I smell a RAT

According to Dell’s SecureWorks Counter Threat Unit, since April this year, hackers using a Remote Access Trojan (or RAT for short) named Mirage have been conducting systematic cyber espionage against a Canadian energy company, a large oil firm in the Philippines and several other entities.  It is the second attack targeting oil companies to be found by SecureWorks this year.

According to SecureWorks, the domains of three of the command and control servers used to control Mirage appear to belong to the same individual or group of individuals.  Another interesting fact is that the IP addresses for the command and control servers belong to China’s Beijing Province Network.  This network was also implicated last year in an attack on security vendor RSA, an attack which resulted in the theft of confidential information about RSA’s SecurID two-factor authentication technology.  Command and control servers from the Beijing Province Network were also involved in the 2009 GhostNet cyber espionage campaign.

Mirage has so far affected companies in Canada, the Philippines, a Taiwanese military organization, and other entities in Nigeria, Egypt, Brazil, and Israel, according to SecureWorks researcher Joe Stewart.  The Mirage malware itself is designed to evade easy detection, and its communications with its command and control servers are disguised as the URL traffic pattern associated with Google searches.  One of the ways Mirage gets into networks is by tricking mid-level to senior executives with phishing emails containing attachments meant to install Mirage onto their systems.
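The disguise described above cuts both ways for a defender: a request whose path and query look like a Google web search but whose destination host is not Google is exactly the kind of mismatch a proxy log review can surface.  The following is an added example, not code from the post or from SecureWorks.  It assumes a simple proxy log format (timestamp, client IP, method, full URL), treats a path of `/search` with a `q=` parameter as the generic Google-search shape (the actual Mirage URL format is not given here), and uses a small constructed allowlist of Google hostnames.  The sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the original page).
# Assumed format: "<timestamp> <client_ip> <method> <url>".
SAMPLE_PROXY_LOG = """\
2012-09-20T10:00:01 10.0.0.15 GET http://www.google.com/search?hl=en&q=quarterly+report
2012-09-20T10:05:02 10.0.0.15 GET http://203.0.113.7/search?hl=en&q=YWJjZGVmZ2hpamtsbW4
2012-09-20T10:10:03 10.0.0.15 GET http://google.com.example.net/search?hl=en&q=YWJjZGVmZ2hpamtsbW4
2012-09-20T10:15:04 10.0.0.15 GET http://www.google.co.uk/search?q=energy+company
2012-09-20T10:20:05 10.0.0.22 GET http://intranet.example.net/reports/index.html
"""

# Hostnames that legitimately serve Google web search.  Assumption: a short
# allowlist is enough for the example; a real deployment would maintain a fuller one.
GOOGLE_SEARCH_HOSTS = ("google.com", "google.co.uk", "google.ca")

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def is_google_host(host: str) -> bool:
    """Exact or subdomain match against the allowlist.

    The suffix check requires a leading dot, so a look-alike such as
    'google.com.example.net' does not match.
    """
    host = host.lower().rstrip(".")
    return any(host == g or host.endswith("." + g) for g in GOOGLE_SEARCH_HOSTS)


def looks_like_google_search(url: str) -> bool:
    """True when the path and query resemble a Google web search request."""
    parts = urlsplit(url)
    if parts.path != "/search":
        return False
    return "q" in parse_qs(parts.query)


def find_masquerading_requests(log_text: str):
    """Return (client, host, url) for requests shaped like a Google search
    that are sent to a host which is not Google."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url")
        host = urlsplit(url).hostname or ""
        if looks_like_google_search(url) and not is_google_host(host):
            hits.append((m.group("client"), host, url))
    return hits


if __name__ == "__main__":
    for client, host, url in find_masquerading_requests(SAMPLE_PROXY_LOG):
        print(f"suspicious: {client} -> {host}  {url}")
```

On the constructed log this flags the request to the bare IP address and the one to the look-alike domain, while the two genuine Google searches and the intranet request pass.  The host comparison deliberately matches on a dotted suffix rather than a substring, since substring matching is the classic mistake that lets a look-alike domain through.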

Also, over the past few months, several customized variants of Mirage were discovered.  They had been designed to evade detection by anti-virus, as well as anti-malware programs.

5 thoughts on “I smell a RAT”

  1. This is a great example of the increased presence of more international hack attacks (no rhyme intended). The increase in international cyber crime should bring attention to the need of the creation of a set of laws to set international standards for persecution and punishment. The international community needs to take action and fast before this gets even more out of hand.

  2. I think it’s interesting how Mirage can be so sophisticated, yet the way it injects itself is through a phishing email. I guess that just goes to show you that one of the best exploits is still human error.

  3. I have been reading about the malware named Flame, and its associated derivatives. Flame only showed up in specific locations and was labeled as a tool for a targeted attack. Targeted, meaning that once a computer is infected it predominately spreads locally. Is RAT or Mirage labeled as being targeted?