Back in 2012, a key player involved with the prominent Remote Administration Tool (RAT) known as Blackshades RAT was reportedly arrested. Despite his alleged arrest, and with its code leaked in 2010, the tool is still being sold and used in cybercriminal activity. Symantec Security Response has noticed that the use of the RAT has increased over the last five months.
Blackshades RAT, detected by Symantec products as W32.Shadesrat, gathers passwords and credentials from infected systems and sends them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat as well as several other malware families.
Figure 1. Shadesrat evolution since July 2013
For the last few years we have seen a spectacular increase in attacks against Web servers that use recently discovered vulnerabilities to target industries, think tanks, government institutions and users. In all cases, the attacker’s goal is very clear: to execute a malicious payload on the user’s computer. The attackers managed to do this using different exploit kits.
When Symantec observed the increase in W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials, including those for email services, Web services, instant messaging applications, and FTP clients. This kind of information is of interest to spammers looking for new mail credentials, to attackers trying to extend their breaches with access to new servers and services, and to attackers looking for specific information to exfiltrate.
During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point. Until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the Cool Exploit Kit was the most prevalent of these. These kits try to exploit different vulnerabilities on the user’s computer in order to execute a malicious payload and infect it. Underground teams have a wide range of resources to perform their attacks.
Figure 2. Exploit kits used by C&C servers from September through October, before the arrest
We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
Figure 3. Exploit kits used by C&C servers from October through November, after the arrest
Once an unsuspecting user has been compromised, multiple payloads are downloaded. The attackers use these to retain control, either through Remote Administration Tools or through downloaders that let them install additional malware with new functionality.
The C&C servers also spread the following other malware threats.
Figure 4. Threats spread by C&C servers in September and October
We used our telemetry systems to determine where the C&C servers are located and where the W32.Shadesrat infections are most prominent.
Figure 5. C&C server locations
Figure 6. W32.Shadesrat infections
Lithuania and the United States host the highest number of C&C servers. India is the most affected country, followed by the United States and the United Kingdom, but countries all around the world have been affected by W32.Shadesrat.
The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies.
This demonstrates how complete the threat landscape has become, and how many resources attackers have at their disposal. Make sure that your software is up to date and that your antivirus solution has the latest definitions.