Remote access trojans (RATs) on a corporate system may serve as a key pivot point for moving laterally and accessing information within an enterprise network. By analyzing network metadata, Recorded Future analysts were able to identify RAT command-and-control (C2) servers and, more crucially, which corporate networks were communicating with those controllers. This approach allows Recorded Future to provide insight into third-party organizations that our clients may rely upon, enabling a better understanding of the third-party risk to their own data.
Insikt Group used the joint Recorded Future and Shodan Malware Hunter project and the Recorded Future Platform to identify active malware controllers for 14 malware families between December 2, 2018 and January 9, 2019. We then focused our analysis on a subset of malware — Emotet, Xtreme RAT, and ZeroAccess — to profile RAT communications from third-party organizations to the controllers.
Source: Recorded Future
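The correlation step described above (match flow metadata against a list of known controllers, then attribute the source addresses to the organizations that own them) can be sketched in a few dozen lines. The following is an added illustration of that approach; it is not Recorded Future's or Shodan's code. Every controller address, expected port, organization name and flow record below is constructed for the example from RFC 5737 documentation ranges and carries no real intelligence value.

```python
"""Profile which third-party organizations talk to known malware controllers.

Added illustration of the metadata-correlation approach the excerpt
describes. Not Recorded Future's or Shodan's code; every address, port,
organization and flow record below is constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed controller list: C2 IP -> (malware family, expected C2 port).
# Hypothetical values in documentation ranges, not real indicators.
KNOWN_C2 = {
    "203.0.113.10": ("Emotet", 443),
    "203.0.113.77": ("Xtreme RAT", 1337),
    "198.51.100.5": ("ZeroAccess", 16464),
}

# Constructed prefix -> organization map. In practice this comes from
# WHOIS/BGP data; the organization names are hypothetical.
ORG_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/25"): "Example Logistics Inc",
    ipaddress.ip_network("192.0.2.128/25"): "Example Payroll Co",
}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("2018-12-03T08:15:02Z", "192.0.2.17", "203.0.113.10", 443, 1820),
    ("2018-12-03T08:20:01Z", "192.0.2.17", "203.0.113.10", 443, 1790),
    ("2018-12-03T09:02:44Z", "192.0.2.150", "198.51.100.5", 16464, 640),
    ("2018-12-04T11:41:19Z", "192.0.2.33", "203.0.113.77", 1337, 2400),
    ("2018-12-04T11:46:20Z", "192.0.2.33", "198.51.100.200", 443, 51000),  # not a C2
    ("2018-12-05T02:00:00Z", "192.0.2.200", "203.0.113.10", 443, 1805),
    ("2018-12-05T03:10:00Z", "198.51.100.77", "203.0.113.10", 8080, 900),  # unexpected port
]


def org_for_ip(ip, prefixes=ORG_PREFIXES):
    """Return the organization announcing the prefix that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, org in prefixes.items():
        if addr in net:
            return org
    return None


def profile_c2_communications(flows, c2=KNOWN_C2, prefixes=ORG_PREFIXES):
    """Group flows to known controllers by source organization and family.

    Returns {org: {family: {"hosts": set, "flows": int, "port_match": int,
    "first": ts, "last": ts}}}. A flow to a C2 address on a port other than
    the one expected for that family is still recorded, but port_match is
    not incremented, so analysts can treat it as lower confidence.
    """
    def new_entry():
        return {"hosts": set(), "flows": 0, "port_match": 0, "first": None, "last": None}

    profile = defaultdict(lambda: defaultdict(new_entry))
    for ts, src, dst, port, _nbytes in flows:
        hit = c2.get(dst)
        if hit is None:
            continue  # destination is not a known controller
        family, expected_port = hit
        org = org_for_ip(src, prefixes) or "unattributed"
        entry = profile[org][family]
        entry["hosts"].add(src)
        entry["flows"] += 1
        if port == expected_port:
            entry["port_match"] += 1
        # ISO-8601 UTC timestamps with fixed width compare correctly as strings.
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return {org: dict(fams) for org, fams in profile.items()}


if __name__ == "__main__":
    for org, fams in profile_c2_communications(SAMPLE_FLOWS).items():
        for family, e in fams.items():
            print(f"{org}: {family} hosts={sorted(e['hosts'])} flows={e['flows']} "
                  f"port_match={e['port_match']} first={e['first']} last={e['last']}")
```

The port check is the caveat a practitioner would want: a single flow to an address on a C2 list is not proof of infection, since controllers are often hosted on shared infrastructure, get sinkholed, or are scanned by researchers, so a hit on an unexpected port (or a source that cannot be attributed to any organization) should be confirmed before it is reported as third-party risk.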