New Moker RAT Bypasses Detection

Moker, a new remote access Trojan targeting Windows machines, can effectively mitigate security measures and grant an attacker full access to the system.

Researchers warned Tuesday the latest APT to make the rounds features a remote access Trojan that can effectively mitigate security measures on machines and grant the attacker full access to the system.

Experts with the Israeli cyber security start-up enSilo discovered the RAT – which they refer to as Moker – lurking inside one of their customers’ networks but admit they aren’t sure how it got there.

In fact, Yotam Gottesman, a senior security researcher with the firm, believes little was known about the malware until they stumbled upon it, pointing out that Moker hasn’t appeared on VirusTotal yet.

Perhaps that’s because the RAT, which targets Windows machines, is especially skilled when it comes to not getting caught.

According to researchers, Moker can bypass antivirus, sandboxing, virtual machines, and, by exploiting a design flaw, User Account Control, the Windows feature that’s supposed to give users a heads up when a program makes a change that requires administrator-level permission. The malware apparently even applies anti-debugging techniques after it’s been detected to help avoid malware dissection and to further deceive researchers.

“[Moker’s] detection-evasion measures included encrypting itself and a two-step installation,” Gottesman wrote on Tuesday.

“Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction.”

Once embedded on a system, the RAT could cause a real headache for users. An attacker could more or less take full control of the device to take screenshots, record web traffic, sniff keystrokes, and exfiltrate files. They could also leverage the malware to create new user accounts, modify system security settings, and inject malicious code during runtime on the machine.

It’s unclear exactly who’s behind the malware – enSilo points out that the malware communicated with a server in Montenegro, a small Balkan nation that borders Serbia and Kosovo – but admits that this was probably done to throw off researchers and law enforcement.

In addition to the measures it takes to avoid detection, another interesting thing about the malware is that it doesn’t necessarily need to communicate with an external command and control server to do its bidding. The malware instead can receive commands locally via a hidden control panel.

The researchers assume the functionality was built into the RAT so an attacker could VPN into the system they’re targeting and pull strings from there, but acknowledge the feature also could’ve been inserted by the author for testing purposes.

While enSilo claims that Moker could have been a one-time thing, the firm wouldn’t rule out the possibility that other RATs might borrow similar techniques later down the line.

“This case might have been a dedicated attack,” Gottesman wrote, “However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).”

Discussion

  • H. Carvey:

    Moker is not an APT...it's malware. Also, has anyone seen how this malware persists?
    • not_a_h4x3r:

      Moker IS an APT - what part of a RAT is not an Advanced Persistent Threat? I will begin to educate my response: 1. Advanced - Sophisticated techniques undertaken to exploit a system; the sec analysts are unsure what kernel this is aimed at, if aimed at any, however it can exploit known Windows vulnerabilities and exploit any low-level sandboxing MS implemented on their grubs, simply because they can execute boot-up code and UAC becomes redundant at software level. 2. Persistent - It's a RAT, how can this "Malware" not persist? Contrary to reports, RATs cannot function without a host; the dev will have coded this to constantly relay over intervals, but if a user can create a PPTP, L2TP or SSTP split tunnel to virtually get on the LAN or route over RDP then that agent is always listening and always taking commands. If it had any intelligence it will just salt and hash any dumped data and then encrypt it, such as keystrokes, and relay over the victim's WAN when it's next online; it will decide this on the LAN/WLAN NIC status, but again it's pointless unless they are not spearing and specifically targeting orgs. 3. Threat - An entity is required to conduct this attack (most notably human, but could be your dog), albeit Social Engineering, Phishing, or any other form of network intrusion. Conclusion: Moker is a RAT, and RATs happen to fall under the malware category.
  • H. Carvey:

    Moker is a RAT, but it is not APT.
  • J.L.:

    There is NO such category as an APT; an APT is a CAMPAIGN, not a piece of software created for malicious intent.