What Is a Remote Access Trojan?
A remote access Trojan (RAT) is a type of malware that allows a threat actor to execute commands on an infected system from a remote location—they do not need physical access to control the system. RATs are a backdoor to a system and are practical tools for stealing information such as files, keystrokes, passwords, screenshots, and webcam video or audio, and can be leveraged to conduct other attacks, such as lateral movement through a network and to import additional malware with extended capabilities like ransomware.
RAT malware can infect any device with network access, including desktop and laptop computers, mobile phones, tablets, IoT devices, peripherals such as printers, faxes, home security products, and smart home devices—and can be designed for any standard operating system. Some RATs are specifically designed malware, but many legitimate network administration tools intended for legitimate network operations can also be used as RATs as they offer remote system control capabilities.
RATs are a subcategory of Trojan malware. Trojans are executable applications, documents, or files with embedded executable code appearing as typical, innocuous functions. Trojans contain malicious, hidden components that infect or harm the target's device.
How Remote Access Trojans Work
Trojanized files are typically presented as legitimate or pirated software applications, Microsoft Office documents, or compressed files (typically .zip or .rar) and are included in social engineering campaigns to entice targets to open them. In some cases, a Trojanized file may use a false or obfuscated file extension to appear as an image file to pass through firewalls that filter high-risk files. Trojans can be distributed via phishing or malspam campaigns or made available for download on malicious and even legitimate websites. They can also be installed via attack vectors such as vulnerability exploits, direct physical access, or a USB key drop as bait.
Once the target has unwittingly infected their device, the RAT spawns a new malicious process or hijacks a legitimate process to evade detection and initializes a connection back to a remote command and control server (C2). Once the RAT has established a connection to the attacker's C2, it can automatically download and execute additional code, depending on the specifications of the target's system, or offer the attacker manual access to execute shell commands.
RATs are usually accompanied by an executable file such as a .exe file—but some include fileless malware that exists only as a process in RAM for added stealth. If a RAT can establish persistence, it will run each time the infected system is restarted. The extent of control a RAT has over the infected host is determined by its permission level at runtime. If the RAT is executed with user-level privileges, it can only perform actions that the user allows. However, if the RAT is executed with or can otherwise attain system-level privileges (e.g., administrator-, admin-, or root-level permissions) through further exploitation, the attacker will have a nearly unlimited attack scope.
How to Prevent a Remote Access Trojan Attack
There are several ways to reduce the risk of a RAT or other Trojan malware infection. The best way is to only execute or open files from a known, trusted source. This means only launching software that comes directly from the official vendor or an official app store. The same caution is warranted for documents that arrive as email attachments or are available for download. In some cases, configuring strict firewall rules may reduce the chances of infection or can be used to block a RAT from communicating back to its C2 server, but this is not always an effective defensive strategy—attackers may find ways to work around these rules.
Installing, configuring, and frequently updating endpoint security software provides additional protection against RAT malware.