Moker RAT Has Unusual Characteristics

Written by

A fresh remote access trojan (RAT) capable of taking complete control of the victim’s computer has been found in the wild, dubbed Moker.

According to the security team at enSilo, Moker is unique in its bypasses, and in its ability to disable security measures. This includes everything from security-dedicated measures such as antivirus, sandboxing and virtual machines, to Windows’ built-in security enhancements such as User Access Control (UAC).

enSilo said in an analysis that Moker targets Windows machines and can take complete control of the victim’s machine. It does this by creating a new user account and opening an RDP channel to gain remote control of the victim’s device. But, it can also operate without a command and control (C&C) server, and can receive its commands locally, through a hidden control panel.

This means that a threat actor can also login via something like a VPN using legitimate user credentials, and operate the malware on the infected device—and could be considered a “local access Trojan,” or LAT.

As for capabilities, it can tamper with sensitive system files and modify system-security settings, take screenshots, record web traffic, monitor key strokes and exiltrate files. It also injects itself into different system processes in order to replace legitimate code with malicious code during run-time.

Also, as opposed to more common malwares such as bankers, ransomwares and PoS scrapers, this threat hooks into the operating system (OS) in order to appear as a legitimate OS process and to access system-wide settings.

While Moker has so far been seen in one enterprise network in the wild, it will probably pop up elsewhere.

“This case might have been a dedicated attack,” enSilo researchers said. “However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).”

What’s hot on Infosecurity Magazine?