What Is It?
RadRAT contains 92 functions that it can perform via its command and control (C2) server. These include extracting all manner of system information, taking screenshots, manipulation of files and the system registry, gathering of various types of credentials, uploading browsing history, enumeration of other systems on the network and capturing network traffic. It can even attempt to crack Windows passwords.
Dwell time is a term which likely gives more than a few cybersecurity professionals and C-level executives a nightmare or two. This term describes the period of time that elapses between a network being compromised and detection of the breach. Recent reports have shown average dwell time actually increased slightly during 2017 and in some geographies increasing significantly. An example of malware with a significant dwell time is RadRAT, a remote access trojan described in a recent Bitdefender whitepaper.
It is believed that RadRAT has been in the wild since 2015, despite multiple submissions to VirusTotal that ranged from April 2016 and March 2017. Prior to the release of the Bitdefender whitepaper, anti-virus detections for the three public samples ranged from non-existent to average at best. As its lack of detection is by design, researchers describe RadRAT as a sophisticated cyber-espionage tool possessing numerous data exfiltration and lateral movement functions.
How Does It Propagate?
The malware does not contain the necessary code to self propagate. The initial infection vector is unknown, due mainly to the dwell time of the samples.
When/How Did BluVector Detect It?
Of the three samples publicly available, BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detectedan average of 26 months prior to their discovery. However, all samples were also detected by models dating from 2015, indicating RadRAT would likely have been detected as soon as it was first believed to have been released into the wild.