
The Ghost in the System: Technical Analysis of Remote Access Trojan

  • Hacettepe University

Research output: Contribution to journal › Article › peer-review

Abstract

Although past cyberattacks were planned to block access and to destroy information, they have now turned into attacks that demand ransom or steal users' information. Malware designed for these purposes causes loss of reputation and customer and market losses in addition to users' financial losses. Attackers' new favorite, the Remote Access Trojan (RAT), allows viewing and modifying the user's files and functions in the system, monitoring and recording user activity, and using the victim's system to attack other systems. RATs can easily hide in the system with their advanced methods of infection and can be present as ghost entities in the system without getting caught by security software. Although new methods have been developed to address the damage caused by RATs, a definite solution has still not been found, since it is difficult to detect a RAT's presence. In order to solve this problem, the identification of the threat and its consequences, as well as the RAT's infectious activities in the target system and its manufacturer, are of importance. This study discusses a detailed analysis of RAT detection on a real victim's computer, targeted by a real RAT attack. The behavior of the malware was analyzed in detail using static and dynamic analysis, and it was shown that the server connected through the RAT was traceable through its whois information.
Original language: English
Pages (from-to): 73-84
Number of pages: 12
Journal: International Journal on Information Technologies and Security
Volume: 11
Issue number: 1
Publication status: Published - 2019

Keywords

  • Malware Analysis
  • Remote Access Trojan (RAT)
  • Trojan
