October 9, 2015 By Douglas Bonderud 3 min read

There’s a new remote-access Trojan (RAT) sniffing around corporate systems. According to Threatpost, Israeli security firm enSilo came across the RAT inside a customer’s network, and while researchers aren’t sure how the Trojan nibbled its way through, they are certain it poses significant risk.

So far the new threat, named Moker, hasn’t been spotted anywhere else. But a combination of a sophisticated installation process and numerous attempts to deceive researchers with fake code make it a RAT worth studying. Here’s what the IT community knows so far.

Risky Rodents

RATs are a great end game for cybercriminals since they allow total control over a host system. Often, RATs aren’t the first thing on victimized machines. Instead, malware creators use phishing techniques and dubious email links as a jumping-off platform, convincing users to download small malware attachments that in turn contact host servers and let the RATs run free. Moker is different, since enSilo has never seen anything similar before and isn’t sure how the program made it onto corporate networks or where it’s sending exfiltrated data.

What do they know? Moker targets Windows machines and can bypass traditional protection methods such as antivirus solutions, sandboxing and virtual machines. Thanks to a clever exploit of the User Account Control (UAC) system, it can even override the need for admin permission to make system-level changes. The remote-access Trojan also takes steps to elude capture: According to enSilo’s Senior Security Researcher Yotam Gottesman, the RAT’s detection avoidance measures “included encrypting itself and a two-step installation.”

What’s more, Moker evades analysis even after being caught by adding extraneous code and superfluous instructions designed to lead researchers in the wrong direction. Once active in a network, this RAT can sniff out data, take screenshots, record Web traffic, log keystrokes and even add new admin accounts. Put simply: It’s filthy, disease-ridden and could cause serious harm.

Bad Actors, Worse Networks?

There’s some hope on the horizon. enSilo has never seen this Trojan out in the wild and, with any luck, will reverse engineer the code enough that new versions of the same basic package won’t present so great a threat. And cybercriminals themselves may help the cause of stopping RATs in their tracks: According to eWEEK, they often “misconfigure their management nodes for commodity remote-access Trojans” by not changing default ports on the software.

More advanced attackers change the port to prevent detection, but as RATs become more common and available for free or a nominal fee, the number of home-brew attackers is on the rise. With ports left open, it’s easy for IT security pros to scan possible attack vectors, identify unique text strings and discover malicious IP addresses.
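As an added illustration of the default-port detection described above (example code, not from the article or enSilo), the script below walks a set of constructed firewall log lines and flags hosts repeatedly contacting destinations on ports commodity RATs ship with by default; the port-to-family list is an assumption and should be replaced with the families you actually track.

```python
"""Flag connections to default RAT management ports in firewall logs.

Added example, not from the article. The port table and the log lines
are assumptions / constructed samples, not real traffic or IoCs.
"""
import re
from collections import Counter

# Assumed default management ports for commodity RATs (replace with your
# own watchlist). The point from the article: attackers who never change
# the default make their management nodes easy to spot.
DEFAULT_RAT_PORTS = {1604: "DarkComet", 3460: "Poison Ivy", 5552: "njRAT"}

# Constructed sample firewall log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2015-10-09T08:00:01 ALLOW TCP 10.0.0.12:51234 -> 203.0.113.7:1604
2015-10-09T08:00:31 ALLOW TCP 10.0.0.12:51240 -> 203.0.113.7:1604
2015-10-09T08:01:01 ALLOW TCP 10.0.0.12:51251 -> 203.0.113.7:1604
2015-10-09T08:01:05 ALLOW TCP 10.0.0.20:49876 -> 198.51.100.4:443
2015-10-09T08:02:10 ALLOW TCP 10.0.0.33:50001 -> 203.0.113.9:5552
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rat_traffic(log_text, ports=DEFAULT_RAT_PORTS):
    """Map (src, dst, dport) -> {family, count} for hits on watched ports."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dport = int(rec["dport"])
        if dport in ports:
            key = (rec["src"], rec["dst"], dport)
            entry = hits.setdefault(key, {"family": ports[dport], "count": 0})
            entry["count"] += 1
    return hits


def suspect_c2_hosts(hits, min_hits=2):
    """Destinations hit repeatedly on a RAT default port: investigate/block."""
    per_dst = Counter()
    for (_src, dst, _port), entry in hits.items():
        per_dst[dst] += entry["count"]
    return sorted(dst for dst, n in per_dst.items() if n >= min_hits)
```

Repeated hits from one internal host to one destination at a fixed interval (as in the sample, every 30 seconds) are the beaconing pattern worth pivoting on; a single hit on port 443 is deliberately ignored.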

On the flip side is the Internet of Things. Silicon Republic noted that as the number of network-connected devices ramps up, so, too, does cybercriminals’ ability to cause total device failure. Attackers and security researchers have already caused Internet-enabled cars to stop mid-drive and medical drug pumps to change dosage without the approval of medical personnel.

Security firms are now starting to track massive RAT networks designed to compromise devices of all types and take complete control. With many of these devices already lacking basic security measures, something like Moker may not be necessary — the security maze is so simple that even the slowest, dumbest RATs have a chance to reach the virtual cheese.

The Moker RAT shouldn’t be surprising. As malware security advances, cybercriminals keep pace. For companies, there’s a simple takeaway: Total security is an illusion. No antivirus, sandbox or control mechanism is foolproof. They’re better used in unison, but active oversight — either in-house, from a third party or both — is necessary to catch these RATs before they memorize the maze.
