Connect with us

Hi, what are you looking for?



Rarstone RAT Being Used in Targeted Attacks in Asia: Trend Micro

Trend Micro researchers have found evidence of the Rarstone remote access tool (RAT) in targeted attacks against various organizations in the telecommunications and energy industries in Asia.

Trend Micro researchers have found evidence of the Rarstone remote access tool (RAT) in targeted attacks against various organizations in the telecommunications and energy industries in Asia.

Rarstone has been used in targeted attacks in India, Malaysia, Singapore, and Vietnam, Maharlito Aquino, a threats analyst with Trend Micro, wrote on the company’s Security Intelligence blog Thursday. The spear phishing campaign relied on messages related to diplomatic discussions in the Asia-Pacific region, Aquino said. The messages contained a malicious RTF document exploiting flaws in Windows common control (CVE-2012-0158).

Microsoft patched the vulnerability in April 2012.

“Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities,” Aquino wrote.

The list of targeted industries is a little worrying, as it includes telecommunications, oil and gas, media, and government organizations. There have been a number of targeted attacks against the energy industries recently, with attackers out to steal information as well as cause damage.

When the unsuspecting recipient opens the attachment, it triggers a call to the command-and-control server to download the Rarstone backdoor while dropping a decoy document onto the user’s system. The user sees the decoy document and doesn’t notice the malware, which is loaded directly into memory, Aquino said.

Trend Micro named this particular campaign Naikon, after a useragent string (Nokian95/Web) included in the attacks. The vulnerability exploited by the Naikon emails was also used in the recent “Safe” campaign, which compromised several government agencies, media outlets, and other organizations.

Advertisement. Scroll to continue reading.

The attackers “clearly tried to make the work of security researchers more difficult,” Aquino wrote.

Because the RAT is loaded into memory, it is difficult to detect Rarstone using ordinary, file-based scanning technologies, and traditional defenses such as blacklisting and perimeter controls are not enough to detect or block these campaigns, Aquino said. Instead, organizations need to be scrutinizing their network traffic for suspicious packets.

Rarstone has characteristics similar to the older and better-known PlugX, according to Trend Micro. This malware family included the bombing at the Boston marathon in its repertoire of social engineering tricks. Rarstone differs from PlugX in that it can get installer properties from Uninstall Registry Keys, Aquino said. Not only does Rarstone know what applications are installed on the system, it knows how to uninstall them in case one of the applications interferes with its execution.

Rarstone also uses SSL to encrypt its communications with its C&C server, Aquino said. The domains used in Naikon were either dynamic DNS domains, or registered with registrars offering privacy protection.

Aquino did not include any other information about the targeted organizations in the post.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.