Rarstone RAT Being Used in Targeted Attacks in Asia: Trend Micro

Trend Micro researchers have found evidence of the Rarstone remote access tool (RAT) in targeted attacks against various organizations in the telecommunications and energy industries in Asia.

Rarstone has been used in targeted attacks in India, Malaysia, Singapore, and Vietnam, Maharlito Aquino, a threats analyst with Trend Micro, wrote on the company’s Security Intelligence blog Thursday. The spear phishing campaign relied on messages related to diplomatic discussions in the Asia-Pacific region, Aquino said. The messages contained a malicious RTF document exploiting flaws in Windows common control (CVE-2012-0158).

Microsoft patched the vulnerability in April 2012.

“Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities,” Aquino wrote.

The list of targeted industries is a little worrying, as it includes telecommunications, oil and gas, media, and government organizations. There have been a number of targeted attacks against the energy industries recently, with attackers out to steal information as well as cause damage.

When the unsuspecting recipient opens the attachment, it triggers a call to the command-and-control server to download the Rarstone backdoor while dropping a decoy document onto the user’s system. The user sees the decoy document and doesn’t notice the malware, which is loaded directly into memory, Aquino said.

Trend Micro named this particular campaign Naikon, after a useragent string (Nokian95/Web) included in the attacks. The vulnerability exploited by the Naikon emails was also used in the recent “Safe” campaign, which compromised several government agencies, media outlets, and other organizations.

The attackers “clearly tried to make the work of security researchers more difficult,” Aquino wrote.

Because the RAT is loaded into memory, it is difficult to detect Rarstone using ordinary, file-based scanning technologies, and traditional defenses such as blacklisting and perimeter controls are not enough to detect or block these campaigns, Aquino said. Instead, organizations need to be scrutinizing their network traffic for suspicious packets.

Rarstone has characteristics similar to the older and better-known PlugX, according to Trend Micro. This malware family included the bombing at the Boston marathon in its repertoire of social engineering tricks. Rarstone differs from PlugX in that it can get installer properties from Uninstall Registry Keys, Aquino said. Not only does Rarstone know what applications are installed on the system, it knows how to uninstall them in case one of the applications interferes with its execution.

Rarstone also uses SSL to encrypt its communications with its C&C server, Aquino said. The domains used in Naikon were either dynamic DNS domains, or registered with registrars offering privacy protection.

Aquino did not include any other information about the targeted organizations in the post.