Rat Warning: WinSpy and GimmeRAT


Have you heard of RATs?

No, not rodent variety; we mean Remote Administration Tools. They’re all the rage amongst management teams that need to monitor unproductive workers and people who don’t trust their significant other. They’re also legitimate tools for tech support teams…and a favorite amongst aspiring hackers.

What is a RAT?

A Remote Administration Tool is software that allows another person to remotely access, control, and monitor your computer or mobile device. How is this legal!? Because RATs do actually have legitimate use. RATs allow tech support teams to take remote control of your computer and fix it for you. RATs are also useful for larger companies that need to monitor their employees’ computer usage. Unfortunately, RATs have also been adopted by those who propagate malware, to remotely – and covertly – watch what their victims are doing.

The Latest RAT Breed

Ever vigilant, the folks at FireEye have discovered a new RAT breed, evolved from the legal, proprietary WinSpy software. WinSpy is blatantly marketed as a monitoring software that will let you “Start Spying on any PC or Phone within the Next 5 minutes.” Certainly, this is a RAT that walks the legal line. FireEye has discovered, however, that WinSpy has been combined with a Trojan installer to target financial institutions.

The bait is as age-old as it is simple: a big hunk of cheese a spearphishing email containing either a malicious attachment or link. Opening the attachment or clicking the link will present the victim with a mock-up of some sort of banking document.  At the same time, and in the background,  a covert installation of WinSpy is initiated.

Known Subspecies

SHA1: d4c3fa5fc299efba794cd24b6755f552471144ff
Detected by Emsisoft as: Gen:Variant.Kazy.298844 (B)

SHA1: e4af6f43bce306f566798a47357211359a811faa
Detected by Emsisoft as: Trojan.Generic.KDV.538313 (B)

SHA1: b04ef81e15182dd6eccf8c5f5bc20df4f0a72d04
Detected by Emsisoft as: Trojan.Generic.4055500 (B)

SHA1: 26ad4939383129965bfd6b627f09dffebeaa0788
Detected by Emsisoft as: Trojan.Generic.2714998 (B)

SHA1: 5ef2096d062dcc99d14ae517e1739f3c2dce2452
Detected by Emsisoft as: Dropped:Backdoor.Generic.226706 (B)

WinSpy Capabilities

This current attack specifically targets employees of banks and financial institutions, to place a copy of WinSpy on their work computer. Once installed, WinSpy can allow the attacker to perform a number of malicious actions, including: screen capturing, keylogging, webcam and microphone monitoring, email exfiltration, and even deactivation of antivirus software. Notably, attackers may also use WinSpy’s server as an intermediary Command and Control to hide their identity.

Those employed in the financial sector have been targeted for obvious reasons: their computers contain the financial information of multiple customers. The RAT-Trojan install combo is by no means a new approach to malware, though, and individual users – regardless of occupation – should beware.

For thorough RAT prevention Emsisoft recommends:

GimmeRat for Android Monitoring

Most interestingly, FireEye’s research into this latest deployment of WinSpy has also revealed components that enable Android monitoring capabilities, such as screen capturing, GPS tracking, and SMS message monitoring. FireEye has named the components that enable these capabilities GimmeRat, as many of the CnC commands these components utilize are SMS texts, like “gmyl,” which stands for Give Me Your Location.

GimmeRat comes in 3 varieties, one of which depends on a physical install and allows monitoring/control via remote computer. The other 2 varieties can be installed remotely and allow for monitoring/control via Android device. All 3 varieties can be used for malicious purposes, and all 3 highlight the growing trend towards mobile malware. Like many malware authors, those behind GimmeRat have clearly recognized that more people are using mobile devices than use computers. As a result, efforts to “build a better mobile RAT trap” have a higher chance of paying off.

For more on GimmeRat and the latest malicious deployment of WinSpy modules, look no further than FireEye’s blog.

In the meantime, Have a Great (RAT-Free) Day!