Computer Security You can find Computer Security Systems articles, information about how everything from antivirus to firewalls works here.


2020: Year Of The RAT

Dolyetyus - ait Kullanıcı Resmi (Avatar)
International Team Leader
Üyelik tarihi:
Teşekkür (Etti):
Teşekkür (Aldı):
(0) %
02-10-2020 21:42
Greetings dear TurkishHack Team family, I'll tell you about the "Year of the Rat" today.
Let's examine the important titles.

RAT and Mobile Banking

What Is This?

According to most experts and companies, 2020 is the year of RAT. Rat has become a source of trojans in mobile banking, according to analysts, in recent years. In malware, the term RAT is used as "Remote Access Trojan Horse".

Therefore, it can provide remote control as an attacker connection with this kind of infected device. It also falls under the category of malware for this reason. With this method, remote access can be achieved in different ways using local services such as SSH or RDP (Remote Desktop Protocol) or even software such as TeamViewer, VNC or RAdmin.


But also this type of control is basically not bad and can be used for purposes such as providing support to users.

Sometimes malicious attackers aim to evade certain controls by developing their own code or software.

For the first time in history, such methods were used in mobile banking to exploit or misuse information with malicious software.

However, with the development of security and software detection in banking, this situation has become increasingly difficult for attackers.

Following this, the attackers revealed methods to circumvent the detection mechanisms by tricking the victim's device. However, what important is that the combination of encryption of the victim's device is bypassed with the back-connect proxy, making the attacker appear as the real user.

Solutions such as fingerprinting methods have allowed such techniques to be detected, so the attackers had to innovate again.

In this case, rats offer direct connection from the victim device. By doing this, criminals make it significantly difficult to detect fraudulent transactions without a client-based detection solution.

At the same time, "Retefe" appeared in 2016. With Retefe, the attackers gained full control over the devices by almost abusing the TeamWiewer application. Later, Retefe was used by some malicious attackers against android devices again.

In short, malicious software (such as Rat) has evolved despite detection and control systems that oppose such malicious software.


While other uses offered a set of features that enabled successful extraction of personal information from infected devices, Cerberus still lacked features that could help lower the detection barrier during stolen information and fraud abuse.

Around January 2020, Cerberus inspectors came up with a new method to address this problem. This method has undergone reorganization of the code base and updates of the C2 communication protocol, but most importantly, the rat feature created device screen lock credentials (PIN code or scroll pattern) and the possibility to steal 2fa tokens.

TeamViewer login and launch code:

String runningPackage = this.lowerPkgName;

if (getNodeFromEvent.contains ("")) {

*** AccessibilityNodeInfo kullanıcı adı = AcccesibilityUtils.getNodeFromEvent (event, 
*** AccessibilityNodeInfo password = AcccesibilityUtils.getNodeFromEvent (event, "");
*** AccessibilityNodeInfo send = AcccesibilityUtils.getNodeFromEvent (event, "");
*** if (kullanıcı adı! = null) {
******* this.teamviewerUsername = this.utils.readShPrStr (this, this.strings.connect_teamviewer);
******* if (! this.teamviewerUsername.isEmpty ()) {
*********** this.teamviewerPassord = this.utils.readShPrStr (this, this.strings.password);
*********** this.credsSubitted = yanlış;
*********** this.passwordFilled = yanlış;
*********** this.userFilled = yanlış;
*********** this.permissionStatus = 0;
*********** this.utils.writeShPrStr (this, this.strings.connect_teamviewer, "");
*********** this.utils.writeShPrStr (this, this.strings.password, "");
******* }


*** if (this.permissionStatus == 0) {
******* AccessibilityNodeInfo v7_7 = AcccesibilityUtils.getNodeFromEvent (event, "");
******* if (v7_7! = null && AcccesibilityUtils.getNodeFromEvent (event, "")! = null) {
*********** this.permissionStatus = 1;
*********** AccessibilityNodeInfo tmButton = AcccesibilityUtils.getNodeFromEvent (event, "
*********** if (tmButton! = null) {
*************** this.acc_utils.clickButton (tmButton);
*********** }

*********** AccessibilityNodeInfo klmCheckBox = AcccesibilityUtils.getNodeFromEvent (event, " id / checkBox1");
*********** AccessibilityNodeInfo klmConfirm = AcccesibilityUtils.getNodeFromEvent (event, " id / btn_confirm");
*********** if (klmCheckBox! = null && this.permissionStatus == 1) {
*************** this.acc_utils.clickButton (klmCheckBox);
*************** this.acc_utils.clickButton (klmConfirm);
*************** this.permissionStatus = 2;
*************** Utils utils = this.utils;
*************** utils.launchPkg (bu, "");
*********** }
******* }
*** }

*** if (! this.teamviewerUsername.isEmpty () &&! this.teamviewerPassord.isEmpty ()) {
******* if (kullanıcı adı! = null &&! this.userFilled) {
*********** this.acc_utils.setInput (kullanıcı adı, this.teamviewerUsername);
*********** this.userFilled = true;
******* }

******* if (şifre! = boş &&! this.passwordFilled) {
*********** this.acc_utils.setInput (şifre, this.teamviewerPassord);
*********** this.passwordFilled = true;
******* }

******* if ((this.userFilled) && (this.passwordFilled) &&! this.credsSubended) {
*********** this.permissionStatus = 0;
*********** this.acc_utils.clickButton (gönderme);
*********** this.credsSubended = true;
*********** Dize v0_9 = this.utils.readShPrStr (this, this.strings.hidden);
*********** if (v0_9.equals ("true")) {
*************** this.goBack ();
*********** }
******* }
*** }

The feature that allows the device's screen lock credentials (PIN and lock pattern) were to be stolen is enhanced by a simple overlay that requires the victim to unlock the device.

We can conclude that this screen lock credential theft was built so that players could remotely unlock the device to fake it when the victim was not using it.

It shows once again the creativity of criminals to create the right tools to succeed. The Trojan, abusing its accessibility privileges, can now steal 2FA codes from the Google Passwords application.

While the application is running, the Trojan can retrieve the content of the interface and send it to the C2 server. Once again, we can say that this functionality will be used to bypass authentication services based on OTP codes.


Seeing root authorizations as a "dropper services", Hydra has come a long way from using old attack techniques to purely malware. Although it still has such a capability, as of February 2019, Hydra is no longer used as a dropper, but as a functional and stand-alone banking Trojan.

Screencast capabilities (such as the Anubis Trojan) that allow players to visualize what is happening on the device in real time, as well as a proxy option that connects back, allows actors to impersonate the infected device and use it to fraud. Some other features include remote application installation, remote screen locking, and the possibility to use Google firebase as a command handler.

The following screenshots used against banks operating in Turkey shows some covering:


Although no longer officially supported, Anubis is still a widespread culprit choice when it comes to Android banking malware. This does not come as a surprise, as both client and server source code are freely available to everyone. Some new users fixed the changes, fixed bugs, and gradually improved some aspects of the Trojan to sell or rent on underground forums.

Although some changes were observed in some Anubis campaigns, no significant change was made by these secondary vendors. Most of the changes are either fixing known issues or improving existing features (such as automatically disabling Google Play Protect). In January 2020, a new sales post appeared on some underground forums presenting a modified version of Anubis 2.5 that promises a RAT feature:


My Detection Solution - CSD offers financial institutions real-time detection and representation of the risk status of their online and related devices.
This detection and demonstration capability contains all the information necessary to take action against threats.

Translator: @Dolyetyus
- Teşekkür etti.


« Önceki Konu | Sonraki Konu »