# RATs - Remote Access Trojans

> Remote access trojans that give full control over compromised systems. They are the backbone of cyber-espionage operations, used by APT groups from every country to maintain persistent access and collect intelligence.

> [!warning] Documented Presence in Brazil
> RATs such as njRAT, AsyncRAT, Remcos and QuasarRAT have been widely documented in campaigns targeting Brazilian companies and government. Their ease of access (many are open-source) makes them popular in financial-crime and espionage campaigns.

## How They Work

RATs establish a bidirectional communication channel between the compromised system (client) and the attacker's infrastructure (C2 server), allowing full control in real time.

```mermaid
graph TB
    A["🎣 Entrega<br/>Phishing / USB / Exploit"] --> B["🔧 Instalacao<br/>Dropper / Injector"]
    B --> C["🔐 Persistencia<br/>Registry / Startup / Servico"]
    C --> D["📡 Beacon C2<br/>HTTP / DNS / Telegram"]
    D --> E["🎛️ Controle Remoto<br/>Shell / Keylog / Webcam / Files"]
    E --> F["📤 Exfiltracao<br/>Credenciais / Documentos / Screenshots"]
    D --> G["🔄 Lateral Movement<br/>Espalha para outros hosts"]

    style A fill:#e74c3c,color:#fff
    style B fill:#e67e22,color:#fff
    style C fill:#f39c12,color:#fff
    style D fill:#2980b9,color:#fff
    style E fill:#8e44ad,color:#fff
    style F fill:#c0392b,color:#fff
    style G fill:#d35400,color:#fff
```

**Typical capabilities:**

- **Keylogging** - Captures everything that is typed
- **Screenshots and screen recording** - Real-time visual monitoring
- **File system access** - Upload/download of arbitrary files
- **Reverse shell** - Command execution on the compromised system
- **Plugin system** - Capabilities expandable through additional modules

## Catalogued Families

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", used-by AS "Usado Por"
FROM "cti/software/malware/rats"
WHERE type = "malware"
SORT title ASC
```
%%

| Name | Status | Used By |
| --- | --- | --- |
| [[s0066-3para-rat\|3PARA RAT]] | active | [[g0024-putter-panda\|Putter Panda]] |
| [[s0065-4h-rat\|4H RAT]] | active | [[g0024-putter-panda\|Putter Panda]] |
| [[s1028-action-rat\|Action RAT]] | active | [[g1008-sidecopy\|SideCopy]] |
| [[s0584-applejeus\|AppleJeus]] | active | [[g0032-lazarus-group\|Lazarus Group]] |
| [[s0234-bandook\|Bandook]] | active | [[g0070-dark-caracal\|Dark Caracal]] |
| [[s0239-bankshot\|Bankshot]] | active | [[g0032-lazarus-group\|Lazarus Group]] |
| [[s0030-carbanak\|Carbanak]] | active | [[g0046-fin7\|FIN7]], [[g0008-carbanak\|Carbanak]] |
| [[s1105-coathanger\|COATHANGER]] | active | - |
| [[s0591-cotx-rat\|COTX RAT]] | active | [[g0129-mustang-panda\|Mustang Panda]] |
| [[crimsonrat\|Crimson RAT]] | active | [[g0134-transparent-tribe\|Transparent Tribe]] |
| [[cti/software/malware/rats/darkcomet.md\|DarkComet RAT]] | inactive | [[darkcaracal\|Dark Caracal]] |
| [[darkmoon\|DarkMoon]] | active | [[darkcaracal\|Dark Caracal]] |
| [[darkwatchman\|DarkWatchman]] | active | - |
| [[s1038-dcrat\|DCRat]] | active | [[hive0131]], [[g0034-sandworm\|Sandworm APT]], [[blindeagle\|BlindEagle]], [[tag-144]] |
| [[s0694-dratzarus\|DRATzarus]] | active | - |
| [[s0384-dridex\|Dridex]] | active | [[ta505\|TA505]], [[g0119-indrik-spider\|Indrik Spider]] |
| [[s0181-fallchill\|FALLCHILL]] | active | [[g0032-lazarus-group\|Lazarus Group]] |
| [[flawedammyy\|FlawedAmmyy]] | active | [[g0037-fin6\|FIN6]], [[ta505\|TA505]] |
| [[s0383-flawedgrace\|FlawedGrace]] | active | [[ta505\|TA505]] |
| [[flowcloud\|FlowCloud]] | active | [[ta410\|TA410]] |
| [[cti/software/malware/rats/gh0st-rat.md\|Gh0st RAT]] | active | [[cti/groups/g0096-apt41.md\|APT41]], [[g0094-kimsuky\|Kimsuky]], [[g0065-leviathan\|Leviathan]], [[g0027-threat-group-3390\|Threat Group-3390]], [[g0001-axiom\|Axiom]] |
| [[s0237-gravityrat\|GravityRAT]] | active | - |
| [[s0312-hardrain\|HARDRAIN]] | active | [[g0032-lazarus-group\|Lazarus Group]] |
| [[s0087-hi-zor\|Hi-Zor]] | active | - |
| [[httprat]] | active | [[g0069-mango-sandstorm\|MuddyWater]] |
| [[hupigon\|Hupigon]] | active | [[g0026-apt18\|APT18]] |
| [[cti/software/malware/rats/s0434-imminent-monitor.md\|Imminent Monitor]] | inactive | - |
| [[s0832-indigo-zebra-rat\|Indigo Zebra RAT]] | active | - |
| [[s0259-innaputrat\|InnaputRAT]] | active | - |
| [[s1132-ipsec-helper\|IPsec Helper]] | active | [[g1030-agrius\|Agrius]] |
| [[jbifrost\|jBiFrost]] | active | [[cti/groups/g0096-apt41.md\|APT41]] |
| [[jlorat\|JloRAT]] | active | [[talonite\|Talonite]] |
| [[jsoutprox\|JSOutProx]] | active | [[solar-spider\|Solar Spider]] |
| [[karagany\|Karagany]] | active | [[g0035-dragonfly\|Dragonfly]] |
| [[keyboy\|KeyBoy]] | active | [[g0081-tropic-trooper\|Tropic Trooper]] |
| [[kindlerat\|KindleRAT]] | inactive | [[g0022-apt3\|APT3]] |
| [[kirat\|KiRat]] | inactive | [[g0094-kimsuky\|Kimsuky]] |
| [[lilith-rat\|Lilith RAT]] | active | - |
| [[cti/software/malware/rats/limerat.md\|LimeRAT]] | active | [[aggah-group\|Aggah Group]] |
| [[s0582-lookback\|LookBack]] | active | - |
| [[s0459-mechaflounder\|MechaFlounder]] | active | [[g0087-apt39\|APT39]] |
| [[nanocore\|NanoCore RAT]] | active | [[aggah-group\|Aggah Group]], [[cti/groups/ta558.md\|TA558]] |
| [[netwire\|NetWire RAT]] | active | [[g0064-apt33\|APT33]], [[g0078-gorgon-group\|Gorgon Group]], [[aggah-group\|Aggah Group]] |
| [[njrat\|njRAT]] | active | [[g0099-blind-eagle-apt-c-36\|Blind Eagle]], [[g0140-lazyscripter\|LazyScripter]] |
| [[orcus\|Orcus RAT]] | active | [[g0078-gorgon-group\|Gorgon Group]], [[aggah-group\|Aggah Group]] |
| [[s1031-pingpull\|PingPull]] | active | [[g0093-gallium\|GALLIUM]] |
| [[s0124-pisloader\|Pisloader]] | inactive | [[g0026-apt18\|APT18]] |
| [[korplug\|PlugX]] | active | [[cti/groups/g0096-apt41.md\|APT41]], [[g0129-mustang-panda\|Mustang Panda]], [[g0022-apt3\|APT3]] |
| [[s0428-poetrat\|PoetRAT]] | active | - |
| [[poisonivy\|Poison Ivy RAT]] | inactive | [[g0022-apt3\|APT3]], [[g0026-apt18\|APT18]], [[apt9\|APT9]], [[g0045-apt10\|menuPass]] |
| [[s0262-quasarrat\|QuasarRAT]] | active | [[g0040-patchwork\|Patchwork]], [[g0140-lazyscripter\|LazyScripter]], [[g0078-gorgon-group\|Gorgon Group]], [[g0094-kimsuky\|Kimsuky]], [[g0045-apt10\|menuPass]], [[g0135-backdoordiplomacy\|BackdoorDiplomacy]], [[g0099-blind-eagle-apt-c-36\|BlindEagle]] |
| [[ratankba\|RATANKBA]] | active | [[g0032-lazarus-group]] |
| [[s0332-remcos\|Remcos]] | active | [[g0140-lazyscripter\|LazyScripter]], [[g0047-gamaredon\|Gamaredon Group]], [[g0078-gorgon-group\|Gorgon Group]], [[g0099-blind-eagle-apt-c-36\|Blind Eagle]] |
| [[s0379-revenge-rat\|Revenge RAT]] | active | [[g1018-ta2541\|TA2541]], [[g0089-the-white-company\|The White Company]], [[g0078-gorgon-group\|Gorgon Group]], [[cti/groups/ta558.md\|TA558]] |
| [[s0011-taidoor\|Taidoor]] | active | - |
| [[s0436-tscookie\|TSCookie]] | active | [[g0098-blacktech\|BlackTech]] |
| [[s0333-uboatrat\|UBoatRAT]] | active | - |
| [[venomrat\|VenomRAT]] | inactive | [[cti/groups/ta558.md\|TA558]], [[g1018-ta2541\|TA2541]] |
| [[warzonerat\|WarzoneRAT]] | active | [[cti/groups/ta558.md\|TA558]], [[g0064-apt33\|APT33]] |
| [[cti/software/malware/rats/winos-40.md\|Winos 4.0]] | active | [[silver-fox]] |
| [[cti/software/malware/rats/xworm.md\|XWorm RAT]] | active | [[cti/groups/ta558.md\|TA558]], [[g0094-kimsuky\|Kimsuky]], [[nullbulge\|NullBulge]] |
| [[s0350-zwshell\|zwShell]] | active | - |

> [!info] Statistics
> **27 families** catalogued - **26 active** - Widely used in APT espionage and cybercrime - Several available as open-source or as cheap crimeware

## Defenses and Mitigations

- [[m1031-network-intrusion-prevention|M1031 - Network Intrusion Prevention]] - C2 beacon detection
- [[m1026-privileged-account-management|M1026 - Privileged Account Management]] - Limit the capacity for lateral movement
- [[m1049-antivirus-antimalware|M1049 - Antivirus/Antimalware]] - Behavioral EDR for RAT detection
- [[m1038-execution-prevention|M1038 - Execution Prevention]] - Application control (allowlisting)
- Monitor outbound connections on non-standard ports

## Related

[[_malware]] - [[_groups]] - [[t1219-remote-access-software|T1219 - Remote Access Software]] - [[t1071-001-web-protocols|T1071.001 - Web Protocols]] - [[t1056-001-keylogging|T1056.001 - Keylogging]]
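A defender-side illustration of the "C2 beacon detection" and "outbound connections on non-standard ports" mitigations listed above, added here as an example and not part of the original note: it scores the regularity of connection intervals per (src, dst, port) flow over constructed firewall-style log lines. The log format, the port allowlist and the thresholds are assumptions, not values from this catalogue.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log lines (not from any real incident): 10.0.0.5
# beacons roughly every 60 s to a non-standard port; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=203.0.113.7 dport=4782 bytes=312
2024-05-01T10:00:03 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=8812
2024-05-01T10:01:01 src=10.0.0.5 dst=203.0.113.7 dport=4782 bytes=305
2024-05-01T10:02:00 src=10.0.0.5 dst=203.0.113.7 dport=4782 bytes=318
2024-05-01T10:02:05 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=450
2024-05-01T10:03:02 src=10.0.0.5 dst=203.0.113.7 dport=4782 bytes=309
2024-05-01T10:03:59 src=10.0.0.5 dst=203.0.113.7 dport=4782 bytes=311
2024-05-01T10:09:30 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=23001
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=\d+$")
STANDARD_PORTS = {80, 443, 53, 25, 587, 993}  # assumed per-environment allowlist


def parse_log(text):
    """Yield (timestamp, src, dst, dport) from log lines; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(text, min_events=4, max_cv=0.2):
    """Flag flows whose connection gaps are regular: cv = pstdev/mean <= max_cv."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # max_cv leaves room for the jitter real beacons add to their interval
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "events": len(times), "mean_gap_s": round(mean, 1),
                             "cv": round(cv, 3),
                             "non_standard_port": dport not in STANDARD_PORTS})
    return sorted(findings, key=lambda f: f["cv"])
```

Tune `min_events` and `max_cv` against a baseline of known-good traffic before alerting on them, since software updaters and monitoring agents also poll on fixed intervals.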