cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Threat report reveals 3 new RAT variants running rampant

Avast Threat Labs has found that businesses and consumers have been experiencing an increase in ransomware and remote access Trojan (RAT) attacks in its Q3'21 Threat Report.

user icon Nastasha Tupas
Thu, 18 Nov 2021
Threat report reveals 3 new RAT variants running rampant
expand image

Avast Threat Labs saw the risk ratio of ransomware attacks go up by 5 per cent in Q3 versus Q2, and even up by 22 per cent versus Q1 2021, after blocking the massive supply chain attack on IT management software provider Kaseya and its customers, with Sodinokibi/REvil ransomware on more than 2.4k end points.

Following political involvement, the ransomware operators released the decryption key and Sodinokibi’s infrastructure went down, with no new variants seen in the wild until 9 September, when Avast detected and blocked a new variant.

The researchers found that RATs which spread further in Q3 2021 in comparison to previous quarters, threatened businesses and consumers. RATs can be used for industry espionage, credentials theft, stalking and even distributed denial of service (DDoS) attacks with the new variants demonstrating mechanisms used by exploit kits and by the mobile banking Trojan FluBot.


Three new RAT variants have been identified by Avast Threat Labs, including FatalRAT with anti-VM capabilities, VBA RAT, which exploits the Internet Explorer vulnerability CVE-2021-26411 and a new version of Reverse RAT with build number 2.0 which added web camera photo taking, file stealing and anti-AV capabilities.

RATs can be a fundamental threat for businesses, as they can be used for industry espionage, according to Jakub Kroustek, Avast malware research director.

“However, RATs can also be used against consumers, for example, to steal their credentials, to add their computers to a botnet to drive DDoS attacks, and unfortunately, for cyber stalking, which can do massive harm to an individual’s privacy and wellbeing,” Kroustek said.

In Q3, Avast threat researchers also observed novel scenarios in spreading this malware, which included fake claims of leaked personal photos, or posing as voicemail recorders. The most extreme of these variants would even lure the victim to a fake page that would claim the victim has already been infected by FluBot when they probably weren’t yet and trick them into installing a “cure” for the “infection”. This “cure” would in fact be the FluBot malware itself.

The Avast Threat Labs also monitored new tactics on the mobile front, with FluBot, an Android SMS banking threat, changing its social engineering approach.

One of the most significant increases in RATs activity in the quarter was the increase in rootkit activity at the end of Q3, after Avast threat researchers recorded a significant increase in rootkit activity. A rootkit is a malicious software designed to give unauthorised access to cyber criminals, with the highest system privileges, and commonly provide services to other malware in the user mode.

Avast Threat Labs has also observed the return of exploit kits, with notable new features that include capability to target Google Chrome vulnerabilities.

PurpleFox has been identified as the most active exploit kit during Q3 after Avast protected over 6,000 users per day on average. Rig and Magnitude were also prevalent throughout the whole quarter and the Underminer exploit kit woke up after a long period of inactivity, sporadically serving HiddenBee and Amadey.

Some exploit kits, especially PurpleFox and Magnitude, are under heavy development, regularly receiving new features and exploitation capabilities.

FluBot continued to expand from where initially it was targeting Europe in Q2 – Spain, Italy, Germany, to later spread throughout the rest of Europe and other countries like Australia and New Zealand.

[Related: Emotet: World’s most dangerous malware returns]

Nastasha Tupas

Nastasha Tupas

Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.