Full Report
In October 2018, Vyacheslav Kopeytsev, Security Researcher, Critical Infrastructure Threat Analysis, spoke at MALCON 2018, the 13th IEEE International Conference on Malicious and Unwanted Software, held this year in Massachusetts, USA.
Analysis Summary
# Tool/Technique: Remote Administration Tools (RATs) in ICS Environments
## Overview
This summary covers the misuse of both legitimate Remote Administration Tools (RATs) and malicious Remote Access Trojans within Industrial Control Systems (ICS). While often used by system administrators for legitimate network management and remote support, these tools are frequently exploited by threat actors to gain unauthorized access, maintain persistence, and control industrial processes due to misconfigurations and human error.
## Technical Details
- **Type:** Two classes under one label: malicious Remote Access Trojans (malware), and legitimate remote administration tools misused by attackers or left exposed by their owners.
- **Platform:** Windows (the usual OS for HMIs and Engineering Workstations), plus the industrial automation systems reachable from those hosts.
- **Capabilities:** Remote desktop control, file transfer, shell execution, keyboard/mouse interception, and system monitoring.
- **First Seen:** Not applicable to a tool class in continuous use; the research summarized here was presented in October 2018.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1133 - External Remote Services]
- **[TA0003 - Persistence]**
- [T1133 - External Remote Services] (a legitimate remote-access service left enabled is persistence in itself)
- **[TA0005 - Defense Evasion]**
- [T1218 - System Binary Proxy Execution]
- [T1070 - Indicator Removal]
- **[TA0007 - Discovery]**
- [T1082 - System Information Discovery]
- **[TA0009 - Collection]**
- [T1113 - Screen Capture]
- **[TA0011 - Command and Control]**
- [T1219 - Remote Access Software] (Primary focus of the research)
- [T1105 - Ingress Tool Transfer] (payload delivery over the established remote session)
## Functionality
### Core Capabilities
- **Remote Surveillance:** Real-time monitoring of operator screens (Human-Machine Interfaces).
- **File Management:** Ability to upload malicious payloads or download sensitive configuration files and project logic.
- **System Command Execution:** Full shell access to execute OS-level commands on critical industrial workstations.
### Advanced Features
- **Living off the Land (LotL):** Using legitimate tools already present on the host (TeamViewer, RDP, VNC) so that no malicious binary exists for signature-based security products to match.
- **Bypassing Perimeter Security:** Tunneling attacker traffic over ports and services the firewall already permits for administration, so it crosses the industrial demilitarized zone (IDMZ) without a new rule.
## Indicators of Compromise
*Note: Specific hashes were not provided in the summary article; the following are behavioral indicators associated with the presented research.*
- **File Names:** Common legitimate installers (e.g., `TeamViewer_Setup.exe`, `vncviewer.exe`) appearing in unauthorized directories.
- **Network Indicators:**
- Outbound traffic from ICS hosts to remote desktop service providers (e.g., `*[.]teamviewer[.]com`, `*[.]logmein[.]com`).
- Inbound connections from the internet to the standard VNC (5900-5901) or RDP (3389) ports on ICS hosts, where no remote access should be reachable from outside at all.
- **Behavioral Indicators:**
- Creation of new administrative accounts via remote shell.
- Unexpected termination of local operator sessions.
- Large data transfers during non-business hours from Engineering Workstations.
## Associated Threat Actors
- **General ICS Threat Actors:** Various APT groups targeting critical infrastructure.
- **Opportunistic Attackers:** Cybercriminals exploiting weak passwords on internet-facing remote access points.
## Detection Methods
- **Behavioral Detection:** Monitoring for atypical login times and unauthorized source IP addresses attempting to access industrial management consoles.
- **Network Analysis:** Identifying "heartbeat" traffic to remote administration cloud services from within the ICS network.
- **Audit Logs:** Reviewing OS and application logs for the installation of unauthorized remote access software.
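The indicators and detection methods above can be expressed as a small offline triage over two record types a plant would normally have: firewall flow records and Windows Security logon events. The script below is an added example, not code from the talk or from Kaspersky ICS CERT; the site address plan, business hours, SaaS domain list, thresholds and every log record in it are constructed assumptions. It implements four of the checks listed above: internet-sourced connections to RDP/VNC ports on ICS hosts, ICS hosts contacting remote-administration cloud services (flagged as a heartbeat when the interval is regular), RDP logons that are off-hours or from outside the site, and account creation shortly after such a logon.

```python
"""Offline triage of constructed flow records and Windows logon events for the
RAT indicators in this summary. Added example; not from the talk or from
Kaspersky ICS CERT. Address plan, hours, domain list, thresholds and all
records below are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed site address plan: anything outside these ranges is "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICS_NET = ipaddress.ip_network("10.20.0.0/16")            # assumed OT range
BUSINESS_HOURS = (time(7, 0), time(19, 0))                 # assumed shift window
RAT_SAAS_SUFFIXES = ("teamviewer.com", "logmein.com", "anydesk.com")  # assumed list
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed firewall flow records: (timestamp, src_ip, dst_ip, dst_port, server_name)
FLOWS = [
    ("2018-10-23 03:12:04", "10.20.5.17", "52.10.1.4", 443, "router1.teamviewer.com"),
    ("2018-10-23 03:13:05", "10.20.5.17", "52.10.1.4", 443, "router1.teamviewer.com"),
    ("2018-10-23 03:14:04", "10.20.5.17", "52.10.1.4", 443, "router1.teamviewer.com"),
    ("2018-10-23 09:00:10", "10.20.5.17", "10.20.1.2", 443, "hist.plant.local"),
    ("2018-10-23 02:41:33", "198.51.100.23", "10.20.5.40", 3389, ""),
    ("2018-10-23 10:15:00", "10.20.1.9", "10.20.5.40", 3389, ""),
    ("2018-10-23 22:05:12", "203.0.113.8", "10.20.5.41", 5900, ""),
]
# Constructed Windows Security events: (timestamp, event_id, account, logon_type, src_ip).
# 4624 = successful logon (logon type 10 = RemoteInteractive, i.e. RDP); 4720 = account created.
EVENTS = [
    ("2018-10-23 02:41:40", 4624, "operator", 10, "198.51.100.23"),
    ("2018-10-23 02:43:01", 4720, "svc_maint", None, "-"),
    ("2018-10-23 09:05:00", 4624, "operator", 10, "10.20.1.9"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_external(ip_str):
    """True when the address is outside the site's own ranges (no reliance on
    ipaddress.is_private, which also treats documentation ranges as private)."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)

def in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]

def is_rat_saas(host):
    """Suffix match on the label boundary, so 'teamviewer.com.evil.example' does not match."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in RAT_SAAS_SUFFIXES)

def triage_flows(flows):
    """Internet-sourced RDP/VNC into the ICS range, and ICS hosts talking to
    remote-admin SaaS; a regular interval between those contacts is a heartbeat."""
    alerts, contacts = [], defaultdict(list)
    for ts_s, src, dst, dport, sni in flows:
        if dport in REMOTE_ACCESS_PORTS and ipaddress.ip_address(dst) in ICS_NET and is_external(src):
            alerts.append((ts_s, "INTERNET_TO_REMOTE_ACCESS_PORT",
                           f"{src} -> {dst}:{dport} ({REMOTE_ACCESS_PORTS[dport]})"))
        if ipaddress.ip_address(src) in ICS_NET and is_rat_saas(sni):
            contacts[(src, sni)].append(parse_ts(ts_s))
    for (src, host), times in contacts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Three or more connections with at most 20% jitter between them reads as a keep-alive.
        periodic = len(gaps) >= 2 and (max(gaps) - min(gaps)) <= 0.2 * max(gaps)
        kind = "RAT_SAAS_HEARTBEAT" if periodic else "RAT_SAAS_CONTACT"
        detail = f"{src} -> {host}, {len(times)} connections"
        if periodic:
            detail += f", every ~{sum(gaps) / len(gaps):.0f}s"
        alerts.append((times[0].strftime("%Y-%m-%d %H:%M:%S"), kind, detail))
    return alerts

def triage_events(events):
    """RDP logons that are off-hours or from outside the site, and an account
    created within CORRELATION_WINDOW of one (new admin via the remote session)."""
    alerts, suspicious_logons = [], []
    for ts_s, event_id, account, logon_type, src in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_s)
        if event_id == 4624 and logon_type == 10:
            reasons = []
            if not in_business_hours(ts):
                reasons.append("off-hours")
            if src != "-" and is_external(src):
                reasons.append("external source")
            if reasons:
                suspicious_logons.append(ts)
                alerts.append((ts_s, "SUSPICIOUS_RDP_LOGON", f"{account} from {src} ({', '.join(reasons)})"))
        elif event_id == 4720:
            recent = [t for t in suspicious_logons if timedelta(0) <= ts - t <= CORRELATION_WINDOW]
            kind = "ACCOUNT_CREATED_AFTER_SUSPICIOUS_LOGON" if recent else "ACCOUNT_CREATED"
            alerts.append((ts_s, kind, f"new account {account}"))
    return alerts

def triage(flows=FLOWS, events=EVENTS):
    return sorted(triage_flows(flows) + triage_events(events))

if __name__ == "__main__":
    for ts, kind, detail in triage():
        print(f"{ts}  {kind:<40} {detail}")
```

On the constructed data this raises five alerts: two internet-to-RDP/VNC connections, one TeamViewer heartbeat from an ICS host at a steady one-minute interval, one off-hours RDP logon from an external address, and an account creation eighty seconds after that logon. The flow from the engineering subnet to the HMI during the day shift and the contact with the local historian raise nothing, which is the behaviour a plant SOC needs if the rules are to stay enabled.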
## Mitigation Strategies
- **Network Segmentation:** Place a strictly firewalled IDMZ (or a physical air gap where the process allows it) between the ICS network and the corporate/internet environment, and permit remote access into the ICS only through a jump host in that IDMZ.
- **Multi-Factor Authentication (MFA):** Mandatory MFA for all remote access sessions entering the industrial environment.
- **Least Privilege:** Disable every remote access service on HMIs and Engineering Workstations that is not required for a documented maintenance task, and bind the remaining ones to the management interface only.
- **Application Allow-listing:** Implement application control so that unauthorized RAT installers and portable remote-access binaries cannot execute.
## Related Tools/Techniques
- **VNC (Virtual Network Computing):** Often found misconfigured without passwords in ICS environments.
- **TeamViewer / AnyDesk:** Frequently used as "shadow IT" by third-party contractors for remote maintenance.
- **RDP (Remote Desktop Protocol):** A primary target for brute-force attacks on industrial gateways.