Police Target Remote Access Trojan Use

15 Arrested In RAT-Related Raids Across Europe
European police have announced 15 arrests designed to stem the use of remote-access Trojans. Such malware has been tied to hundreds of thousands of infections worldwide.

The anti-RAT operation was led by French police, coordinated by Europol's European Cybercrime Center, and resulted in arrests across Estonia, France, Italy, Latvia, Norway, Romania and the United Kingdom.

In the United Kingdom, the National Crime Agency - known as the "British FBI" - has announced the arrest of four people in Leeds, including two 33-year-old men, one 30-year-old woman, and a 20-year-old man, none of whom have been named. Police say they also executed a search warrant on a 19-year-old man from Liverpool, who's currently being questioned by police.

The arrests follow an FBI-led operation in May that resulted in the arrests of 100 alleged Blackshades RAT users across more than a dozen countries. At the time, authorities said the malware had been sold or distributed to thousands of people in more than 100 countries, and used to infect more than 500,000 PCs worldwide.

The latest crackdown highlights that the threat to consumers and businesses from RAT users is real. "Criminals who successfully deploy RATs can gain complete control over target computers, wherever they are in the world," an NCA statement warns. Police officials say attackers often tap such tools to spy on women or girls via webcams, access consumers' banking and other personal details, commit extortion and turn machines into launch pads for distributed denial-of-service attacks.

The arrests are meant "to send a strong signal to the criminals using this toxic RAT malware and, at the same time, engage with the predominantly younger individuals involved, to discourage them from pursuing this criminal path," says Troels Oerting, head of Europol's European Cybercrime Center. "Crimes committed online are sometimes perceived to be 'less serious' by these young offenders as they cannot physically see the victim or the effects of their crimes. Of course, this is simply not the case, and their criminal activities will not be tolerated in cyberspace."

Law enforcement officials say that simply possessing a remote-access tool isn't illegal. In fact, remote-access tools are often used for IT support purposes in corporate environments. But using such tools - never mind purpose-built remote-access Trojans - for illegal purposes is a different story. "Suspected users of RATs are continuing to find that, despite having no physical contact or interaction with their victims, they can still be identified, tracked down and arrested by the NCA and its partners," says Andy Archibald, deputy director of the NCA's National Cyber Crime Unit.

Law enforcement officials say they hope that this week's arrests will be a wake-up call for potential victims. "An important aim of this European action is to inform the general public about the threat posed by this type of malware," Europol says in a statement. "Examples of some well-known RATs are Blackshades, Poison Ivy, and Dark Comet." UK police, meanwhile, have recommended consumers regularly review the government's Get Safe Online website to learn about how to better defend themselves against potential RAT attacks. "Victims are typically infected by being convinced to click on a link purporting to be a picture or video, or disguised as a legitimate file, but is instead an installer for the RAT," the NCA says. "In many cases, those who unwittingly install such Trojans will have no indication that their machine is infected."

While RATs can be used to spy on consumers, they're also regularly deployed against businesses and government agencies. For example, the RAT known as Poison Ivy has been tied to the 2011 breach of EMC's RSA security division, which reportedly resulted in sensitive information about the company's two-factor authentication SecurID system being compromised by attackers.

Europol says further RAT-related investigations are under way, and it expects to make similar arrests next year.

Beyond targeting alleged RAT users, law enforcement agencies have also tried targeting RAT tool developers themselves. In 2012, for example, police arrested the alleged developer of Blackshades. But according to research published by Symantec, that arrest did nothing to disrupt the use of the Blackshades RAT.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
