The Stack Archive

RAT-catching: Smooth cyber-criminals give themselves away during banking transactions

Thu 5 Mar 2015


A security company claims that the actors behind malware derivatives of Remote Administration Tools (RATs) can be identified by hesitations and cursor movement. An article by Dr. Itai Novick of Biocatch outlines a system of behavioural analysis which is claimed to accurately individuate the minor deviations from normal keyboard-and-mouse user behaviour that characterise a RAT actor.

“Simply put,” says Dr. Novick, “a RAT’s keyboard typing or cursor movement will often cause delayed visual feedback which in turn results in delayed response time; the data is simply not as fluent as would be expected from standard human behavior data.”

The graph below indicates three factors registered in two genuine cases of RAT-actor online fraud: movement fluency, typing fluency and clicking fluency.


A separate report by Biocatch details the real-time JavaScript-based detection used to intercept RAT characteristics in online banking transactions: “RATs have been used by nation states and hacktivists for many years, but only recently have we seen this remote access attack vector migrate to online banking fraud, where the main use is to neutralize all device-related defenses such as device recognition, IP geolocation, and proxy detection. Existing fraud detection solutions that attempt to identify unknown or infected devices are not designed to spot RATs, leaving banks vulnerable to remote access attacks.”

Israeli company Biocatch, formed in 2011 by a group of neural research scientists, uses a Cognitive Behavioural Analysis technique which challenges the potential RAT, triggering the hesitations and ‘deviant’ input behaviour.

The company’s own commercial solution is claimed to engage only with genuine RAT interactions, which are identified by the latency introduced by the proxy server an attack of this kind inevitably involves; that latency triggers a screen refresh – a signature of RAT trojan interception.

The anomalies identified by Biocatch are based on datasets of regular and genuine equivalent online banking activity.
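The fluency idea described above, as an added example that is not Biocatch’s code: it scores the three input channels the article names from constructed browser event timestamps and flags a session whose scores fall well below a genuine baseline. The stall limits, the 0.6 ratio and the shapes of the two sessions are assumptions.

```javascript
// Added example, not Biocatch's code: a toy "fluency" scorer over constructed
// browser input timestamps (ms). Stall thresholds and the 0.6 ratio are assumed.

function tsFromGaps(gaps) {               // cumulative timestamps from a gap list
  const ts = [0];
  for (const g of gaps) ts.push(ts[ts.length - 1] + g);
  return ts;
}
const repeat = (pattern, n) => Array.from({ length: n }, () => pattern).flat();

// Fluency in [0,1]: share of gaps shorter than stallMs, penalised by the
// coefficient of variation of the gaps. Proxy-induced stalls lower both.
function fluency(timestamps, stallMs) {
  const gaps = [];
  for (let i = 1; i < timestamps.length; i++) gaps.push(timestamps[i] - timestamps[i - 1]);
  if (gaps.length === 0) return 1;
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const sd = Math.sqrt(gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length);
  const cv = mean > 0 ? sd / mean : 0;
  const smooth = gaps.filter((g) => g < stallMs).length / gaps.length;
  return smooth / (1 + cv);
}

// The three factors named in the article, with assumed per-channel stall limits.
function scoreSession(s) {
  return {
    movement: fluency(s.mouseMoveTs, 100),   // mousemove samples, ~16 ms apart
    typing: fluency(s.keyTs, 800),           // keydown events
    clicking: fluency(s.clickTs, 2000),      // click events
  };
}

// Flag a session if any factor falls below `ratio` of the genuine baseline.
function flagRatLike(session, baseline, ratio = 0.6) {
  const got = scoreSession(session), ref = scoreSession(baseline);
  return Object.keys(ref).some((k) => got[k] < ratio * ref[k]);
}

// Constructed sessions: a local user versus one driven through a RAT proxy,
// where every few events arrive late (delayed visual feedback -> stalls).
const genuine = {
  mouseMoveTs: tsFromGaps(repeat([16], 50)),
  keyTs: tsFromGaps(repeat([150], 20)),
  clickTs: tsFromGaps(repeat([1000], 5)),
};
const ratDriven = {
  mouseMoveTs: tsFromGaps(repeat([16, 16, 16, 16, 400], 10)),
  keyTs: tsFromGaps(repeat([150, 150, 150, 1200], 5)),
  clickTs: tsFromGaps([1000, 3000, 1000, 3500]),
};

console.log(scoreSession(ratDriven), flagRatLike(ratDriven, genuine));
```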

RAT malware, whose ironic name sprang from very business-like roots as helpdesk software, is typically spread via indiscriminate ‘drive-by download’ techniques, in which out-of-date software combined with infected web pages leaves users vulnerable. Infections can also be targeted, induced via ‘spear-phishing’ mails or ‘watering hole’ sites likely to yield abundant victims.

Among the most famous RAT trojans was Back Orifice, developed by a hacker in the late 1990s with the supposed intention of demonstrating to Microsoft the extent of the security vulnerabilities in its suite of popular Office software.

A successful RAT intruder gains the highest level of control, allowing registry edits, screenshotting, file operations, mouse takeover and task control, among other privileges.

