Moker RAT Moves Out Wildly Across the Internet

Infosecurity-magazine.com published news on 8th October, 2015, quoting security experts of Israeli cyber-security start-up enSilo as saying, “We have found a fresh Remote Access Trojan (RAT) in the wild dubbed Morker which is capable to take complete control of the victim’s computer”.

According to enSilo, Moker is unique while bypassing and its ability to disable security measures. This includes everything from security-dedicated measures like antivirus, sandboxing and virtual machines to built-in security enhancements of Window like User Access Control (UAC).

enSilo analysed and said that Moker targets Windows machines and can take control of the victim’s machine. It does this by creating a fresh user account and opening an RDP canal to gain distant control of the victim’s device, but it can also operate without a command and control (C&C) server and can receive its commands locally through a hidden control panel.

This means that a threat actor can also login through something like a VPN using legitimate credentials of user, and operate the #malware on the infected device and could be considered a “local access Trojan” or LAT.

Threatpost.com published news on 7th October, 2015, quoting Yotam Gottesman, a Senior Security Researcher of enSilo, as saying that (Moker’s) detection evasion tactics include encryption of its own self along with a two-step installation.

RAT could become a real trouble-maker for users if it is implanted on a system. A cybercriminal could somewhat gain complete control of the system to take screenshots, smell keystrokes, record online traffic besides exfiltrating files. They could also force the malware to open fresh user accounts, amend security settings and infuse malicious code during runtime on the system.

It is exactly not clear that who is behind the malware – enSilo highlights that the RAT communicated with a Montenegro-based server, a tiny Balkan nation bordering Serbia and Kosovo, but admits that this was perhaps carried out to throw-off law enforcement agencies and researchers.

Moker has not been spotted in VirusTotal and to guard against it, the firm suggested that organisations “block in real-time all maligned outbound communications, foil real-time maligned tampering of files and follow up on real maligned communicating/tampering attempts in trying to execute attack forensics”.

This article first appeared on SPAMfighter with the original article found here.