VanToMRAT

By GoldSparrow in Trojans

Threat Scorecard

Ranking: 14,621
Threat Level: 80 % (High)
Infected Computers: 58
First Seen: October 26, 2016
Last Seen: July 24, 2023
OS(es) Affected: Windows

VanToMRAT is a threatening tool used to manage infected machines remotely. The VanToMRAT software is a Remote Access Tool (RAT) that is promoted to potential buyers at Rekings.com, which is a market for Trojans, keyloggers and RATs on the Internet. Customers at Rekings.com can download VanToMRAT for free, and if they like what it offers, they can receive updates and improvements by purchasing a license. The author of VanToMRAT aimed the software at botnet operators that need a reliable central hub and hackers that could use remote PCs as proxies for their operations. VanToMRAT is said to be stable and stealthy—two qualities that are imperative to threat actors looking to cause trouble on the Internet without being detected.

Security experts note that VanToMRAT packs more than simple file extraction, connection rerouting, and information gathering capabilities. VanToMRAT is an advanced remote access Trojan that can be deployed to users via spam emails loaded with macro-enabled documents and JavaScript-enabled ZIP archives. It is also possible to install VanToMRAT on targeted computers by using Trojan Droppers like Poshkod and Fedripto. Compromised computers can be managed by a server hub installed on the attacker's PC.

The VanToMRAT server hosts are programmed to send metrics like IP address, Windows version, the country of origin, a screenshot of the desktop and a list of running programs to the server hub, as long as the PC is running. The VanToMRAT program might be listed in the Windows task manager as a service and execute control code without the user's notice. Analysts note that VanToMRAT can access video and audio feeds from the camera and microphone connected to the infected machine and send the multimedia feed to a third party. The manager of VanToMRAT can access the file system of infected computers and perform file operations like editing existing data and deleting and moving objects. More advanced features of VanToMRAT include:

  • Copy content from the clipboard
  • Detect geographical location of the device by using Google Maps
  • Download and run executables
  • Edit keys in the Registry
  • Enter commands via CMD
  • Log keystrokes
  • Perform DDoS attacks
  • Run scripts
  • Collect passwords from the browser

The maker of VanToMRAT included a specialized toolset titled 'Fun' that allows the operator to do annoying tricks with the infected PC. A remote manager can use VanToMRAT to:

  • Log off the user forcibly
  • Open/Close CD-ROM
  • Restart and shutdown the PC remotely
  • Reverse the mouse movement
  • Show/hide the clock
  • Show/hide the taskbar icons and the taskbar itself
  • Turn on/off the monitor

Experts warn that VanToMRAT can be used to execute DDoS attacks on servers and perform illicit actions. Removing the VanToMRAT software should be a priority for infected users. VanToMRAT might use a rootkit to hide its files, and users are not likely to recognize a suspicious program without proper education. You should consider using a credible anti-malware suite to terminate the connections used by VanToMRAT and the threat running on the machine.

File System Details

VanToMRAT may create the following file(s):

#    File Name    MD5                                 Detections
1.   file.exe     6f445df41fda54eac339a9fa3c38f211    0

Directories

VanToMRAT may create the following directory or directories:

%APPDATA%\VanToM Folder
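
A sweep for the two indicators listed above, as an added example that is not part of the original page. The function name and the choice to hash every file inside the folder are assumptions (the page does not say where file.exe is written), as is the layout of one AppData\Roaming directory per profile under Users.

```powershell
# Added example: checks each user profile for the directory and MD5 listed on this page.
# Run elevated so other users' profiles are readable.
$KnownMd5   = '6f445df41fda54eac339a9fa3c38f211'   # file.exe, value from the page
$FolderName = 'VanToM Folder'                      # created under %APPDATA%, from the page

function Find-VanToMIndicators {                   # hypothetical name
    param(
        # Assumption: profiles live under <SystemDrive>\Users. Pass other roots
        # (for example the Users tree of a disk image mounted read-only) to scan offline.
        [string[]]$AppDataRoots = (
            Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' })
    )
    foreach ($root in $AppDataRoots) {
        $dir = Join-Path $root $FolderName
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        # The directory itself is an indicator, whatever it contains.
        [pscustomobject]@{ Indicator = 'Directory'; Path = $dir; MD5 = $null; HashMatch = $false }

        # List every file in it (including hidden ones) with its MD5 for triage.
        Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{
                    Indicator = 'File'
                    Path      = $_.FullName
                    MD5       = $hash
                    HashMatch = ($hash -eq $KnownMd5)   # -eq is case-insensitive for strings
                }
            }
    }
}

$hits = @(Find-VanToMIndicators)
if ($hits.Count -eq 0) { 'No VanToMRAT indicators from this page were found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

Because the page notes that VanToMRAT might use a rootkit to hide its files, an empty result on a live system is not conclusive; pointing `-AppDataRoots` at an offline-mounted copy of the disk avoids relying on the running OS.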
