
RDAT Backdoor Trojan

By GoldSparrow in Backdoors

Recently, a telecommunications company in the Middle East reported a cyberattack that penetrated its defenses and caused significant damage. The threat used in the intrusion is the RDAT Backdoor Trojan. The variant deployed in this latest attack appears to be new and improved compared to older samples of the threat. According to malware analysts, the RDAT Backdoor Trojan has been updated by the infamous OilRig hacking group, which is also tracked as Helix Kitten and APT34. OilRig is believed to operate out of Iran. Most of APT34's campaigns rely on social engineering, typically spear-phishing, to deliver the threatening payload to the targeted user; however, it has not been disclosed whether the same delivery method was used to propagate the RDAT Backdoor Trojan in this case.

Most malware depends on an HTTP connection to receive commands from the attackers' C&C (Command & Control) servers. The RDAT Backdoor Trojan, however, adds a much stealthier technique: steganography. By using steganography, the OilRig hacking group can hide commands and data inside otherwise ordinary images. The RDAT Backdoor Trojan uses a .BMP image attached to an email, and that mailbox exchange serves as the communication channel. The RDAT Backdoor Trojan reads the image delivered via email to recover the attackers' commands, and it can exfiltrate data from the compromised host the same way, by hiding it in a BMP image that is sent back out as an email attachment. Because the traffic looks like routine mail with image attachments rather than beaconing to an unusual host, it can slip past controls that only watch for HTTP C&C patterns.
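To make the steganographic channel concrete, here is an added example that is not RDAT's code and not from the original report: the page does not describe how OilRig actually encodes commands inside its BMP files, so this script uses the simplest generic scheme, least-significant-bit (LSB) embedding, to hide a length-prefixed payload in the pixel bytes of a 24-bit BMP and recover it again. The carrier image, the sample command string and the toy `lsb_ones_ratio` heuristic are all constructed for illustration. The same embed/extract pair models both directions of the channel described above: commands hidden in an inbound attachment, collected data hidden in an outbound one.

```python
import struct


def make_bmp(width: int, height: int, bgr=(0x40, 0x80, 0xC0)) -> bytes:
    """Constructed carrier: a valid 24-bit uncompressed BMP filled with one colour."""
    stride = (width * 3 + 3) & ~3          # BMP rows are padded to 4-byte boundaries
    pixel_bytes = stride * height
    header_size = 14 + 40                  # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", header_size + pixel_bytes, 0, 0, header_size)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(bgr) * width + b"\x00" * (stride - width * 3)
    return file_header + info_header + row * height


def _pixel_byte_offsets(bmp: bytes):
    """Yield file offsets of real pixel bytes (row padding excluded), parsed from the headers."""
    data_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("only 24-bit BMPs are handled by this example")
    stride = (width * 3 + 3) & ~3
    for r in range(abs(height)):           # negative height means top-down rows; same layout
        base = data_offset + r * stride
        for i in range(width * 3):
            yield base + i


def embed(bmp: bytes, payload: bytes) -> bytes:
    """Hide a 4-byte length prefix plus payload in the LSB of each pixel byte, MSB-first."""
    framed = struct.pack("<I", len(payload)) + payload
    offsets = list(_pixel_byte_offsets(bmp))
    if len(framed) * 8 > len(offsets):
        raise ValueError(f"carrier holds {len(offsets) // 8} bytes, payload needs {len(framed)}")
    out = bytearray(bmp)
    bits = ((b >> (7 - k)) & 1 for b in framed for k in range(8))
    for off, bit in zip(offsets, bits):    # zip stops when the payload bits run out
        out[off] = (out[off] & 0xFE) | bit
    return bytes(out)


def extract(bmp: bytes) -> bytes:
    """Reverse of embed(): read the length prefix, sanity-check it, then read the payload."""
    offsets = list(_pixel_byte_offsets(bmp))

    def read(bit_pos: int, n: int) -> bytes:
        out = bytearray()
        for i in range(n):
            v = 0
            for k in range(8):
                v = (v << 1) | (bmp[offsets[bit_pos + i * 8 + k]] & 1)
            out.append(v)
        return bytes(out)

    (length,) = struct.unpack("<I", read(0, 4))
    if (4 + length) * 8 > len(offsets):
        raise ValueError("length prefix exceeds carrier capacity: not a payload from embed()")
    return read(32, length)


def lsb_ones_ratio(bmp: bytes) -> float:
    """Toy heuristic: fraction of pixel-byte LSBs set to 1.

    A flat-colour carrier gives exactly 0.0 or 1.0; embedding pushes the used region toward
    ~0.5. Real photographs already sit near 0.5, so this is a demonstration, not a detector.
    """
    offs = list(_pixel_byte_offsets(bmp))
    return sum(bmp[o] & 1 for o in offs) / len(offs)


if __name__ == "__main__":
    carrier = make_bmp(64, 64)
    # Constructed sample "command" standing in for whatever the real operator would send.
    cmd = b"screenshot;upload C:\\Users\\Public\\report.txt"
    stego = embed(carrier, cmd)
    recovered = extract(stego)
    print("recovered:", recovered.decode())
    print("same size as carrier:", len(stego) == len(carrier))
    print("LSB ratio clean/stego: %.4f / %.4f" % (lsb_ones_ratio(carrier), lsb_ones_ratio(stego)))
```

The file size and every header byte are unchanged after embedding, which is why attachment-size or magic-byte checks do not notice anything; a defender who wants to catch this kind of channel has to look at mail flow itself (unexpected image attachments exchanged on a schedule with the same external mailbox) rather than at the image format.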

It would appear that the OilRig hacking group is also using the Mimikatz credential-dumping tool alongside the RDAT Backdoor Trojan in its latest campaigns, which allows the attackers to harvest login credentials from compromised hosts. Furthermore, the RDAT Backdoor Trojan is capable of:

  • Taking screenshots of the user's desktop and active windows.
  • Uploading files.
  • Downloading files.
  • Executing files.
  • Restarting itself.
  • Self-destructing (removing itself from the host).

The data that the RDAT Backdoor Trojan collects is staged in a hidden folder on the compromised host. As mentioned above, the RDAT Backdoor Trojan then uses steganography to exfiltrate the contents of that folder to the attackers' C&C server.

The OilRig APT is believed to be backed by Iran's government and is likely carrying out attacks in the interest of senior political actors. This explains why the OilRig hacking group goes after high-value targets in the Middle East, such as the telecommunications provider hit in this campaign.
