Babylon RAT Remote Access Trojan

Babylon RAT is an open source remote access trojan (RAT) recently observed being distributed as part of a phishing campaign. Babylon RAT can steal data, including passwords from web browsers, download and execute files, trigger denial of service attacks and hide from network security controls.

Threat ID:: CC-3068
Category:: Trojan, DOS
Threat Severity:: Medium
Threat Vector:: Phishing
Published:: 22 May 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Mozilla Firefox

Microsoft Windows - All versions

Mozilla Firefox ESR

Threat details

When executed, Babylon RAT gathers system information and active program details before sending them to the command and control (C2) server. The C2 communications are encrypted and can utilise multiple dynamically-generated domains.

Babylon RAT enables the threat actor to interact with affected devices in real time. A host can be made to act as a SOCKS proxy in order to capture network traffic from multiple other infected hosts. This technique can bypass network security measures and requires only a single exit point from the affected network to be maintained.

Remediation steps

Type	Step
	To prevent and detect a trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect a trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:53 pm