RATicate Malware Campaign

A new advanced persistent threat group, known as RATicate, has been delivering a number of well-known remote access trojans and information stealers in several campaigns of the same name. First observed in November 2019, the group appear to primarily target industrial, telecommunications, and manufacturing organisations in the UK, Europe, East Asia, and the Middle East.


Affected platforms

The following platforms are known to be affected:

Threat details

RATicate uses two separate infection chains to deliver payloads. The first uses Agent Tesla, BetaBot, BlackRAT, Bladabindi, Formbook, Netwire, Lokibot, and Remcos. Certain components of the command and control infrastructure are used across multiple campaigns. It is unclear whether RATicate are operating these campaigns in order to use the access and data they collect themselves, or if they are acting as a malware-as-a-service provider for other attackers.


Remediation steps

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Last edited: 10 January 2022 2:54 pm