Grabit and scarper. Beware of the RAT

Attacks to steal companies’ proprietary data are limited to massive enterprises aren’t they? Well at least that’s what you might think from reading the newspapers. You would of course be very wrong.

Between February and March this year, it has been disclosed by Kaspersky, that a really nasty piece of Malware which calls itself GRABIT (how cheeky is that?) has been doing the rounds and stealing files from small and mid sized companies in the nanotechnology, education and media sectors. Predominately attacking resources in India, USA and Israel (further proving that the UK are old news!) this piece of malware has some interesting features:

  • There are many different versions of Grabit with varied functionality.
  • It incorporates Remote Access Trojan (RAT) software of many different types including our old favourites DarkComet and HawkEye.
  • It makes absolutely no attempt to hide itself
  • It uses easily detectable communications to static Command and Control (C2) servers:

Obviously, ITC has configured our NetSure360° platform to alert on traffic to and from these addresses and our customer’s systems to block them, however the targets for this attack are predominately small outfits which probably don’t even have a dedicated sysadmin, let alone a security geek or an SIEM platform!

You can read Kaspersky’s very informative brief here:

What is striking about this attack is the fact that it makes no attempt to hide, is easily detectable, uses multiple RAT technologies and has so many variants. Is it, we wonder an initial skirmish before the real smash and grab? Is it some researchers having a play, or is it a concerted effort to gain proprietary information in these specific verticals? Answers on a postcard please.

We think that details of this malware need to be more widely shared, so please spread the word to your pals with small businesses and have them contact us if they need any advice.

ITC’s NetSure360°platform allows smaller organisations to implement affordable, enterprise grade infrastructure security. If you would like to know all about it, please contact us at [email protected] or call 020 7517 3900.