[Studying] Inside Different Generations of RATs

Background

Recently, I have been developing different types of remote access tools (RATs).
My interest in RAT development originates from personal curiosity and long-term fascination with how remote control malware works internally.

Years ago, when I was a beginner in cybersecurity (and by "beginner" I truly mean knowing almost nothing beyond simple denial-of-service attempts using the ping command in cmd.exe), I used to download numerous tools from various websites. At that time, I barely understood operational security or the risks involved. However, experimenting with existing tools was, in my case, the only accessible way to explore cybersecurity as a middle school student.

Over the years, my perspective has changed. Instead of merely using tools, I became more interested in understanding how they are designed and implemented. Today, I have published several remote access tools for educational and research purposes, such as DuplexSpy and Eden-RAT. Other projects are still under development or being rewritten.

Some may ask: why develop multiple RATs? What are the differences? Looking back at 2016, when The Shadow Brokers leaked numerous tools allegedly associated with the National Security Agency [1], one important lesson became clear: advanced threat groups often develop multiple implants and remote access tools tailored to different operational stages and objectives.

During my own development process, I began recalling the older RATs I had downloaded but never truly understood. Recently, as I have been studying reverse engineering and malware analysis more systematically, I realized this presents an excellent opportunity to revisit those historical tools: not to use them, but to analyze and understand their architecture.

Cybersecurity has gradually become more complex. The number of domains, tools, and technologies continues to grow, while learning resources can feel fragmented. The gap between beginners and experienced professionals seems wider than ever. This is one of the reasons I started publishing technical articles on my blog. While blogging may feel somewhat old-school, I prefer structured, long-form documentation of knowledge.

In this series, I will analyze different generations of remote access tools, from early legacy trojans to more modern modular RATs, focusing on architecture, communication protocols, and design evolution from a reverse engineering perspective.

Articles

The table below lists all articles in this series analyzing various remote access tools.
It will be updated continuously as new research is published.

References

[1] https://en.wikipedia.org/wiki/The_Shadow_Brokers

THANKS FOR READING