Full Report
The paper provides an analysis of the prevalence of remote administration tools on OT networks and the threats associated with their use.
Analysis Summary
The following summarizes the prevalence and risks of Remote Administration Tools (RATs) within Industrial Control Systems (ICS) and Operational Technology (OT) environments.
# Tool/Technique: Remote Administration Tools (RATs) in ICS
## Overview
This entry covers the broad category of both legitimate Remote Desktop Software and malicious Remote Access Trojans found on OT networks. While often installed by internal staff for maintenance or by vendors for remote support, these tools are frequently subverted by threat actors to bypass perimeter security, maintain persistence, and execute manual "living off the land" attacks within critical infrastructure.
## Technical Details
- **Type:** Malware family (Malicious RATs) | Tool (Legitimate Admin Software)
- **Platform:** Windows (Primary), Linux, macOS, Android.
- **Capabilities:** Remote screen control, file transfer, shell access, keylogging, and system monitoring.
- **First Seen:** In continuous use; attention to their abuse in ICS environments intensified after 2015 (the BlackEnergy/Industroyer era).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1133 - External Remote Services
  - T1566 - Phishing
- **TA0003 - Persistence**
  - T1133 - External Remote Services
  - T1543 - Create or Modify System Process
- **TA0005 - Defense Evasion**
  - T1218 - System Binary Proxy Execution
  - T1070 - Indicator Removal on Host
- **TA0011 - Command and Control**
  - T1219 - Remote Access Software
  - T1571 - Non-Standard Port
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1056 - Input Capture
## Functionality
### Core Capabilities
- **Desktop Mirroring:** Real-time viewing and interaction with the HMI (Human Machine Interface) or engineering workstation.
- **File Management:** Uploading scripts/malware and downloading sensitive configuration files or database exports.
- **Terminal Access:** Direct command-line interaction with the host operating system.
### Advanced Features
- **Bypass of Firewalls:** Many modern remote-access tools (e.g., TeamViewer, AnyDesk) use outbound HTTPS/443 connections to vendor relay servers, so they pass through firewalls that only restrict inbound connections.
- **Permission Elevation:** Integration with local Windows services to run with SYSTEM privileges.
- **Unattended Access:** Configuring the tool to start with the OS without requiring a user to accept the connection.
## Indicators of Compromise
### File Names (Legitimate but Risky)
- `TeamViewer.exe`
- `AnyDesk.exe`
- `WinVNC.exe`
- `Radmin.exe`
- `Ammyy Admin` (often bundled with malware)
### Network Indicators
- Connections to `*.teamviewer[.]com`
- Connections to `*.anydesk[.]com`
- Connectivity to known relay IP addresses for LogMeIn or GoToMyPC.
- Traffic on Port 5900 (VNC), 3389 (RDP), or 5631 (pcAnywhere).
### Behavioral Indicators
- Sudden spikes in outbound encrypted traffic from an Engineering Workstation to an external IP.
- Unusual login times (e.g., 2:00 AM) for administrative accounts.
- Use of "portable" versions of remote software that do not require formal installation.
## Associated Threat Actors
- **Sandworm Team** (BlackEnergy/ICS targeting)
- **Dragonfly / Energetic Bear** (Targeting energy sectors)
- **APT33** (Targeting aviation and energy)
- **Lazarus Group**
## Detection Methods
- **Signature-based detection:** Identifying known hashes of cracked RAT versions or specific malware strains (e.g., Remcos, NjRAT).
- **Behavioral detection:** Monitoring for the installation of new Windows Services or changes to the Startup registry keys.
- **Network Traffic Analysis (NTA):** Identifying unauthorized use of RDP, VNC, or TeamViewer protocols within the ICS DMZ or Control Zone.
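As an added example (not part of the original report), the following Python triage combines the behavioral and network detection methods above over constructed telemetry: zone-originated flows to relay domains or remote-access ports, and process-start or Event ID 7045 service-install events for the risky binaries listed in the IoC section. The control-zone range `10.10.0.0/16`, the host name `EWS-01`, and the sanctioned install roots are assumptions made for the example.

```python
import ipaddress
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Indicators from the IoC section; zone range and install roots are constructed assumptions.
CONTROL_ZONE = ipaddress.ip_network("10.10.0.0/16")
RISKY_BINARIES = {"teamviewer.exe", "anydesk.exe", "winvnc.exe", "radmin.exe"}
RELAY_DOMAINS = ("*.teamviewer.com", "*.anydesk.com")
REMOTE_PORTS = {5900: "VNC", 3389: "RDP", 5631: "pcAnywhere"}
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

def in_zone(ip: str) -> bool:
    return ipaddress.ip_address(ip) in CONTROL_ZONE

def check_flow(flow: dict) -> list[str]:
    """Zone-originated flow: relay-domain contact (T1219) or remote-access ports (T1133)."""
    if not in_zone(flow["src"]):
        return []
    alerts, host = [], flow.get("dst_host", "")
    if any(fnmatch(host, pat) for pat in RELAY_DOMAINS):
        alerts.append(f"T1219 relay contact {flow['src']} -> {host}")
    if proto := REMOTE_PORTS.get(flow["dst_port"]):
        scope = "inside zone" if in_zone(flow["dst"]) else "leaving zone"
        alerts.append(f"T1133 {proto} {scope} {flow['src']} -> {flow['dst']}:{flow['dst_port']}")
    return alerts

def check_process(evt: dict) -> list[str]:
    """Process start or Event ID 7045 service install of a known remote-admin binary."""
    path = PureWindowsPath(evt["image"])
    if path.name.lower() not in RISKY_BINARIES:
        return []
    tag = "T1543 service install" if evt.get("event_id") == 7045 else "T1219 process start"
    portable = "" if str(path).lower().startswith(INSTALL_ROOTS) else " (portable, outside Program Files)"
    return [f"{tag} {evt['host']}: {path}{portable}"]

def triage(events: list[dict]) -> list[str]:
    alerts = []
    for evt in events:
        alerts += check_flow(evt) if evt["kind"] == "flow" else check_process(evt)
    return alerts

# Constructed sample telemetry for one engineering workstation (EWS-01, 10.10.5.20).
SAMPLE = [
    {"kind": "flow", "src": "10.10.5.20", "dst": "203.0.113.7", "dst_port": 443, "dst_host": "router1.teamviewer.com"},
    {"kind": "flow", "src": "10.10.5.20", "dst": "198.51.100.9", "dst_port": 3389},
    {"kind": "flow", "src": "10.10.5.20", "dst": "10.10.5.30", "dst_port": 5900},
    {"kind": "flow", "src": "192.0.2.44", "dst": "10.10.5.20", "dst_port": 3389},
    {"kind": "process", "host": "EWS-01", "event_id": 7045, "image": "C:\\Users\\ops\\Downloads\\AnyDesk.exe"},
    {"kind": "process", "host": "EWS-01", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},
]
```

Calling `triage(SAMPLE)` yields five alerts; the inbound flow from 192.0.2.44 produces none because the rules only fire on traffic originating inside the control zone.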
## Mitigation Strategies
- **Network Segmentation:** Ensure ICS networks are "air-gapped" or separated by strictly configured industrial firewalls.
- **Multi-Factor Authentication (MFA):** Mandatory MFA for any remote access gateway.
- **Application Whitelisting:** Use tools like AppLocker to prevent the execution of unauthorized remote desktop binaries.
- **"On-Demand" Remote Access:** If remote support is required, it should be enabled only for a specific window of time and disabled immediately after.
## Related Tools/Techniques
- **VNC (Virtual Network Computing):** Often used in ICS due to cross-platform compatibility.
- **RDP (Remote Desktop Protocol):** The most common target for credential stuffing and brute force.
- **Living off the Land (LotL):** Using built-in Windows tools (PowerShell, WMI) to perform remote administration tasks without installing third-party software.