FF-RAT

What is FF-RAT?

FF-RAT is a proxy-aware RAT that has been in use for more than 7 years. FF-RAT gives attackers complete control of infected systems. The malware uses many different methods to avoid detection and maintain persistence. [1]

Aliases

No known aliases.

Associated Individuals

Not explicitly known, but C2 infrastructure has been located in Hong Kong.

Notable Attacks

  • (April and June 2015) United States Office of Personnel Management (OPM)

Tactics

FF-RAT is a backdoor dropper. The RAT raises exceptions to make dynamic code analysis difficult. FF-RAT has a modified entry point that allows it to be injected into running processes. It can gather information about the OS and modify the memory of running processes. The malware searches for common anti-virus programs, either avoiding them or terminating them.

Cylance notes that FF-RAT behaves "like a debugger, which can stop processes and change the way it operates." The dropper places a copy of the RAT (a DLL) in the System32 directory, creates a service, and deletes itself.

The malware used three C2 sites located in Hong Kong, though no communication is initiated unless the attackers wish to modify the malware's behavior or deploy new code. [2]

  • rp.gamepoer7(dot)com
  • dns1-1.verifysign(dot)org
  • login.gamepoer7(dot)com
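Because FF-RAT is proxy-aware, a host that beacons through an HTTP proxy may never resolve the C2 names itself, so a defender should check proxy CONNECT/GET records as well as DNS queries. The following is an added example (not code from the Cylance write-ups or the Gambitsec profile) that refangs the three C2 hostnames listed above and matches them against constructed sample log lines in an assumed `key=value` format; the log layout, host names and timestamps are all made up for illustration.

```python
import re
from typing import Dict, List

# The three C2 hostnames exactly as the profile lists them, in "(dot)" defanged form.
FF_RAT_C2_DEFANGED = (
    "rp.gamepoer7(dot)com",
    "dns1-1.verifysign(dot)org",
    "login.gamepoer7(dot)com",
)

def refang(indicator: str) -> str:
    """Turn report-style '(dot)' notation back into a case-folded hostname."""
    return indicator.replace("(dot)", ".").strip().lower()

FF_RAT_C2 = frozenset(refang(d) for d in FF_RAT_C2_DEFANGED)

# Assumed log format: space-separated key=value pairs, one record per line.
KV_RE = re.compile(r"(\w+)=(\S+)")

def host_from(value: str) -> str:
    """Normalise a DNS query or proxy destination: drop scheme, path, :port and trailing dot.
    (IPv6 literals are not handled; the indicators here are hostnames.)"""
    host = value.lower().split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0].rstrip(".")

def find_c2_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose DNS query or proxy destination is an
    exact FF-RAT C2 host. Both record types are checked because of proxy awareness."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        candidate = fields.get("query") or fields.get("dest")
        if candidate and host_from(candidate) in FF_RAT_C2:
            hits.append({"ts": fields.get("ts", ""), "host": fields.get("host", ""),
                         "c2": host_from(candidate), "via": fields.get("type", "")})
    return hits

# Constructed sample log: one benign query, two proxy hits, one DNS hit, one near-miss.
SAMPLE_LOG = """\
ts=2015-04-02T10:15:01Z type=dns host=ws-17 query=update.example.com
ts=2015-04-02T10:15:09Z type=proxy host=ws-17 dest=login.gamepoer7.com:443 method=CONNECT
ts=2015-04-02T10:16:00Z type=dns host=ws-22 query=DNS1-1.verifysign.org.
ts=2015-04-02T10:16:30Z type=proxy host=ws-22 dest=http://rp.gamepoer7.com/ method=GET
ts=2015-04-02T10:17:00Z type=dns host=ws-31 query=gamepoer7.com
"""

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} -> {hit['c2']} (via {hit['via']})")
```

The last sample line shows that matching is exact: the bare registered domain is not flagged, so an analyst who wants to widen coverage to sibling hostnames must do so deliberately.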

Targets

  • United States Office of Personnel Management (OPM)
  • Government
  • Aerospace
  • Gaming
  • Information Technology
  • Telecommunications

References

[1] - https://threatvector.cylance.com/en_us/home/cylance-vs-ff-rat-malware.html

[2] - https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html

[3] - https://www.alienvault.com/blogs/security-essentials/ff-rat-uses-stealth-tactics-to-evade-endpoint-detection

[4] - https://www.recordedfuture.com/redalpha-cyber-campaigns/
