Title: Evaluation of a Brute Forcing Tool that Extracts the RAT from a Malicious Document File
Authors: M. Mimura, Yuhei Otsubo, Hidehiko Tanaka
DOI: 10.1109/AsiaJCIS.2016.17 (https://doi.org/10.1109/AsiaJCIS.2016.17)
Published in: 2016 11th Asia Joint Conference on Information Security (AsiaJCIS)
Publication date: 2016-08-01
Open access: no
Citations: 15
Abstract
APT (Advanced Persistent Threat) attacks that cause unauthorized transfer of sensitive information out of the targeted organization are serious threats. The attackers in APT attacks use RATs (Remote Access Trojans, also called Remote Administration Tools) to take control of the victim's computer. The attackers in APT attacks occasionally use malicious document files to camouflage themselves. If a RAT is embedded into a malicious document file, it is more difficult to detect and to analyze its function. Analyzing malicious document files attached to spear-phishing e-mails requires extracting the RAT. However, if we do not know the conditions under which the exploit code runs normally, it is difficult to extract the RAT by dynamic analysis. Therefore, we developed a brute forcing tool which decodes the obfuscation and extracts the RAT from a malicious document file. This tool was developed based on the malicious document files which were used between 2009 and 2012 in APT attacks, and it indicated how a RAT is embedded in a malicious document file. However, whether our method can extract or detect recent RATs used in APT attacks is uncertain. In this paper, we investigate recent malicious document files which were used between 2013 and 2015 in APT attacks, and reveal the recent trend of the encoding methods with this tool. Moreover, we compare the success rates with those of other detection methods, such as antivirus programs with the latest virus definitions. Even if a malicious document file which contains executable files does not perform malicious activities in dynamic analysis, this tool extracts the executable files automatically without executing the malicious document file. In addition, this tool hardly gives false positives. We can use this tool to detect unknown malicious document files in dynamic analysis or at mail gateways.