RAT Detection in the Time of Coronavirus: Trends We’re Seeing

Mar. 24, 2020 | by Uri Rivner

As the Coronavirus outbreak spreads globally, users are changing their digital behaviors. BioCatch protects a large number of online users with behavioral biometrics, and the data behind that protection shows some interesting trends across many geographies. One emerging trend, not surprisingly, is an increase in the use of Remote Access.

Behavioral biometrics supports RAT detection by analyzing hand-eye coordination patterns. When you operate a device remotely, every mouse movement travels over the network before it shows up on the controlled screen, so the pointer tends to sit still and then jump, and the coordination between hand and eye looks skewed and “edgy.” If you’ve ever been assisted by a helpdesk that took over your PC and watched the mouse cursor jump across your screen in response to the remote support team, you know what this means.
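To make the “jumping cursor” effect concrete, here is an added example (not BioCatch code, and not the model the article describes) that scores a pointer trace by how often the cursor teleports between consecutive position reports. It assumes positions are captured as `(t_ms, x, y)` reports, one per position change; the 40 px jump size, the 30% ratio and the two traces are constructed for illustration.

```python
"""Added example (not BioCatch code): a simple heuristic for the "jumping
cursor" effect of a remote-controlled session.

Assumptions: pointer positions are captured as (t_ms, x, y) reports, one
report per position change; the thresholds below are illustrative.
"""
import math
import statistics
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[int, int, int]  # (t_ms, x, y): one pointer position report


def step_distances(samples: Sequence[Sample]) -> List[float]:
    """Pixel distance between consecutive reports, skipping idle (zero) steps."""
    dists = []
    for (_, x1, y1), (_, x2, y2) in zip(samples, samples[1:]):
        d = math.hypot(x2 - x1, y2 - y1)
        if d > 0:
            dists.append(d)
    return dists


def features(samples: Sequence[Sample], jump_px: float = 40.0) -> Dict[str, float]:
    """Summarize a trace: how often the cursor 'teleports' and how big a typical step is.

    A local user reporting every 10 ms rarely covers 40 px in one step; a laggy
    remote session does it on almost every step, because the controlled machine
    only learns about movement when the next batch of input arrives.
    """
    steps = step_distances(samples)
    if not steps:
        return {"moves": 0, "jump_ratio": 0.0, "median_step": 0.0}
    return {
        "moves": len(steps),
        "jump_ratio": sum(1 for d in steps if d > jump_px) / len(steps),
        "median_step": statistics.median(steps),
    }


def looks_remote(samples: Sequence[Sample], jump_px: float = 40.0,
                 ratio_threshold: float = 0.3, min_moves: int = 8) -> bool:
    """Flag a trace as remote-looking once enough movement has been seen.

    min_moves guards against deciding on a handful of samples; ratio_threshold
    leaves room for the occasional fast flick a local user makes.
    """
    f = features(samples, jump_px)
    return f["moves"] >= min_moves and f["jump_ratio"] >= ratio_threshold


# --- constructed traces (not captured data) -----------------------------------

def local_trace() -> List[Sample]:
    """Smooth diagonal drag: 5 px every 10 ms, plus a 45 px flick every 20th step."""
    out, x, y = [(0, 100, 100)], 100, 100
    for i in range(1, 100):
        if i % 20 == 0:
            x, y = x + 27, y + 36   # hypot(27, 36) == 45 px
        else:
            x, y = x + 4, y + 3     # hypot(4, 3) == 5 px
        out.append((10 * i, x, y))
    return out


def remote_trace() -> List[Sample]:
    """Same kind of drag, but the pointer only updates every 100 ms as batched
    input arrives: each report is 50 px from the previous one."""
    return [(100 * k, 100 + 40 * k, 100 + 30 * k) for k in range(12)]


if __name__ == "__main__":
    for name, trace in (("local", local_trace()), ("remote", remote_trace())):
        print(name, features(trace), "remote-looking:", looks_remote(trace))
```

A single feature like this is a lead, not a verdict: touchpads, accessibility tools, high-DPI scaling and simple network hiccups on a local browser session can all produce jumpy traces, which is why a production system fuses many behavioral signals and why the article treats first-time remote access as something to interpret rather than block.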

Criminals consider RATs (Remote Access Tools) the perfect cloaking device: a RAT lets them operate from within the user’s trusted device, so the session comes from the user’s own network and regular location, and it avoids detection by anti-malware tools. Fortunately, BioCatch can help financial institutions distinguish between their legitimate customers and criminals at work.

Detecting RATs: Genuine User or Cybercriminal?

Behavioral Biometrics analyzes human interactions with devices and applications and generates insights into digital journeys. It can spot an anomalous behavior that doesn’t match the account’s historic patterns: for example, a user who normally drags the scroll bar is now navigating with the mouse wheel. It can also highlight criminal or suspicious patterns, such as a lack of familiarity with personal data or signs of being socially engineered. Behavioral Biometrics is also very good at identifying threats such as bots or remote access attacks.

If we notice Remote Access in use, and especially if we see it for the first time in an account, it can be one of three things:

  • The user’s device was infected with RAT malware. On a PC, these would be Trojans such as Trickbot or Dridex; on mobile phones these would typically be rogue applications that find their way onto the device.
  • The user was socially engineered into installing TeamViewer, LogMeIn or a similar “remote support” tool so that some sort of “helpdesk” could take over the device. There are many such scams and they’re typically quite effective.
  • Or, it can simply be legitimate remote access: the user chooses to reach their regular device remotely for some reason, for example when they are working from home but access to their bank account must be done from the office computer due to security policies.

Current Global Trends

The BioCatch data science team has been tracking the use of remote access since the COVID-19 outbreak started, and found some clear trends.

Spain

Over the last ten days, Spain has seen a dramatic increase in the number of Coronavirus infections and, unfortunately, deaths. Since March 10th, the case count has followed a steep exponential curve, as seen in the chart below sourced from Worldometers.info:

[Chart: reported Coronavirus cases in Spain (source: Worldometers.info)]

As a result, emergency measures directing the population to practice social distancing and avoid all non-essential outings have taken effect.

The following chart shows the level of first-time Remote Access in the online banking application of one of the top banks in Spain:

[Chart: first-time Remote Access in the online banking application of one of the top banks in Spain]

Social distancing has an immediate effect on digital user behavior. Many people who normally access their online banking account from a secure computer, say one located at their office, can’t do so anymore. They have to find another way to operate, and it looks like they’re now using Remote Access. A dramatic threefold increase in first-time remote access has been observed over the last few days, and since most of it is not accompanied by any criminal-looking behaviors, this looks like a genuine shift in user behavior rather than a massive fraud campaign. Many people in Spain are simply using remote access for the first time.
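The metric behind this chart, and the reasoning that separates a behavior shift from a fraud campaign, can be written down. The following added example (not BioCatch code) counts, for each account, the first session in which remote access is observed, tallies those first-time events per day, and splits them by whether the session also carried criminal-looking behavioral signals of the kind listed earlier (lack of familiarity with personal data, signs of social engineering). It assumes an upstream detector has already produced a remote-access flag and a set of signal names per session; the session records, account ids and signal names are constructed for illustration.

```python
"""Added example (not BioCatch code): the "first-time remote access" metric,
split by whether the session also carried criminal-looking behavioral signals.

Assumptions: sessions arrive as records with an account id, a date, a
remote-access flag and a set of behavioral signal names produced upstream
(the detectors themselves are out of scope here); the records and signal
names below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Set

# Constructed labels for the criminal-looking patterns the article mentions.
SUSPICIOUS_SIGNALS = {"unfamiliar_with_personal_data", "socially_engineered"}


@dataclass
class Session:
    account: str
    day: date
    remote_access: bool
    signals: Set[str] = field(default_factory=set)

    def is_suspicious(self) -> bool:
        return bool(self.signals & SUSPICIOUS_SIGNALS)


def first_time_remote(sessions: Iterable[Session],
                      history: Iterable[str] = ()) -> List[Session]:
    """Return the first remote-access session of every account that had none before.

    `history` holds accounts already known to use remote access before this
    window, so a long-standing remote user in the sample is not counted.
    """
    seen: Set[str] = set(history)
    firsts: List[Session] = []
    for s in sorted(sessions, key=lambda s: s.day):  # stable sort keeps input order within a day
        if s.remote_access and s.account not in seen:
            seen.add(s.account)
            firsts.append(s)
    return firsts


def daily_breakdown(firsts: Iterable[Session]) -> Dict[date, Dict[str, int]]:
    """Count first-time remote-access sessions per day, clean vs. suspicious."""
    per_day: Dict[date, Dict[str, int]] = defaultdict(lambda: {"clean": 0, "suspicious": 0})
    for s in firsts:
        per_day[s.day]["suspicious" if s.is_suspicious() else "clean"] += 1
    return dict(per_day)


def suspicious_share(firsts: List[Session]) -> float:
    """Share of first-time remote access that looks criminal. A spike with a
    low share reads as a behavior shift; a high share reads as a campaign."""
    if not firsts:
        return 0.0
    return sum(1 for s in firsts if s.is_suspicious()) / len(firsts)


# --- constructed sample log (not real bank data) ------------------------------
D = date
SESSIONS = [
    Session("acc-001", D(2020, 3, 9), False),
    Session("acc-002", D(2020, 3, 9), True),
    Session("acc-003", D(2020, 3, 10), True),                  # known remote user, see HISTORY
    Session("acc-001", D(2020, 3, 11), True),
    Session("acc-004", D(2020, 3, 11), True, {"unfamiliar_with_personal_data"}),
    Session("acc-005", D(2020, 3, 12), True),
    Session("acc-006", D(2020, 3, 12), True),
    Session("acc-002", D(2020, 3, 12), True),                  # second remote session, not first-time
    Session("acc-007", D(2020, 3, 13), True, {"socially_engineered"}),
    Session("acc-008", D(2020, 3, 13), True),
    Session("acc-009", D(2020, 3, 13), True),
]
HISTORY = {"acc-003"}


def report(sessions=SESSIONS, history=HISTORY):
    """Daily clean/suspicious counts plus the overall suspicious share."""
    firsts = first_time_remote(sessions, history)
    return daily_breakdown(firsts), suspicious_share(firsts)


if __name__ == "__main__":
    breakdown, share = report()
    for day in sorted(breakdown):
        print(day, breakdown[day])
    print(f"suspicious share of first-time remote access: {share:.0%}")
```

The important design choice is the `history` set: without it, the first day of any new deployment counts every existing remote user as a “first-timer,” and a daily chart drawn from that would show a spurious spike. The clean-versus-suspicious split is what turns a raw count into the argument made above: a rising count with a steady, low suspicious share is people changing habits, not a campaign.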

Canada

The next chart shows a similar trend in Quebec, one of Canada’s largest provinces. Users of one of the main regional banks have started accessing their accounts via Remote Access:

[Chart: first-time Remote Access in the online banking application of a regional bank in Quebec]

The number of first-time remote access cases (where remote access is observed for the first time in the account) spiked on March 12th, when Quebec’s premier announced that the province would take more stringent measures to control the spread of the pandemic, including a ban on indoor gatherings of more than 250 people. The next day, a large number of precautionary measures began to emerge, including the cancellation of Montreal’s St. Patrick's Day parade, something that had never happened in its 196-year history. The mayor of Montreal announced the closure of public facilities such as libraries, sports facilities and swimming pools. People started practicing more aggressive social distancing, and this resulted in a heightened level of Remote Access into digital banking applications that are normally accessed directly.

United Kingdom

One country that took a different path in responding to the crisis is the United Kingdom. Looking at the number of reported Coronavirus infections (source: worldometers.info), the curve is as exponential as it gets:

[Chart: reported Coronavirus cases in the United Kingdom (source: worldometers.info)]

The UK government’s response to the global outbreak, however, was extremely measured. Restrictions on travel and public gatherings were few and far between, and the country has not yet seen the kind of lockdown that pushed other countries to shift to remote work. Following the government’s advice, the British keep calm, carry on, and are far less troubled by social distancing.

Consider the following chart, showing the level of remote access in one of the top 5 UK banks:

[Chart: first-time Remote Access in the online banking application of one of the top 5 UK banks]

As the chart shows, things are close to “business as usual.” There is an increase in first-time remote access over the last few weeks, but it’s linear rather than exponential, and not nearly as sharp as in other geographies. It looks nothing like the chart of reported Covid-19 cases.

To summarize: using behavioral biometrics, it’s possible to monitor emerging patterns in both criminal and genuine digital user behavior. And it looks like in the age of Coronavirus, more and more people are moving to remote access.

So – stay safe, stick to the same battle tested measures our ancestors used for centuries during plague and virus outbreaks, and keep banking online securely!

Download our white paper to learn more about the BioCatch approach to remote access tool detection, including RAT malware detection.
