Schrödinger’s RAT: Profiling the Stakeholders in the Remote Access Trojan Ecosystem


Mohammad Rezaeirad, George Mason University; Brown Farinholt, University of California, San Diego; Hitesh Dharmdasani, Informant Networks; Paul Pearce, University of California, Berkeley; Kirill Levchenko, University of California, San Diego; Damon McCoy, New York University


Remote Access Trojans (RATs) are a class of malware that give an attacker direct, interactive access to a victim’s personal computer, allowing the attacker to steal private data stored on the machine, spy on the victim in real-time using the camera and microphone, and interact directly with the victim via a dialog box. RATs have been used for surveillance, information theft, and extortion of victims.

In this work, we report on the attackers and victims for two popular RATs, njRAT and DarkComet. Using the malware repository VirusTotal, we find all instances of these RATs and identify the domain names of the controllers. We then register those domains that have expired and direct them to our measurement infrastructure, allowing us to determine the victims of these campaigns. We investigated several techniques for excluding network scanners and sandbox executions of the malware sample in order to exclude apparent infections that are not real victims of the campaign. Our results show that over 99% of the 828,137 IP addresses that connected to our sinkhole are likely not real victims. We report on the number of victims, how long RAT campaigns remain active, and the geographic relationship between victims and attackers.


@inproceedings {217557,
author = {Mohammad Rezaeirad and Brown Farinholt and Hitesh Dharmdasani and Paul Pearce and Kirill Levchenko and Damon McCoy},
title = {{Schr{\"o}dinger{\textquoteright}s} {RAT}: Profiling the Stakeholders in the Remote Access Trojan Ecosystem},
booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1043--1060},
url = {},
publisher = {USENIX Association},
month = aug
}
