Detecting RitB (RAT-in-the-Browser),
Dyre and Dridex
with Behavioral Biometrics
Dyre
Dyre is considered the most devious attack hitting the financial sector. It has a nefarious combination of man-in-the-middle capabilities the likes of which the industry has never seen, and Remote Access (RAT) functionality that lets the Dyre operators sneak into the victim computer and operate it remotely.
Dridex
Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.
Source: webopedia.com
Neverquest
Neverquest, also known as Vawtrak, is a banking trojan that targets major Canadian financial institutions by launching man-in-the-middle attacks that steal victims’ credentials during online banking sessions.
RitB (RAT-in-the-Browser) is a third-generation Trojan attack in which the attacker uses a Remote Administration Tool (RAT) based on standard remote access protocols to fully control the victim’s PC from afar. RitB capability comes with many advanced Trojans. With RitB, the fraudster opens a browser from within the legitimate user device, and conducts an end-to-end session including a fraudulent money transfer. Traditional detection tools such as device/location risk analysis or malware detection won’t find anything unusual.
RitB allows the attacker to gain full control of the user device, open a browser, log in with credentials stolen in prior sessions, and then just do whatever they please inside the account. Since the activity comes from the real user device, device and location analysis is effectively neutralized; the same applies to any device-based defense such as USB connected tokens, PKI and proxy piercing technologies.
How does RitB work?
RATs fool device recognition (often the basis of Adaptive Authentication solutions) since the device originating the login and money transfer is the real user device. The bank sees 100% genuine user device certificates, no traces of a proxy, no JS code injections, no automated code, and of course the same IP and geo-location. This is as close as it comes to a full ‘cloaking device’.
BioCatch RAT Detection
BioCatch analyzes hundreds of user interaction parameters. By analyzing many cognitive-behavioral factors, our patented technology builds a specific model that separates users who directly control their device from users who remotely control the device over the Internet.
All remotely controlled interactions have subtle differences when compared to regular access, where the user operates the computer directly; our system can spot these differences. This analysis does not require profiling of the regular user behaviour, but tracking which users often access remotely (as a legitimate course of action) will reduce false positives.
In all attacks detected by BioCatch, RitB was always used in combination with other malware capabilities such as keylogging or MitB.
BioCatch's ability to detect RATs was confirmed by MRG Effitas, a UK-based, independent IT security research organization.