Methods for Reducing Threat Intelligence Pollution: an Empirical Study on Remote Access Trojan Ecosystem






The Internet is an essential part of most people's lives, which increases their risk of being exposed to cyber attacks. Spam calls and phishing emails are instances of large-scale cyber attacks that are typically automated and highly prevalent. However, the rate of interpersonal attacks is also increasing, and these attacks have the potential to cause deeper harm to people's lives. One type of malicious software used in interpersonal cyber attacks is the Remote Access Trojan (RAT). RAT attacks can lead to real-world harm such as the non-consensual capture of images or the leaking of sensitive private personal data. Repressive governments have also used RAT software to monitor political dissidents. These negative impacts on people's lives motivate an increased focus on finding useful strategies to mitigate the effects of RAT attacks. The current approach to mitigating RATs is either to locate and notify victims to help them remove the infection, or to locate and take down the attacker's infrastructure or arrest the attacker. The problem is that many of the potential attackers and victims discovered using existing threat intelligence are fake. We refer to this phenomenon as intelligence pollution. The prevalence of intelligence pollution wastes effort when attempting to notify victims or take down attackers, making these methods less efficient. To address this wasted effort, this research investigated methods for detecting and removing intelligence pollution in the context of the RAT ecosystem. More specifically, this work developed deception and analytic technologies to differentiate real attackers and victims from their fake counterparts. This dissertation is composed of three studies focusing on detecting, removing, and measuring intelligence pollution in the RAT ecosystem.
In the first study, we found that 98% of assumed victims were fake and only 2% were verified as real victims, meaning that 98% of notification effort was wasted due to intelligence pollution. In the second study, we investigated RAT operator behaviors, their course of action, and the aftermath of intrusions by RAT operators, and we developed a framework to decode operator behavior from RAT network traffic. In the third study, we developed an ethical methodology for active data collection from the RAT operators' infrastructure. With this method we improved the initial results of the first study by 50%, meaning that we could eventually discover more fake victims and detect duplicate and fake attackers. Our work ultimately resulted in a clearer picture of the RAT ecosystem by identifying fake attackers and victim pollution. We found that nearly 99% of apparent victims were actually fake, which presents the opportunity to make more efficient and effective use of existing RAT mitigation approaches, thus reducing the damaging effects of RATs both on individuals and on our larger digital society.