Computerworld

AFP plays RAT catcher: Investigates malware distribution

Australian Federal Police execute search warrant at Victorian property

The Australian Federal Police has revealed it today searched a property in Lara, a town north of Geelong, as part of an international malware investigation.

A statement released by the AFP on the operation was short on detail but said the action was part of an international investigation coordinated with Royal Canadian Mounted Police (RCMP), the Canadian Radio–television and Telecommunications Commission (CRTC) and the FBI.

The investigation, which is ongoing, targets “criminal networks involved in the use and distribution of malicious software” — in particular Remote Access Trojans (RATs).

“This operation shows we have global reach, strong international partnerships and commitment to stamping out this type of cybercrime,” AFP Acting Commander Chris Goldsmid, manager of cyber operations, said in a statement.

“It’s also a reminder for all Australians to practice good cyber hygiene. We would like to remind the public of the importance of keeping their software updated. Vulnerabilities in old or unprotected software are often the target for criminals who wish to gain control over your system.”

The criminal use of malware is an offence under the Commonwealth Criminal Code Act 1995, the AFP said, with “unauthorised modification of data to cause impairment” leading to a potential 10-year jail term.

As part of the international operation the CRTC and the RCMP National Division each executed a warrant at a home in the Greater Toronto Area.

The CRTC executed a warrant under Canada's Anti-Spam Legislation, while the RCMP National Division executed a search warrant under Canada's Criminal Code.

According to the CRTC, tips from “international private cyber security firms” triggered the investigation.

“The CRTC does not comment on active investigations, nor does it name the individuals or companies under investigation,” a statement from the CRTC said. “Further information will be communicated when the investigation is concluded.”

“As a result of collaborative efforts with its domestic and international law enforcement partners, we can confirm that a warrant was executed,” an RCMP spokesperson told Computerworld. “RCMP National Division continues to work with its partners on this matter. No further comments will be made at this time, since we are currently investigating the matter.”

RATs have been implicated in a number of high-profile attacks against Australian organisations.

A 2015 compromise of Bureau of Meteorology systems involved the use of a RAT, with the Australian Cyber Security Centre (ACSC) revealing that a variety of malware “popular with state-sponsored cyber adversaries” was found on a BoM system.

Earlier this year the ACSC published details of an investigation into the compromise of at least eight Australian web hosting providers.

The report of the investigation, conducted in May 2018, revealed the use of the ‘Gh0st’ RAT. The compromised servers were used for search-engine optimisation (through hidden links to external websites) and mining cryptocurrencies. In some cases, browsers would be redirected away from legitimate websites to ad-heavy sites.

“The access was exclusively used to conduct criminal activity on the network and customer websites, using the reputation of these legitimate sites to add validity to their activities,” the head of the ACSC, Alastair MacGibbon, said in a statement released in January.

“Australia is the first country to identify and engage with victims about this activity. While the methods used are not new or sophisticated the use of them in the manner described in this report, and the victims they target, make this a significant achievement.”

Last year the ACSC also highlighted the use of RATs in a report outlining countermeasures for some of the most common threats faced by enterprises and governments.

That report was produced in collaboration with the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC).