Abaddon Remote Access Trojan
Abaddon is a newly seen RAT and ransomware tool sold directly to potential attackers. Despite being in active development it has already proven reasonably popular.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Abaddon is a newly observed remote access trojan (RAT) sold through hacking forums.
It appears to be in active development, as several features are not fully functional. Unusually, it also uses a popular VoIP and instant messaging platform for its command and control infrastructure.
Delivery
At the time of publication, it is unclear how Abaddon is delivered, although there are unconfirmed reports indicating it may be distributed disguised as legitimate applications hosted on third-party software sites.
Activities
Once delivered, Abaddon will attempt to collect the following data:
- file directory lists
- system information
- saved payment credentials
- multi-factor authentication information
It will then connect to a hard-coded URL corresponding to a Discord chat server, which is used to pass commands from its operators. By default, Abaddon is able to:
- download and upload files or directories
- enumerate connected drives
- open a reverse web-shell
- send collected information.
Abaddon can also deploy an integrated ransomware package to affected devices, although this functionality appears to be incomplete, as the package fails to execute.
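Because the command channel is a hard-coded URL on a legitimate, widely permitted service, a network allow-list will not block it; the practical hunt is to look for processes that contact Discord but have no business doing so, and to look for the hard-coded URL itself in a dropped binary. The following is an added example written for this page, not code from the advisory or from the malware; the log format, the host names, the list of "expected" Discord-using processes and the sample file bytes are all constructed assumptions, and the advisory does not state that the URL is a Discord webhook, so the regex for the standard public webhook URL shape is a further assumption.

```python
"""Hunt for Discord-based command and control in endpoint telemetry and in a binary.

Two checks:
  1. network: outbound connections to Discord hosts from processes that have no
     business talking to Discord;
  2. static: hard-coded Discord webhook URLs in a dropped file's raw bytes.
"""
import re
from typing import List, NamedTuple

# Public hostnames used by the Discord client, API and CDN (assumption: extend as needed).
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

# Processes expected to contact Discord on a managed endpoint. Assumption for this example;
# tune to the estate (if Discord is not permitted at all, make this set empty).
EXPECTED_PROCESSES = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Assumed shape of a Discord webhook URL: /api/webhooks/<numeric id>/<token>.
WEBHOOK_RE = re.compile(rb"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")


class Event(NamedTuple):
    ts: str
    host: str
    process: str
    dest: str


def is_discord_host(hostname: str) -> bool:
    """True if hostname is a Discord domain or a subdomain of one (suffix is label-anchored)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in DISCORD_DOMAINS)


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp|host|process|destination' lines; skip blank or malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        events.append(Event(*parts))
    return events


def suspicious_discord_connections(text: str) -> List[Event]:
    """Connections to Discord from processes outside the expected set."""
    return [e for e in parse_log(text)
            if is_discord_host(e.dest) and e.process.lower() not in EXPECTED_PROCESSES]


def find_webhook_urls(blob: bytes) -> List[str]:
    """Return unique hard-coded Discord webhook URLs found in a file's raw bytes."""
    seen = []
    for m in WEBHOOK_RE.finditer(blob):
        url = m.group(0).decode("ascii", "replace")
        if url not in seen:
            seen.append(url)
    return seen


# Constructed sample telemetry (not real logs): one line per outbound connection.
SAMPLE_LOG = """\
2020-10-30T09:14:02Z|WS01|discord.exe|gateway.discord.gg
2020-10-30T09:15:11Z|WS01|chrome.exe|discord.com
2020-10-30T09:16:45Z|WS02|svchost.exe|update.microsoft.com
2020-10-30T09:17:03Z|WS02|Setup-Installer.exe|discord.com
2020-10-30T09:18:30Z|WS03|python.exe|cdn.discordapp.com
2020-10-30T09:19:00Z|WS04|updater.exe|evil-discord.com.example
"""

# Constructed sample of a file's bytes with a placeholder webhook URL embedded (fake id/token).
SAMPLE_BLOB = (b"\x00\x01MZ...padding..."
               b"https://discord.com/api/webhooks/123456789012345678/AbCdEf_gHiJ-kLmNoP"
               b"\x00more bytes\x00")

if __name__ == "__main__":
    for e in suspicious_discord_connections(SAMPLE_LOG):
        print(f"[NET] {e.ts} {e.host}: {e.process} -> {e.dest}")
    for url in find_webhook_urls(SAMPLE_BLOB):
        print(f"[STATIC] hard-coded webhook: {url}")
```

On the constructed sample, the network check flags the two connections from an installer-like process and from a scripting runtime, while the genuine Discord client and browser are left alone, and the look-alike domain is not matched because the suffix test is anchored at a label boundary. Treat the process allow-list as a starting point: on estates where Discord is not a sanctioned application, any connection to these hosts is worth a ticket.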
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Last edited: 30 October 2020 12:47 pm