A Cyber Kill Chain Based Analysis of Remote Access Trojans

  • Reyhaneh HosseiniNejad
  • Hamed HaddadPajouh
  • Ali DehghantanhaEmail author
  • Reza M. Parizi


Computer networks and industrial systems are always under cyber threat and attack. Existing vulnerabilities in different parts of systems have given cyber attackers the opportunity to think about attacking, damaging or hindering the working process of important infrastructures of the country. Figuring out these threats and weak points which are used by malwares like Trojans, considering the evolution of used techniques for preventing identification and ways to identify, is a big challenge. Having a destructive hierarchy can help identification and risk mitigation strategies. In this paper, we have analyzed a hierarchy based on characteristics of remote-controlled malwares using 477 Trojans collected from real-world samples, using different methods of assessment. The carried out analysis used one of the popular models for identifying cyber threats named Cyber Kill Chain. We proposed a hierarchy based on dataset sample in different stage of malware lifecycle.


Cyber kill chain Trojan RAT Threat intelligence Threat hunting 


  1. 1.
    S. Walker-Roberts, M. Hammoudeh, and A. Dehghantanha, “A Systematic Review of the Availability and Efficacy of Countermeasures to Internal Threats in Healthcare Critical Infrastructure,” IEEE Access, vol. 6, pp. 25167–25177, 2018.Google Scholar
  2. 2.
    M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of Things security and forensics: Challenges and opportunities,” Futur. Gener. Comput. Syst., vol. 78, pp. 544–546, 2018.Google Scholar
  3. 3.
    H. H. Pajouh, A. Dehghantanha, R. Khayami, and K. K. R. Choo, “Intelligent OS X malware threat detection with code inspection,” J. Comput. Virol. Hacking Tech., pp. 1–11, 2017.Google Scholar
  4. 4.
    L. Chen, T. Li, M. Abdulhayoglu, and Y. Ye, “Intelligent malware detection based on file relation graphs,” in Proceedings of the 2015 IEEE 9th International Conference on Semantic Computing (IEEE ICSC 2015), 2015, pp. 85–92.Google Scholar
  5. 5.
    A. Azmoodeh, A. Dehghantanha, M. Conti, and K.-K. R. Choo, “Detecting crypto-ransomware in IoT networks based on energy consumption footprint,” J. Ambient Intell. Humaniz. Comput., vol. 0, no. 0, p. 0, 2017.Google Scholar
  6. 6.
    H. Haddad Pajouh, R. Javidan, R. Khayami, D. Ali, and K.-K. R. Choo, “A Two-layer Dimension Reduction and Two-tier Classification Model for Anomaly-Based Intrusion Detection in IoT Backbone Networks,” IEEE Trans. Emerg. Top. Comput., vol. 6750, no. c, pp. 1–1, 2016.Google Scholar
  7. 7.
    S. Homayoun, A. Dehghantanha, M. Ahmadzadeh, S. Hashemi, and R. Khayami, “Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence,” IEEE Trans. Emerg. Top. Comput., vol. 6750, no. c, pp. 1–11, 2017.Google Scholar
  8. 8.
    H. HaddadPajouh, A. Dehghantanha, R. Khayami, and K. K. R. Choo, “A deep Recurrent Neural Network based approach for Internet of Things malware threat hunting,” Futur. Gener. Comput. Syst., vol. 85, pp. 88–96, 2018.Google Scholar
  9. 9.
    A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust Malware Detection for Internet Of (Battlefield) Things Devices Using Deep Eigenspace Learning,” IEEE Trans. Sustain. Comput., vol. 3782, no. c, pp. 1–1, 2018.Google Scholar
  10. 10.
    M. Damshenas, A. Dehghantanha, and R. Mahmoud, “A Survey on Malware propagation, analysis and detection,” Int. J. Cyber-Security Digit. Forensics, vol. 2, no. 4, pp. 10–29, 2013.Google Scholar
  11. 11.
  12. 12.
    A. Shalaginov, S. Banin, A. Dehghantanha, and K. Franke, Machine learning aided static malware analysis: A survey and tutorial, vol. 70. 2018.Google Scholar
  13. 13.
    J. Baldwin and A. Dehghantanha, “for Opcode Density Based Detection of Crypto-Ransomware,” 2018.Google Scholar
  14. 14.
    M. Hopkins and A. Dehghantanha, “Exploit Kits: The production line of the Cybercrime economy?,” 2015 2nd Int. Conf. Inf. Secur. Cyber Forensics, InfoSec 2015, pp. 23–27, 2016.Google Scholar
  15. 15.
    A. Khalilian, A. Baraani, “An Investigation and Comparison of Metamorphic Virus Detection and Current Challenges.,” Biannu. J. Monadi Cybersp. Secur., 2014.Google Scholar
  16. 16.
    “AV-TEST,” 2018. [Online]. Available:
  17. 17.
    Mcafee, “McAfee Labs Threat Report,” no. December, p. 50, 2016.Google Scholar
  18. 18.
    D. Kiwia, A. Dehghantanha, K.-K. R. Choo, and J. Slaughter, “A cyber kill chain based taxonomy of banking Trojans for evolutionary computational intelligence,” J. Comput. Sci., Nov. 2017.Google Scholar
  19. 19.
    G. Canfora, F. Mercaldo, C. A. Visaggio, and P. Di Notte, “Metamorphic Malware Detection Using Code Metrics,” Inf. Secur. J. A Glob. Perspect., vol. 23, no. 3, pp. 57–67, May 2014.Google Scholar
  20. 20.
    S. Wu, S. Liu, W. Lin, X. Zhao, and S. Chen, “Detecting Remote Access Trojans through External Control at Area Network Borders,” Proc. - 2017 ACM/IEEE Symp. Archit. Netw. Commun. Syst. ANCS 2017, pp. 131–141, 2017.Google Scholar
  21. 21.
    S. Shin, J. Jung, and H. Balakrishnan, “Malware prevalence in the KaZaA file-sharing network,” in Proceedings of the 6th ACM SIGCOMM on Internet measurement - IMC ‘06, 2006, no. May, p. 333.Google Scholar
  22. 22.
    S. Mohtasebi and A. Dehghantanha, “A Mitigation Approach to the Malwares Threats of Social Network Services,” Muktimedia Inf. Netw. Secur., pp. 448–449, 2009.Google Scholar
  23. 23.
    X. M. Wang, Z. B. He, X. Q. Zhao, C. Lin, Y. Pan, and Z. P. Cai, “Reaction-diffusion modeling of malware propagation in mobile wireless sensor networks,” Sci. China Inf. Sci., vol. 56, no. 9, pp. 1–18, 2013.Google Scholar
  24. 24.
    D. Jiang and K. Omote, “A RAT detection method based on network behavior of the communication’s early stage,” IEICE Trans. Fundam. Electron. Commun. Comput. Sci., vol. E99A, no. 1, pp. 145–153, 2016.Google Scholar
  25. 25.
    M. N. Kondalwar and C. J. Shelke, “Remote Administrative Trojan/Tool (RAT),” Int. J. Comput. Sci. Mob. Comput., vol. 3333, no. 3, pp. 482–487, 2014.Google Scholar
  26. 26.
    D. Jiang and K. Omote, “An approach to detect remote access trojan in the early stage of communication,” Proc. - Int. Conf. Adv. Inf. Netw. Appl. AINA, vol. 2015–April, pp. 706–713, 2015.Google Scholar
  27. 27.
    U. Losche, M. Morgenstern, and H. Pilz, “Platform Independent Malware Analysis Framework,” Proc. - 9th Int. Conf. IT Secur. Incid. Manag. IT Forensics, IMF 2015, pp. 109–113, 2015.Google Scholar
  28. 28.
  29. 29.
    A. Shabtai, L. Tenenboim-Chekina, D. Mimran, L. Rokach, B. Shapira, and Y. Elovici, “Mobile malware detection through analysis of deviations in application network behavior,” Comput. Secur., vol. 43, pp. 1–18, Jun. 2014.Google Scholar
  30. 30.
    M. Lindorfer, C. Kolbitsch, and P. M. Comparetti, “Detecting environment-sensitive malware,” in International Workshop on Recent Advances in Intrusion Detection, 2011, vol. 2011, pp. 338–357.Google Scholar
  31. 31.
    A. Karim, S. Adeel, A. Shah, and R. Salleh, “New Perspectives in Information Systems and Technologies, Volume 2,” vol. 276, pp. 153–164, 2014.Google Scholar
  32. 32.
    X. Ugarte-Pedrero, D. Balzarotti, I. Santos, and P. G. Bringas, “SoK: Deep packer inspection: A longitudinal study of the complexity of run-time packers,” Proc. - IEEE Symp. Secur. Priv., vol. 2015–July, pp. 659–673, 2015.Google Scholar
  33. 33.
    B. B. Gupta, A. Tewari, A. K. Jain, and D. P. Agrawal, “Fighting against phishing attacks: state of the art and future challenges,” Neural Comput. Appl., vol. 28, no. 12, pp. 3629–3654, Dec. 2017.Google Scholar
  34. 34.
    M. Nawir, A. Amir, N. Yaakob, and O. B. Lynn, “Internet of Things (IoT): Taxonomy of security attacks,” 2016 3rd Int. Conf. Electron. Des., pp. 321–326, 2016.Google Scholar
  35. 35.
    A. Cook, H. Janicke, R. Smith, and L. Maglaras, “The industrial control system cyber defence triage process,” Comput. Secur., vol. 70, pp. 467–481, 2017.Google Scholar
  36. 36.
    T. Who and E. T. Hunting, “Interested in learning SANS Institute InfoSec Reading Room The Who, What, Where, When, Why and How of.”Google Scholar
  37. 37.
    T. Yadav and A. M. Rao, “Technical aspects of cyber kill chain,” in International Symposium on Security in Computing and Communication, 2015, pp. 438–452.Google Scholar
  38. 38.
    S. Attaluri, “Detecting Metamorphic Viruses Using Profile Hidden Markov Models,” no. December, 2007.Google Scholar
  39. 39.
    B. Kolosnjaji, A. Zarras, G. Webster, and C. Eckert, “Deep Learning for Classification of Malware System Call Sequences.”Google Scholar
  40. 40.
    T. Yadav and P. Szor, “The art of computer virus research and defense,” Choice Rev. Online, vol. 43, no. 03, pp. 43–1613–43–1613, Nov. 2005.Google Scholar
  41. 41.
    M. Egele, T. Scholte, E. Kirda, and C. Kruegel, “A survey on automated dynamic malware-analysis techniques and tools,” ACM Comput. Surv., vol. 44, no. 2, pp. 1–42, 2012.Google Scholar
  42. 42.
    F. Daryabar, A. Dehghantanha, and N. I. Udzir, “Investigation of bypassing malware defences and malware detections,” in Information Assurance and Security (IAS), 2011 7th International Conference on, 2011, pp. 173–178.Google Scholar
  43. 43.
    M. Assante and R. Lee, “Interested in learning SANS Institute InfoSec Reading Room System Cyber Kill Chain,” 2015.Google Scholar
  44. 44.
    S. Khattak, N. R. Ramay, K. R. Khan, A. A. Syed, and S. A. Khayam, “A Taxonomy of botnet behavior, detection, and defense,” IEEE Commun. Surv. Tutorials, vol. 16, no. 2, pp. 898–924, 2014.Google Scholar
  45. 45.
    A. Buescher, F. Leder, and T. Siebert, “Banksafe Information Stealer Detection Inside the Web Browser,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6961 LNCS, Springer, 2011, pp. 262–280.Google Scholar
  46. 46.
    A. Stewart, “DLL Side-Loading: A Thorn in the Side of the Anti-Virus (AV) Industry,” FireEye, Inc, 2014.Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Reyhaneh HosseiniNejad
    • 1
  • Hamed HaddadPajouh
    • 2
  • Ali Dehghantanha
    • 2
    Email author
  • Reza M. Parizi
    • 3
  1. 1.Pishtazan Higher Education InstituteShirazIran
  2. 2.Cyber Science Lab, School of Computer ScienceUniversity of GuelphGuelphCanada
  3. 3.Department of Software Engineering and Game DevelopmentKennesaw State UniversityMariettaUSA

Personalised recommendations