Suspected Remote Access Trojan (RAT) On Router


  1. Posts : 241
    Windows 10
       #1

    Suspected Remote Access Trojan (RAT) On Router


    I have a suspected remote access Trojan originating from my router as the problem is affecting all my Windows 10 machines. The router for the past 7-10 years has always been replaced with one of exactly the same model and I very much doubt that it has had many if any firmware or firewall updates during this time.

    My broadband contract is coming up for renewal in the next few days and I have been told that my old router has finally been discontinued and my ISP wants to give me a much more powerful router which is more than double the size of the old one and hopefully it will have security advantages too.

    I don’t use wi-fi on my computers, only for a streaming stick, and there is a button on the side of the router to turn the wi-fi off and on which I find useful.

    The new router doesn’t have this feature and I would have to access the router's configuration page to access the wi-fi, and I will also need to do this to turn off the higher of the two wi-fi frequencies. The router is user specific and I would have to enter password details; these details I know will be really strong, based on my old routers, but could also possibly be seen by hackers.

    You may be wondering why I am writing all this about my router and how I know I have a RAT. It all started several weeks ago when I noticed in Process Explorer that every time the computers connected to the internet a powershell.exe would be shown, sometimes two of them at the same time. I was able to write down the script, which appeared to be a type of interrogation to get details of my machines. Also the occasional command prompt would appear in Process Explorer. The remote machine managed to download “winget”, which appeared suddenly in my apps and features and which I quickly uninstalled. Although Winget is a genuine programme I class it along with Powershell and Terminal as programmes from H*ll.

    Doing detective work and using the Internet I was able to (mostly) stop Powershell scripts from being run from both local and remote locations. I also disabled some programs in apps and features.
    Process Explorer doesn’t have the processes jumping about now. I think I have at least made an attempt to limit the damage to my machines.

    I have run full scans of Kaspersky antivirus, Microsoft Safety Scanner and the regular monthly scanner. Both the Microsoft scans detected 7 items during the scans but upon completion said no malicious items had been detected. I have also tried Zemana, Hitman Pro etc and near enough given up.

    What I have never done with Windows 10 is use safe mode, as I am concerned that once in it I wouldn’t be able to get out. The emergency procedure to exit involves using the command prompt, which would be a step too far for me.

    My main thoughts are with my impending internet contract. I can continue using the old router even when I get the new one. I cannot see a way out of my problems.

    I am not a stranger to getting new items and not using them. I got a printer 6 years ago and didn’t use it. Got another one 3 years ago and they are both currently unused. One of the printer's manuals is over 500 pages, but this is all moving away from the current situation that I am in.


  2. Posts : 1,770
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #2

    mike888 said:
    > You may be wondering why I am writing this all about my router and how do I know I have a RAT. It all started several weeks ago and I was noticing in Process Explorer that every time the computers connected to the internet a powershell.exe would be shown, sometimes two of them at the same time. I was able to write down the script which appeared to be a type of interrogation to get details of my machines.

    You almost 100% don't have a RAT.

    Since Vista, the Powershell activity is merely system collection of diagnostics data that Windows Event Reporting (WER) uploads whenever an internet connection is detected.

    See About WER for more info. It's absolutely normal.

    If you want to stop the collection then just disable WER.

    Hope this helps...
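To see for yourself what is behind those powershell.exe instances rather than copying them down by hand, here is an added inspection script (it is not the poster's, and not from any tool named in this thread). It assumes an elevated PowerShell on Windows 10, reads process and event-log data, and checks the documented Windows Error Reporting (WER) "Disabled" registry value without changing anything.

```powershell
# Added example, not from the thread. Read-only: nothing is changed on the machine.
# Run from an elevated PowerShell prompt on Windows 10.

# 1. Every live powershell.exe with its parent process and full command line.
#    A parent such as svchost.exe or a scheduled-task host points to a system job;
#    an unfamiliar parent, or a command line using -enc/-EncodedCommand, is worth a closer look.
$rows = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        PID         = $_.ProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
        CommandLine = $_.CommandLine
    }
}
"--- running powershell.exe instances: $(@($rows).Count) ---"
$rows | Format-Table -AutoSize -Wrap

# 2. Script-block log (event 4104) keeps the script text even after the process has gone,
#    which is what the OP was trying to capture by hand. Windows 10 records some blocks by
#    default; full logging needs the "Turn on PowerShell Script Block Logging" policy.
"--- last 20 script blocks logged by PowerShell ---"
Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104} `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Script = ($_.Properties[2].Value -replace '\s+', ' ').Substring(0, [Math]::Min(120, $_.Properties[2].Value.Length))
        }
    } | Format-Table -AutoSize -Wrap

# 3. WER state, as referred to in the reply above. A DWORD "Disabled" = 1 under either key
#    turns the feature off; the Policies key wins when Group Policy is in use.
$werKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting',
           'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
foreach ($k in $werKeys) {
    $v = (Get-ItemProperty -Path $k -Name Disabled -ErrorAction SilentlyContinue).Disabled
    "{0}: Disabled = {1}" -f $k, ($(if ($null -eq $v) { '<not set>' } else { $v }))
}
"WerSvc service: " + (Get-Service WerSvc -ErrorAction SilentlyContinue).Status
# To actually disable WER (deliberately left as a comment so this script stays read-only):
# Set-ItemProperty -Path $werKeys[0] -Name Disabled -Value 1 -Type DWord
```

If the command lines or 4104 script text are from a scheduled task or a Windows component you recognise, that explains the Process Explorer activity; anything else is worth pasting into a reply so others can read it.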


  3. Posts : 5,330
    Windows 11 Pro 64-bit
       #3

    A RAT infection is malware designed to allow an attacker to remotely control an infected computer. RATs, like any malware, are only a danger if they are installed and executed on a target computer.

    This video guide gives a full review on remote access trojan. It covers its meaning, functions, bad effects, detection, removal, as well as protection methods.



  4. Posts : 241
    Windows 10
    Thread Starter
       #4

    Thank you for your replies. I am still not convinced that I don't have something at least similar to a RAT. Some system files are not digitally signed when they should be, and sometimes changes are made to my browser settings, nothing major though.
    I am the only person with access to the machines.

    I have seen at least 20 videos on the video channel and I am surprised that the video channel owners don't control what is published. What I mean by this is you see one video about RAT infections and how to investigate them, but the next video in the sequence is how to create a RAT. There is an approximate 50% split between prevention and how to create a RAT. The ones showing how to create a RAT do have a disclaimer at the start to say they are for information or educational purposes only and may be illegal to act upon in some countries. I was shocked to see at the weekend just how easy it is to infect a simple everyday file type.


  5. Posts : 352
    Windows 11 Home (x64) Version 23H2
       #5

    mike888, if you want I can look at your files and see if there is anything there! Download this program to the desktop (important), then run it and post the logs back here!
    FARBAR (FRST)
    Download Farbar Recovery Scan Tool for 64-bit systems and save it to your Desktop (important).
    If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
    * Right click on the icon and select Run as administrator
    * Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    * Click Yes to the disclaimer
    * Click Scan and allow the program to run
    * Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen

    2 Notepad documents should now be open on your desktop.
    Please copy and paste the contents of each report in separate reply windows


  6. Posts : 9,792
    Mac OS Catalina
       #6

    No, you do not have a Remote Access Trojan. No ISP is going to embed anything like a Remote Access Trojan in their hardware firmware. Yes, you have to use an app now to access the basics on an ISP's hardware, to make only those changes that the end user needs to do. If you want a more robust setup for networking, buy your own hardware.


  7. Posts : 241
    Windows 10
    Thread Starter
       #7

    The Farbar tool will not run, see my previous post to an old thread at:
    Malwarebytes And Adwcleaner Issues

    This RAT business still concerns me because I have programs appear in the recent list of the search menu that I have not been using, specifically the snipping tool, which appears once or twice a day. I have my settings in GP set to not allow it to run. If I click on it I get an error message because I have set a policy for it. The programme will not start even if an attempt is made to run it as administrator; this is expected.

    The programme does not appear in add and remove progs or in optional features.

    I also sometimes have other programs appear in the recent list that I myself have not been using !

    A few weeks ago I did a probe of my router's UPnP using "Shields Up" and I got the message that the probe could not be continued as something else was probing it, and to try again later.


  8. Posts : 352
    Windows 11 Home (x64) Version 23H2
       #8

    The other option is to download "Farbar" to a flash drive, then run it on the computer!! That is what you should have done with Malwarebytes and AdwCleaner when they didn't run! Please give this a try for Farbar!!


  9. Posts : 9,792
    Mac OS Catalina
       #9

    None of these tools are going to do anything with network hardware. As for your computer hardware, it is obvious that there is nothing nefarious going on.


  10. Posts : 2,921
    Windows 10 Pro for the Bro
       #10

    I have this app. It always shows so many programs that open without me opening them.

    [screenshot attachment]


Windows 10 Forums
© Designer Media Ltd