Understanding Remote-Control Trojans: Concepts, Deployment, Communication, and APT Threats
This guide explains remote-control trojans: their basic concepts, classifications, infection methods, communication techniques, typical functionality, their role in APT attacks, and practical detection strategies, giving security professionals the background needed to defend against them.
Trojan Basic Concepts and Classification
The term trojan, short for Trojan horse, comes from Greek mythology: the program deceives the user into installing hidden malicious code that gives an attacker remote control of the victim's computer.
Features of Trojans
Trojans are characterized by:
Deceptiveness: users are usually tricked into executing the payload themselves.
Hiddenness: the malicious code conceals its presence on the host.
Unauthorized operation: malicious actions are carried out without the user's consent.
Interactivity: the attacker can interact with the compromised host.
Classification can be viewed from different perspectives:
1. Behavior Perspective
Based on Kaspersky’s SafeStream classification, Trojans are divided into Backdoor, Trojan, Rootkit, and Exploit. Backdoor includes remote‑control programs, which are the focus of this article.
2. Function Perspective
Remote‑control type
Information‑gathering type
Destructive type
Trojan Implantation Methods
Common infection vectors include:
Web-based injection: exploiting browser or server vulnerabilities to deliver malicious pages that automatically download the trojan.
Phishing email attachment: malicious files or HTML emails that trigger installation when opened.
Document bundling: malicious code hidden in Office or PDF documents that exploits vulnerabilities when the document is opened.
Masquerading: renaming executables, altering extensions, or using Unicode tricks to disguise the payload.
Bundled implantation: combining the trojan with other executables, documents, multimedia files, or e-books (e.g., the WinRAR exploit CVE-2018-20250).
Other methods: USB drops, social engineering, etc.
Remote‑Control Trojan Communication Methods
Control and compromised ends communicate via channels built on IP addresses, ports, or third‑party websites. Two main connection types exist:
Forward connection (controller initiates connection to the victim).
Reverse connection (victim initiates connection to the controller).
1. Forward Connection
The controller connects to an open port on the victim, sending commands and receiving system information (IP, MAC, hostname, memory, etc.).
Advantages: the attacker does not need a static IP, and the trojan does not expose its own IP. Disadvantages: firewalls may block the inbound connection, and the attacker must have an external IP.
2. Reverse Connection
The compromised host initiates the connection, often using port 80 to bypass firewalls. Advantages include easier firewall traversal and ability to control LAN targets; disadvantages involve exposing the C2 server address.
3. Communication Protocols
TCP – stable but easily detected.
HTTP – can be disguised.
UDP – lighter payload but less reliable.
ICMP+TCP/UDP – uses ICMP packets to trigger port opening, often bypassing firewalls.
Common Functions and Intentions of Remote‑Control Trojans
A typical trojan consists of a configuration program, a client (controller), and a server (payload). Core functionalities include:
File management (browse, upload/download, execute, delete, modify attributes).
Process management (view, terminate, pause processes).
Service management (create, start/stop, delete services).
Registry management (read, create, delete keys).
Screen control (capture, monitor).
Audio/video capture (record microphone, access webcam).
Keylogging (capture keystrokes, credentials).
Window management, remote shell, etc.
The key Windows API functions involved in each category are listed below.
1. File Management
Operations include browsing disks, uploading/downloading files, executing files, deleting files, and modifying file attributes.
Possible functions: GetLogicalDriveStrings, GetDiskFreeSpaceEx, GetVolumeInformation, FindFirstFile, FindNextFile, DeleteFile, SHFileOperation, MoveFile, CreateFileEx, WriteFile, etc.
2. Process Management
Allows viewing system environment, installed software, running processes, and terminating or pausing them.
Key functions: CreateToolhelp32Snapshot, Process32First, Process32Next, EnumProcesses, OpenProcess, AdjustTokenPrivileges, TerminateProcess, etc.
3. Service Management
Enables creating, starting/stopping, and deleting services.
Key functions: OpenSCManager, EnumServicesStatus, OpenService, QueryServiceConfig, StartService, StopService, DeleteService.
4. Registry Management
Browse, create, delete registry keys and values.
Key functions: RegQueryInfoKey, RegEnumKeyEx, RegEnumValue, RegCreateKeyEx, RegDeleteKey, RegSetValueEx, RegDeleteValue.
5. Screen Control
Uses keybd_event or SendInput to simulate PrintScreen and CreateDC to capture the screen.
6. Keyboard/Mouse Operations
Functions include SetCursorPos, mouse_event, and SendInput.
7. Screen Capture
Uses CreateDC, CreateCompatibleBitmap, and BitBlt to capture single or multiple screenshots.
8. Audio/Video Capture
Records microphone input and accesses webcam to capture video, even when offline, transmitting data later.
9. Keylogging
Collects usernames, passwords, chat messages, and can record Chinese characters.
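The API lists in sections 1 to 9 are also what a defender looks for first when triaging a suspicious binary: the combination of categories imported says more than any single name. The following is an added example, not code from the article, that maps the article's API names to its capability categories and profiles a constructed list of imported names (the keylogging entries SetWindowsHookEx and GetAsyncKeyState are an assumption, since the article names no keylogging APIs):

```python
import re

# Capability map built from the API names the article lists per category.
# Names are kept as written there; A/W and Ex suffix variants are normalized at lookup time.
CAPABILITIES = {
    "file": {"GetLogicalDriveStrings", "GetDiskFreeSpaceEx", "GetVolumeInformation", "FindFirstFile",
             "FindNextFile", "DeleteFile", "SHFileOperation", "MoveFile", "CreateFileEx", "WriteFile"},
    "process": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "EnumProcesses",
                "OpenProcess", "AdjustTokenPrivileges", "TerminateProcess"},
    "service": {"OpenSCManager", "EnumServicesStatus", "OpenService", "QueryServiceConfig",
                "StartService", "ControlService", "DeleteService"},
    "registry": {"RegQueryInfoKey", "RegEnumKeyEx", "RegEnumValue", "RegCreateKeyEx", "RegDeleteKey",
                 "RegSetValueEx", "RegDeleteValue"},
    "input": {"SetCursorPos", "mouse_event", "keybd_event", "SendInput"},
    "screen": {"CreateDC", "CreateCompatibleBitmap", "BitBlt"},
    "keylog": {"SetWindowsHookEx", "GetAsyncKeyState"},  # assumption: common keylogging APIs, not from the article
}
SUFFIX = re.compile(r"(?:Ex)?[AW]?$")  # strips ExW, ExA, W, A, or Ex at the end of a name

def normalize(name):
    """RegCreateKeyExW -> RegCreateKey, CreateFileW -> CreateFile, BitBlt -> BitBlt."""
    return SUFFIX.sub("", name, count=1)

def capability_profile(strings_lines, min_categories=4):
    """Group API-like tokens from `strings` output into the article's capability categories.

    rat_like is an assumed triage threshold: four or more categories in one binary is a
    combination ordinary applications rarely need.
    """
    norm_map = {normalize(api): cat for cat, apis in CAPABILITIES.items() for api in apis}
    found = {}
    for line in strings_lines:
        for token in re.findall(r"[A-Za-z_][A-Za-z0-9_]{3,}", line):
            cat = norm_map.get(normalize(token))
            if cat:
                found.setdefault(cat, set()).add(token)
    return {"categories": found, "rat_like": len(found) >= min_categories}

# Constructed sample imitating `strings` output over an import table; not a real binary.
SAMPLE_STRINGS = [
    "KERNEL32.dll", "CreateFileW", "WriteFile", "FindFirstFileExW",
    "CreateToolhelp32Snapshot", "Process32FirstW", "TerminateProcess",
    "ADVAPI32.dll", "OpenSCManagerW", "StartServiceW", "RegCreateKeyExW", "RegSetValueExW",
    "USER32.dll", "SetWindowsHookExW", "GetAsyncKeyState",
    "GDI32.dll", "CreateDCW", "CreateCompatibleBitmap", "BitBlt",
    "WS2_32.dll", "connect", "send", "recv",
]

if __name__ == "__main__":
    print(capability_profile(SAMPLE_STRINGS))
```

Run it against the output of `strings` on a sample of interest; the categories that co-occur (for example screen capture with keylogging and registry persistence) are the triage signal, not any single import.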
APT Attacks and Remote‑Control Trojans
APT groups frequently employ remote‑control trojans for persistence, data exfiltration, and sabotage. Examples include:
Sea Lotus (2015) using CS platform, Denis family trojans, Ratsnif, Gh0st.
Green Patch (2018) using modified ZXShell, PI, Gh0st.
Equation (various) using multiple complex trojan platforms.
APT attackers choose trojans because they provide long‑term control over pivot or critical machines, enabling data theft, profit, or destructive actions.
1. Relationship Between APT and Trojans
In the US TCTF framework, remote‑control trojans appear in the “Presence” (persistence) and “Effect” (execution) stages, facilitating command‑and‑control, data collection, and sabotage.
2. Differences Between Ordinary and APT Trojans
APT‑grade trojans are custom‑developed or heavily modified, using zero‑day exploits, supply‑chain attacks, firmware/rootkit persistence, encrypted C2 channels, and advanced evasion techniques.
3. Typical APT Trojans
(1) Modified ZXShell (Green Patch)
Original open‑source ZXShell was trimmed and extended with file‑stealing modules targeting WPS documents, keyword‑based file collection, and encrypted configuration.
(2) DanderSpritz (Equation)
DanderSpritz provides extensive command sets for process, network, registry, file, and driver control, and uses a “Trigger” activation mode where the trojan passively listens for specially crafted packets, decrypts embedded C2 information, and initiates a connection.
RSA encryption is employed for secure C2 communication.
Detection Challenges
Detecting APT trojans is difficult due to:
Static file signatures being obfuscated.
Encrypted or dynamic C2 channels without fixed ports.
Use of legitimate services and protocols to blend traffic.
Advanced persistence mechanisms (MBR, firmware, rootkits).
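The reverse connection described earlier (the victim calling out to the controller, often on port 80) and the "no fixed port" challenge in this section share one observable: a host that contacts the same peer at regular intervals regardless of port. The following added example, not code from the article, scores constructed flow records by the regularity of their connection intervals:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp in seconds, source IP, destination IP, destination port).
# 10.0.0.5 -> 203.0.113.7:80 imitates a reverse-connection beacon: roughly every 60 s with small jitter.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 80), (61, "10.0.0.5", "203.0.113.7", 80),
    (119, "10.0.0.5", "203.0.113.7", 80), (180, "10.0.0.5", "203.0.113.7", 80),
    (241, "10.0.0.5", "203.0.113.7", 80), (299, "10.0.0.5", "203.0.113.7", 80),
    # Ordinary browsing from the same host: a web port as well, but irregular timing.
    (5, "10.0.0.5", "198.51.100.20", 443), (9, "10.0.0.5", "198.51.100.20", 443),
    (200, "10.0.0.5", "198.51.100.20", 443), (210, "10.0.0.5", "198.51.100.20", 443),
    # Too few connections to judge; must not be scored at all.
    (30, "10.0.0.9", "192.0.2.44", 8080), (95, "10.0.0.9", "192.0.2.44", 8080),
]

def beacon_candidates(flows, min_conns=4, max_cv=0.1):
    """Score each (src, dst, port) peer by the regularity of its connection intervals.

    The coefficient of variation (stddev / mean of the gaps) is near 0 for a fixed-interval
    beacon and large for human-driven traffic. The port is deliberately not used as a filter:
    a reverse connection on 80 or 443 looks like browsing unless timing is examined.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(ts)
    results = []
    for (src, dst, port), times in by_peer.items():
        if len(times) < min_conns:
            continue  # not enough samples for a meaningful interval statistic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # every connection at the same instant: a burst, not a beacon
        cv = pstdev(gaps) / avg
        results.append({"src": src, "dst": dst, "port": port, "connections": len(times),
                        "mean_gap_s": round(avg, 1), "cv": round(cv, 3),
                        "beacon_like": cv <= max_cv})
    return sorted(results, key=lambda r: r["cv"])

if __name__ == "__main__":
    for record in beacon_candidates(FLOWS):
        print(record)
```

Real implants add jitter and sleep randomization, so treat max_cv as a tunable starting point and combine the score with destination reputation and payload size rather than alerting on timing alone.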
Summary
Remote‑control trojans are indispensable in APT campaigns, providing persistence and flexible command‑and‑control capabilities. Their complexity spans infection vectors, functional modules, communication methods, and anti‑detection techniques. Understanding their architecture, behavior, and detection vectors is essential for effective defense.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact the site and the matter will be reviewed promptly.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.