[BreachExchange] FatalRAT in Full Play: the New Trojan that Targets Telegram

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Aug 3 11:23:22 EDT 2021


https://heimdalsecurity.com/blog/fatalrat-targets-telegram/

AT&T Alien Labs has released a report detailing a new remote access trojan
(RAT) circulating online. Named FatalRAT, it is built to distribute
compromised links through Telegram channels.

What Is a RAT?

According to our glossary, a RAT is a trojan that targets a victim and
obtains their privileged rights, giving attackers unrestricted control over
the computer. The main goal of such malware is data exfiltration, and it can
infect other devices too.

How Does the FatalRAT Work?

Following the report’s description, FatalRAT follows the pattern below:

   - In the initial stage of the attack, FatalRAT runs a series of tests.
   - These tests look for virtual machine products, check how many physical
   processors the machine has, and verify the disk space.
   - Only once the machine passes these anti-VM tests does FatalRAT start its
   malicious task.
   - The configuration strings containing the C2 address, the new malware,
   and the service name are decrypted separately.
   - FatalRAT then uses the DisableLockWorkstation registry key so that the
   user can no longer lock the device through CTRL+ALT+DELETE, and activates
   a keylogger.
   - The victim’s information is sent to the C2 server, but before it reaches
   the servers, the attacker applies a defense evasion technique to identify
   the machine’s security products.
   - The data sent to the C2 is encrypted and transmitted over port 8081.
   From there, the attackers only need to run their commands.


What Damages Can the Trojan Cause?

FatalRAT can carry out a range of malicious activities. According to
https://www.bankinfosecurity.com/, it can be deployed remotely, take
advantage of the defense evasion method described above, persist in the
system, and capture users’ keystrokes. It can also run shell commands,
change registry keys, and easily execute files. All of this serves the goal
of gathering and retrieving confidential system data through an encrypted
command-and-control channel.

Alien Labs Security Researcher Ofer Caspi stated that:

"FatalRAT can persist either by modifying the registry or by creating a new
service. If persistence is done by modifying the registry, it will create
the value ‘Software\Microsoft\Windows\CurrentVersion\Run\SVP7’ to execute the
malware at boot time. When using a service for persistence, FatalRAT will
retrieve the description from its configuration."
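The two registry artifacts this page names, the Run value SVP7 from the quote above and the DisableLockWorkstation policy from the infection steps, are the kind of thing a responder checks first on a suspect host. The following is an added example, not code from Heimdal, Alien Labs or the original post: it parses a Windows `.reg` export (the sample text is constructed) and flags those two indicators.

```python
"""Flag the FatalRAT persistence and keylogger-prep indicators named on this page
in a Windows .reg export. SAMPLE_REG is constructed sample data; the names SVP7 and
DisableLockWorkstation come from the report quoted above."""

# Constructed sample export: one benign Run value next to the two indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"SVP7"="C:\\Users\\user\\AppData\\Roaming\\svp7.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableLockWorkstation"=dword:00000001
"""

# Key paths compared without the hive prefix, so HKCU and HKLM variants both match.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}, lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            entries[current][name.strip('"').lower()] = data
    return entries


def fatalrat_indicators(text):
    """Return (key, value_name, reason) tuples for the indicators found in the export."""
    hits = []
    for key, values in parse_reg(text).items():
        _hive, _, path = key.partition("\\")
        if path == RUN_KEY and "svp7" in values:
            hits.append((key, "SVP7",
                         "Run value SVP7: the registry persistence the report describes"))
        if path == POLICY_KEY and \
                values.get("disablelockworkstation", "").lower().endswith(":00000001"):
            hits.append((key, "DisableLockWorkstation",
                         "workstation lock disabled, the step before the keylogger starts"))
    return hits


if __name__ == "__main__":
    for key, name, reason in fatalrat_indicators(SAMPLE_REG):
        print(f"{key}\\{name}: {reason}")
```

On a real host the input would come from `reg export` of the two keys; a SVP7 Run value is only an indicator, so confirm the referenced file before acting on it.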

Telegram: Target of Cyberattacks

It’s not the first time Telegram is targeted by malware.

Let’s remember the Toxic Eye RAT back in April, when threat actors used
Telegram, the cloud-based instant messaging service, to distribute Toxic Eye
via phishing e-mails. When victims downloaded the malicious file embedded in
the attachment, Toxic Eye could compromise the device.

Or when the macOS malware stole Google Chrome data and Telegram accounts.
The pattern was similar to this FatalRAT case: sensitive data was collected
and sent to a remote command-and-control server.

Why Is Telegram a Target for Malware?

FatalRAT, Toxic Eye, the macOS malware, and perhaps many more take advantage
of the Telegram app. But why is it so easy to exploit? One reason could be
that:

"Telegram is a legitimate, easy-to-use, and stable service that isn’t
blocked by enterprise anti-virus engines, nor by network management tools.
Attackers can remain anonymous as the registration process requires only a
mobile number."