AT&T Alien Labs has published a report detailing FatalRAT, a new Trojan circulating online that is being spread through compromised links posted in Telegram channels. A RAT is a Trojan that gives an attacker remote and generally unrestricted access to a target; the main objective of this type of malware is the exfiltration of data. FatalRAT can be controlled remotely, uses defense evasion techniques, establishes persistence on the system, logs user keystrokes, collects system information, and exfiltrates data through a command and control (C2) channel.

Before the malware fully infects a system, it runs several checks, looking for virtual machine products and inspecting the disk space and the number of physical processors, AT&T Alien Labs notes. «If the machine passes the AntiVM malware tests, then FatalRAT will start its malicious activity. An AntiVM test detects virtual machine configuration files, executables, registry entries, or other flags to manipulate its original flow of execution.» What we should know about FatalRAT is that it performs the following actions:

▸ In the initial stage of the attack, FatalRAT performs several tests to determine whether it is running on a virtual machine, how many physical processors are present, and how much disk space is available.

▸ It only begins its malicious tasks once the machine passes the AntiVM tests.

▸ The Trojan sets the DisableLockWorkstation registry key so that the user can no longer lock the device with CTRL + ALT + DELETE, and it activates a keylogger.

▸ The configuration strings containing the C2 address, the new malware, and the service name are each decrypted separately.

▸ The victim’s information is sent to the C2 server, but before it is sent the malware uses a defense evasion technique to identify the security products on the system.

▸ The data sent to the C2 is encrypted and travels over port 8081.

▸ Telegram channels are used to convey messages to a large audience. Unlike Telegram groups, only administrators can send messages through a channel.

This threat is quite persistent. It also carries a defense evasion technique that identifies every security product running on the infected machine: it walks through all running processes and looks for matches against a predefined list of security products, the researchers note. To make it easier for the attacker to recognize the installed products, the RAT converts each matching process name into a product name before sending the list to the C2 server.
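As an added illustration, not taken from the Alien Labs report or this article, the following Python sketch shows how a defender might flag two of the behaviours listed above in Sysmon-style telemetry: the DisableLockWorkstation value being set to 1 (assumed to live at its usual location under Policies\System) and outbound TCP traffic to port 8081, correlated per process image. The flattened key=value record format, the process paths and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records flattened to "key=value" pairs (not real telemetry).
# Event 13 = registry value set, Event 3 = network connection.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\System\\DisableLockWorkstation Details=DWORD (0x00000001)",
    "EventID=3 Image=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe "
    "DestinationIp=203.0.113.10 DestinationPort=8081 Protocol=tcp",
    "EventID=3 Image=C:\\Program Files\\Browser\\browser.exe "
    "DestinationIp=198.51.100.5 DestinationPort=443 Protocol=tcp",
    "EventID=13 Image=C:\\Windows\\System32\\gpupdate.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\System\\DisableLockWorkstation Details=DWORD (0x00000000)",
]

# A value runs until the next " key=" token, so paths with spaces survive parsing.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one flattened record into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return the finding name this single event triggers, or None."""
    if event.get("EventID") == "13":
        value_name = event.get("TargetObject", "").split("\\")[-1]
        data = re.search(r"0x([0-9a-fA-F]+)", event.get("Details", ""))
        # The Trojan sets DisableLockWorkstation=1 so CTRL+ALT+DEL cannot lock the desktop.
        if value_name == "DisableLockWorkstation" and data and int(data.group(1), 16) == 1:
            return "lock_workstation_disabled"
    if event.get("EventID") == "3":
        # The article reports C2 traffic on port 8081; on its own this is a weak signal.
        if event.get("DestinationPort") == "8081" and event.get("Protocol") == "tcp":
            return "c2_port_8081"
    return None


def detect(lines):
    """Map each process image to the sorted list of findings it triggered."""
    findings = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        hit = classify(event)
        if hit:
            findings[event["Image"]].add(hit)
    return {image: sorted(hits) for image, hits in findings.items()}


def suspicious_images(lines, min_findings=2):
    """Images showing both behaviours are far stronger candidates than either alone."""
    return sorted(i for i, h in detect(lines).items() if len(h) >= min_findings)
```

A legitimate policy tool writing the value to 0, or an ordinary service on port 8081, produces no finding, which is why the per-image correlation matters more than either rule by itself.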
