AT&T Alien Labs has published a report that provides details of the new FatalRAT Trojan circulating online that aims to distribute compromised links on Telegram channels. A RAT is a Trojan that gains remote and generally unrestricted access to a target. The main objective of this type of malware is the exfiltration of data. This new malware, called FatalRAT, can be run remotely, uses defense evasion techniques, gains system persistence, logs user keystrokes, collects system information, and exfiltrates data through a command and control channel. Telegram encryption.<\/p>\n\n\n\n
Before the malware completely infects a system, it runs various tests, looking for virtual machine products and checking disk space and the number of physical processors, AT&T Alien Labs notes. \u00abIf the machine passes the AntiVM malware tests, then FatalRAT will start its malicious activity. An AntiVM test detects virtual machine configuration files, executables, registry entries, or other flags to manipulate its original flow of execution. Something we should know about FatalRAT is that it performs the following actions:<\/p>\n\n\n\n
\u25b8In the initial stage of the attack, FatalRAT performs several tests to determine if it is running on a virtual machine or not, the number of physical processors and to verify the disk space.<\/em><\/strong><\/p>\n\n\n\n \u25b8The point at which it initializes its malicious task is when the machine passes the AntiVM tests.<\/em><\/strong><\/p>\n\n\n\n \u25b8If a user wants to use the DisableLockWorkstation registry key to lock the device through CTRL + ALT + DELETE, this will not let you because the Trojan will activate a keylogger. <\/em><\/strong><\/p>\n\n\n\n \u25b8The configuration strings containing the C2 address, the new malware, and the service name are decrypted separately.<\/em><\/strong><\/p>\n\n\n\n \u25b8The victim’s information is sent to the C2 server, but before reaching the servers, it uses a defense evasion technique to identify the system’s security products.<\/em><\/strong><\/p>\n\n\n\n \u25b8The data sent to the C2 is encrypted and distributed through port 8081.<\/em><\/strong><\/p>\n\n\n\n \u25b8Telegram channels are used to convey messages to a large audience. But unlike Telegram groups, only administrators can send messages through the channel.<\/em><\/strong><\/p>\n\n\n\n This threat is quite persistent, in addition it has a defense evasion technique, which is responsible for identifying all the security products that run on the infected machine, going through all the running processes and looking for the existence of a predefined list of security products, the researchers note. And to make it easier for the attacker to detect installed security products, the RAT converts the process name to a product name before sending the list to the C2 server.<\/p>\n\n\n\n Related reads: AT&T Alien Labs has published a report that provides details of the new FatalRAT Trojan circulating online that aims to distribute compromised links on Telegram channels. A RAT is a Trojan that gains remote and generally unrestricted access to a target. The main objective of this type of malware is the exfiltration of data. This […]<\/p>\n","protected":false},"author":1,"featured_media":3475,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[36],"class_list":["post-3474","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\n
Remcos RAT Threat Lurking the Internet<\/a>
SolarMarker is a Trojan that aids itself with a RAT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"