FatalRAT Exploits Telegram to Deliver Malicious LinksAT&T Alien Labs: RAT Uses Defense Evasion Techniques
Telegram channels are used to broadcast messages to a large audience. But unlike Telegram groups, only admins can send messages via the channel.
The malware, dubbed FatalRAT, can be remotely executed and can perform defense evasion techniques, obtain system persistence, log user keystrokes, collect system information and exfiltrate data over an encrypted command-and-control channel, the researchers say.
AT&T Alien Labs reports discovering samples of FatalRAT in the wild in the past few months, but it does not say how many victims have been affected.
Before the malware fully infects a system, it runs several tests, looking for the existence of virtual machine products and checking disk space and the number of physical processors, AT&T Alien Labs notes.
"If the machine passes the malware AntiVM tests, FatalRAT will then start its malicious activity. First, it decrypts each of the configuration strings separately. These configuration strings include the C2 address, new malware file name, service name, and other settings," says Ofer Caspi, a security researcher at Alien Labs.
An AntiVM test detects virtual machine configuration files, executables, registry entries or other indicators to manipulate their original execution flow.
The RAT also disables the user's ability to lock the computer through the CTRL+ALT+DELETE command by using the registry key DisableLockWorkstation. Once the computer lockdown is disabled, the malware activates a keylogger.
"FatalRat can persist either by modifying the registry or by creating a new service," Caspi says. "If persistence is done by modifying the registry, it will create the value 'SoftwareMicrosoftWindowsCurrentVersionRunSVP7' to execute the malware at boot time. When using setting service for persistence, FatalRat will retrieve the description from its configuration."
The malware then collects information, such as external IP address, username and other information about the victim from the infected machine and sends it to the C2 server.
As a defense evasion technique, the malware identifies all security products running on the machine by iterating through all running processes and searching for the existence of a predefined list of security products, the researchers note. And to make it easier for the attacker to detect which security products are installed, the RAT converts the process name to a product name before sending the list to the C2 server, the researchers say.
"To communicate back to the C2, the malware uses an arithmetic routine to encrypt the data sent between the victim and the attacker. This encryption includes a one-byte XOR key and the addition of a constant to the obtained value," they add.
The encrypted message is then sent to the C2 through port 8081 and awaits the attacker’s command.
"The malware has several routines to handle different browsers," Caspi notes. "Some of these routines include deleting user information for specific browsers (Edge, 360Secure Browser, QQBrowser, SogouBrowser, and Firefox). For Chrome, it will query for user information and then delete the content. Deleting saved information will force the user to input, for example, user and password, which the malware can capture with its keylogger."
The malware also spreads on the victim's network by brute-forcing weak passwords. It then copies itself to the dedicated folder as %Folder%hackshen.exe and executes the copied file remotely. It either steals stored data - on Chrome, for example - or deletes saved information with a handler for different browsers.
FatalRAT commands include functions such as keylogger, change resolution, uninstall UltraViewer, download and install AnyDesk. It executes shell commands, modifies registry keys and can download and execute a file.
In another recent example of attackers leveraging Telegram, security firm Cofense in February discovered a phishing campaign that attempted to steal victims' credentials by abusing Telegram's API (see: Fraudsters Using Telegram API to Harvest Credentials). It was used to create malicious domains that help bypass security tools such as secure email gateways (see: Researchers Found Flaws in Telegram's Cryptographic Protocol).
In September 2020, security firm Malwarebytes found that fraudsters were using Telegram to sweep up payment card data from victims using Base64 encoding strings in conjunction with a bot (see: Fraudsters Use Telegram App to Steal Payment Card Data).
And late in 2019, researchers at Juniper Threat Labs found hackers targeting victims by using a Trojan that created a secure Telegram channel to send data back to the attackers' command-and-control server.