Infamous T-RAT Trojan 2.0 Released into the Wild Sporting Control via Mobile Devices


Saturday, October 24th, 2020

T-RAT is an infamous trojan capable of covert surveillance, backdoor administrative control, and unfettered, unauthorized remote access to a victim’s machine. Known generically as a ‘remote access trojan’, or RAT for short, this type of malware is especially dangerous because it gives intruders remote control of the compromised computer. The new version, known simply as T-RAT 2.0, stands out among other RATs by letting threat actors control infected systems through a Telegram channel rather than a web-based administration panel. What does this mean?

Users of T-RAT 2.0 can control your computer from their smartphone.

The malware is available for sale on Russian-based forums for only $45. The author of this new version claims that mobile access gives buyers faster and easier access to infected computers from any location, allowing threat actors to activate data-stealing features as soon as a victim is infected, before the RAT’s presence is discovered.

To achieve all this, the RAT’s Telegram channel supports 98 commands that, when typed inside the main chat window, allow the RAT’s owner to retrieve browser passwords and cookies, navigate the victim’s filesystem and search for sensitive data, deploy a keylogger, record audio via the microphone, take screenshots of the victim’s desktop, take pictures via webcam, and retrieve clipboard contents.

T-RAT can also run commands in CMD and PowerShell, block access to certain websites (useful for blocking antivirus and tech-support sites), kill processes such as security and debugging software, and even disable the taskbar and Task Manager. Secondary command-and-control channels are available via RDP or VNC, but the Telegram feature is the main draw for potential buyers, mainly because of its ease of use and installation.

Remote access trojans are notoriously difficult to detect. The best defense is antivirus software that is kept fully updated with the latest malware signatures; the indicators listed below can also be used to check a host directly.


Indicators of Compromise:

  • Sample Hashes
  • IoCs for Downloader
    • Download URL
      • hxxps://hgfhhdsf.000webhostapp.com/1DJjnw.jpg
    • Download Location
      • %TEMP%/gfdggfd.jpg
    • Decrypted Download
      • %TEMP%/hrtghgesd.zip
    • Scheduled Task
      • for sihost.exe, task name is the processor ID of infected system
  • IoCs for T-RAT
    • File Name
      • sihost.exe
    • Mutex
      • srvhost
    • Creates Processes
      • winserv1.exe, winserv2.exe, in.exe
    • IFEO Debugger
      • fghdshdzfhgsdfh.exe
    • User Account on System
      • usr[1000-10000], e.g., usr3432
    • Data Folder
      • %TEMP%/winsys/
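A host triage script for the indicators listed above, added here as an example; it is not code from the article or from the malware’s author. It assumes an elevated PowerShell 5.1 or later session on the suspect Windows host (so Get-LocalUser, Get-ScheduledTask and Get-CimInstance are available); that the mutex may live in either the session or the Global namespace, and that the legitimate sihost.exe is %SystemRoot%\System32\sihost.exe, are my assumptions rather than statements from the article.

```powershell
# Added triage script, not code from the article or from the malware; checks a
# Windows host for the T-RAT 2.0 indicators listed above. Run from an elevated
# PowerShell 5.1+ session. Assumption (mine, not the article's): the legitimate
# Shell Infrastructure Host is %SystemRoot%\System32\sihost.exe, so any other
# sihost.exe is suspect.
$findings = @()

# IFEO "Debugger" value registered for the odd executable name in the IoC list
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fghdshdzfhgsdfh.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    $findings += "IFEO entry for fghdshdzfhgsdfh.exe (Debugger = '$dbg')"
}

# Downloader artifacts and the RAT's data folder under %TEMP%
foreach ($p in "$env:TEMP\gfdggfd.jpg", "$env:TEMP\hrtghgesd.zip", "$env:TEMP\winsys") {
    if (Test-Path $p) { $findings += "Artifact on disk: $p" }
}

# sihost.exe running from anywhere but System32, plus the RAT's child processes
Get-Process -Name 'sihost' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ne "$env:SystemRoot\System32\sihost.exe" } |
    ForEach-Object { $findings += "sihost.exe outside System32: $($_.Path) (PID $($_.Id))" }
Get-Process -Name 'winserv1', 'winserv2', 'in' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Suspicious process $($_.ProcessName) (PID $($_.Id)): $($_.Path)" }

# Mutex "srvhost": the article does not say which namespace, so probe both
foreach ($name in 'srvhost', 'Global\srvhost') {
    try { [System.Threading.Mutex]::OpenExisting($name).Dispose(); $findings += "Mutex '$name' is held" }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { }   # not present, nothing to report
    catch [System.UnauthorizedAccessException] { $findings += "Mutex '$name' exists (access denied)" }
}

# Local account named usrNNNN with 1000 <= NNNN <= 10000
Get-LocalUser | Where-Object { $_.Name -match '^usr(\d+)$' -and [int]$Matches[1] -ge 1000 -and [int]$Matches[1] -le 10000 } |
    ForEach-Object { $findings += "Local account matching the T-RAT pattern: $($_.Name)" }

# Scheduled task named after the CPU's ProcessorId, or any task that launches sihost.exe
$cpuId = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).ProcessorId
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -eq $cpuId -or ($_.Actions | Where-Object { $_.Execute -like '*sihost.exe' }) } |
    ForEach-Object { $findings += "Scheduled task '$($_.TaskName)' in $($_.TaskPath)" }

if ($findings.Count -eq 0) { 'No T-RAT 2.0 host indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any single check warrants a full investigation of the host rather than just removing the named artifact, since the RAT’s Telegram channel lets the operator re-deploy as soon as it regains control.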