Cybercriminals are now able to infect Windows computers with a different type of malware that can be controlled using Telegram, a cloud-based encrypted messaging app that rivals WhatsApp. Twitter user @3xp0rtblog found T-RAT 2.0 being sold on Russian forums.
T-RAT 2.0 malware infects Windows machines
T-RAT 2.0 offers remote access to a Powershell or CMD terminal via Telegram, allowing hackers to control infected Windows machines. The images comprising Russian text promote the comfort of using T-RAT, courtesy of its remote control via Telegram feature.
New T-RAT 2.0 selling started on criminal forums.
sihost.exe:https://t.co/azgnqcJ1AYhttps://t.co/NyteD6nDiqhttps://t.co/OR1kHnU7yKhttps://t.co/aYMqpL5Udj – panel
Special thanks to @James_inthe_box.
Still information in the comments 👇 pic.twitter.com/i6umdSsvjC
— 3xp0rt (@3xp0rtblog) September 10, 2020
Can hackers target Windows machines via Telegram?
A cybersecurity company G-Data has elaborated on how T-RAT 2.0 can cause harm to Windows computers. ‘Downloader’ is the first-known stage of the T-RAT infection. Once the file is encrypted, it applies XOR with the key 0x01 for decryption.
The resulting file is a ZIP archive which is then saved to %TEMP%/hrtghgesd.zip.
The downloader then deletes %TEMP%/gfdggfd.jpg and extracts the ZIP archive.
“Both hardcoded names consist of characters whose keys are right besides each other on a QWERTY keyboard, so the threat actor likely just rolled a body part on the keyboard to create them,” G-Data Malware Analyst Karsten Hahn said in his explainer post.
If the downloader detects the user has administrator rights, the first part of the path is one of the following:
%APPDATA%\Microsoft\Windows\ %USERPROFILE%\Windows\System32\ %LOCALAPPDATA%\Microsoft\Windows\
In the absence of administrator rights, the first part of the path is one of the following:
%SYSTEM%\Microsoft\Protect\ %COMMONAPPDATA%\Microsoft\Windows\ %USERPROFILE%\AppData\LocalLow\Microsoft\Windows\ C:\Windows\assembly\GAC\
“For the second part of the malware path the downloader generates a random number between 347 and 568203, converts that to a string, then generates the hash either using MD5, SHA1 or SHA256. It uses the hash’s hexadecimal representation as second part of the malware path,” G-Data added.
The downloader uses “the hash’s hexadecimal representation as the second part of the malware path.” Finally, the archive consists of T-RAT executable sihost.exe in addition to several required DLLs. For example, Telegram.Bot.dll and socks5.dll.
T-RAT supports a total of 98 commands including menu navigation, file manager, stealer, clipper, monitoring and spying, disruption, remote control, and more.
