Security researchers have discovered a new remote access trojan (RAT) being advertised on Russian-speaking underground hacking forums.
Named T-RAT, the malware is available for only $45, and its primary selling point is the ability to control infected systems via a Telegram channel, rather than a web-based administration panel.
It’s author claims this gives buyers faster and easier access to infected computers from any location, allowing threat actors to activate data-stealing features as soon as a victim is infected, before the RAT’s presence is discovered.
For this, the RAT’s Telegram channel supports 98 commands that, when typed inside the main chat window, allow the RAT owner to retrieve browser passwords and cookies, navigate the victim’s filesystem and search for sensitive data, deploy a keylogger, record audio via the microphone, take screenshots of the victim’s desktop, take pictures via webcam, and retrieve clipboard contents.
Furthermore, T-RAT owners can also deploy a clipboard hijacking mechanism that replaces strings that look like cryptocurrency and digital currency addresses with alternatives, allowing the attacker to hijack transactions for payment solutions like Qiwi, WMR, WMZ, WME, WMX, Yandex money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin, and Tron.
In addition, the RAT can also run terminal commands (CMD and PowerShell), block access to certain websites (such as antivirus and tech support sites), kill processes (security and debug software), and even disable the taskbar and the task manager.
Secondary command and control systems are available via RDP or VNC, but the Telegram feature is the one advertised to buyers, mainly because of the ease of installation and use.
Telegram becoming popular as a malware C&C channel
Although many RATs are often inflated in their ads, T-RAT’s capabilities were confirmed in an analysis by G DATA security researcher Karsten Hahn.
Speaking to ZDNet, Hahn said T-RAT is just the latest in a string of recent malware families that come with a control-by-Telegram capability.
The use of Telegram as a command and control system has been trending up in recent years, and T-RAT isn’t even the first RAT to implement such a model.
Previous ones include RATAttack (uploaded and removed from GitHub in 2017, targeted Windows), HeroRAT (used in the wild, targets Android), TeleRAT (used in the wild against Iranians, targets Android), IRRAT (used in the wild, targets Android), RAT-via-Telegram (available on GitHub, targets Windows), and Telegram-RAT (available on GitHub, targets Windows).
Distribution vector remains unknown
For now, the threat from T-RAT is relative low. It usually takes a few months before threat actors learn to trust a new commercial malware strain; however, Hahn believes the RAT is already gaining a following.
“There are regular uploads of new T-RAT samples to VirusTotal,” Hahn told ZDNet. “I would assume it is in distribution but have no further evidence of it.”
But T-RAT isn’t the only new RAT offered for sale these days. According to Recorded Future, there’s another new RAT advertised on hacking forums called Mandaryna.