Skip to main content

T-RAT Remote Access Trojan

T-RAT is a new remote access trojan that uses the Telegram secure messaging service to receive commands in order to evade traditional detection methods.

Threat ID:
CC-3654
Category:
Trojan
Threat Severity:
Medium
Published:
29 October 2020 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

T-RAT is a new remote access trojan that uses the Telegram secure messaging service to receive commands in order to evade traditional detection methods.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

First observed in late September 2020, T-RAT is a commercial remote access trojan that uses Telegram channels in place of a more traditional server-based command and control infrastructure.

Delivery

As T-RAT is sold directly to affiliate users, they may delivery it in whatever manner they choose. At the time of publication, it has been observed being distributed both in spam email campaigns and through malvertising sites.

Both vectors drop an initial dropper package which is unique to each affiliate user. This dropper then connects to an attacker-controlled server to download and install the T-RAT executable.

Activities

Once installed, T-RAT will connect to a hard-coded URL that links to the attacker's Telegram channel where it will await further commands. By default, T-RAT is able to:

  • extract files and directories
  • navigate the affected file system
  • terminate process
  • disable taskbar and Task Manager
  • launch PowerShell terminals
  • initiate VNC sessions
  • copy content from the clipboard
  • log keystrokes and record audio from connected microphones
  • take screenshots
  • bypass UAC

 

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

URLs

  • hgfhhdsf.000webhostapp.com/1DJjnw[.]jpg
Host indicators

Filenames

  • sihost.exe

SHA256 hashes

  • 0388c08ae8bf8204ed609a4730a93a70612d99e66f1d700c2edfb95197ab7cc9
  • 27dcb69c1d010da7d1f359523b398e14e0af0dd5bad1a240734a31ffce8b9262
  • 912913d897dd2f969fbcbdb54dde82e54f287ade97725380232dce664417c46c
  • 96ba1d40eb85f60a20224e199c18126b160fe165e727b7dee268890dc5148c68
  • 9fe677aa81790414db3187bba2e159c5aafda6dc0411fbd5d4786b7e596143f3
  • ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
  • b6093289ff0470053bd7dde771fa3a6cd21dae99fc444bfebcd33eb153813263
  • c1316ac68d5f3f5ec080d09ffc7c52670a7c42672f0233b9ef50e4b739bd0586
  • c8164ccc0cf04df0f111d56d7fb717e6110f8dee77cfc3ef37507f18485af04d
  • dfa35a3bed8aa7e30e2f3ad0927fa69adecb5b6f4c8a8535b05c28eacbd0dad8
  • e7604cc2288b27e29f1c0b2aeade1af486daee7b5c17b0478ce336dcdbeee2f1

 

 

Last edited: 29 October 2020 3:56 pm