New Malware “FatalRAT” Using Telegram Channels to Move About

silversurfer

  • A new powerful and sophisticated malware named “FatalRAT” has appeared in the wild, spreading on Telegram.
  • The RAT can detect where it’s running, what security tools are deployed, and what browsers it needs to target.
  • The main goal is to exfiltrate credentials from the victims using a keylogger and encrypted communications.
A new malware called “FatalRAT” has appeared in the wild. It is a very sophisticated remote access tool that can perform a wide range of evasion, persistence, logging, and info-collecting tasks. The discovery was the work of AT&T Alien Labs, which sampled the malware and analyzed it thoroughly. For now, there has been no specific attribution for the campaign that distributes the new RAT, but AT&T’s report does contain indicators of compromise, such as C2 IP addresses.

FatalRAT starts its execution by running several pre-injection tests to confirm that it’s not running inside of an analyst’s virtual machine. If it confirms that it’s not, it decrypts its configuration strings and connects to the command and control address. After that, the malware performs a registry key edit to disable the ability to lock the computer, and then a keylogger is activated. The persistence is achieved either by a second registry modification or by creating a new service set to initiate upon system boot. The malware also checks if any security products are running on the device.
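A defender's view of the chain described above, as an added example that is not part of the original post or of the AT&T report: it flags hosts where a registry write disabling workstation locking is followed or preceded closely by a persistence write (Run key or auto-start service). The post names no keys, so the registry paths, the simplified event fields (`ts`, `host`, `target`, `value`), the five-minute window and the sample events are all assumptions made for illustration.

```python
import re

# Assumed registry locations for the behaviours described above; the post
# names no keys. These are standard Windows paths, not IoCs from the report.
PATTERNS = {
    "lock_disabled": re.compile(r"\\Policies\\System\\DisableLockWorkstation$", re.I),
    "persist_run_key": re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I),
    "persist_service": re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\Start$", re.I),
}
WINDOW_SECONDS = 300  # hypothetical correlation window

def classify(event):
    """Tag one registry value-set event, or return None if uninteresting."""
    for tag, pattern in PATTERNS.items():
        if not pattern.search(event["target"]):
            continue
        if tag == "lock_disabled" and event["value"] != 1:
            return None  # 0 leaves workstation locking enabled
        if tag == "persist_service" and event["value"] != 2:
            return None  # only Start=2 (automatic) launches at boot
        return tag
    return None

def correlate(events):
    """Hosts with lock-disable and persistence writes within WINDOW_SECONDS.
    Keyed on host, not process: service keys are usually written by services.exe."""
    tagged = [(e["ts"], e["host"], classify(e)) for e in events]
    locks = [(ts, host) for ts, host, tag in tagged if tag == "lock_disabled"]
    hits = set()
    for ts, host, tag in tagged:
        if tag and tag.startswith("persist") and any(
            h == host and abs(ts - lts) <= WINDOW_SECONDS for lts, h in locks
        ):
            hits.add(host)
    return sorted(hits)

CV = r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion"
SVC = r"HKLM\System\CurrentControlSet\Services"
SAMPLE_EVENTS = [  # constructed for illustration
    {"ts": 1000, "host": "ws-01", "target": CV + r"\Policies\System\DisableLockWorkstation", "value": 1},
    {"ts": 1030, "host": "ws-01", "target": CV + r"\Run\Updater", "value": r"C:\Temp\u.exe"},
    {"ts": 2000, "host": "ws-02", "target": CV + r"\Run\Chat", "value": r"C:\Apps\chat.exe"},
    {"ts": 3000, "host": "ws-03", "target": CV + r"\Policies\System\DisableLockWorkstation", "value": 1},
    {"ts": 3100, "host": "ws-03", "target": SVC + r"\SvcX\Start", "value": 2},
    {"ts": 4000, "host": "ws-04", "target": CV + r"\Policies\System\DisableLockWorkstation", "value": 1},
    {"ts": 9000, "host": "ws-04", "target": CV + r"\Run\Sync", "value": r"C:\Apps\sync.exe"},
]
if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Either write alone is common on healthy machines (installers add Run keys, policy can disable locking), which is why the example alerts only on the combination.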
 
