Malware Analysis T-RAT 2.0: Malware control via smartphone

struppigel

My analysis on T-RAT has been published. It took quite some time because the RAT has 98 commands, all of which are listed in the appendix of the article.

Malware sellers want to attract customers with convenience features. Now criminals can remote control malware during their bathroom routine by just using a smartphone and Telegram app.

The researcher @3xp0rtblog discovered T-RAT 2.0 and posted about it on Twitter, including a sample hash and selling threads on Russian forums. One extravagant advertisement is shown below.
[...]
The Russian text praises comfort and convenience while using T-RAT because it can be controlled via smartphone with Telegram app.


[Image: TRAT_SellPhotopt2.png]

sepik

Hello,
Just wondering... "The downloader persists sihost.exe by scheduling a daily task". I have a HIPS software that notifies me if a program makes a new task scheduler entry. So if I block that scheduling entry, does it make the whole T-RAT unusable?

Kind regards,
-sepik

struppigel

sepik said:
Hello,
Just wondering... "The downloader persists sihost.exe by scheduling a daily task". I have a HIPS software that notifies me if a program makes a new task scheduler entry. So if I block that scheduling entry, does it make the whole T-RAT unusable?

Kind regards,
-sepik

For this specific sample, you will prevent persistence by the downloader.
The malware will get downloaded and executed, but if you now restart your system, the attacker cannot connect to the malware since it isn't running.
Now it depends if the attacker used the time between infection and restart to persist T-RAT in a different way.
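The persistence mechanism discussed above (a scheduled task launching a file named sihost.exe) is something a defender can audit after the fact. The script below is an added example and not code from the article or from anyone in this thread; it assumes only that the legitimate sihost.exe lives in %SystemRoot%\System32, and since the sample's task name and drop path are not given here, it keys purely on the file name and its location.

```powershell
# Added example: list scheduled tasks whose action launches a binary named
# sihost.exe from anywhere other than %SystemRoot%\System32. The thread
# describes the T-RAT downloader persisting sihost.exe via a daily task; the
# task name and drop path of the sample are not on this page, so the check
# is name- and path-based only (assumption: the real binary is in System32).
$legitSihost = Join-Path $env:SystemRoot 'System32\sihost.exe'

function Get-SuspiciousSihostTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry an Execute property; skip COM-handler actions.
            $exe = $action.Execute
            if (-not $exe) { continue }
            # Expand %VAR% references and strip surrounding quotes before comparing.
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if ([IO.Path]::GetFileName($exe) -ine 'sihost.exe') { continue }
            # A bare "sihost.exe" (no directory) would be resolved through PATH,
            # so anything that is not the exact System32 path is flagged.
            $suspicious = ($exe -ine $legitSihost)
            # Note whether the task has a daily trigger, as described in the thread.
            $daily = $task.Triggers | Where-Object {
                $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger'
            }
            [PSCustomObject]@{
                TaskName     = $task.TaskName
                TaskPath     = $task.TaskPath
                Execute      = $exe
                Arguments    = $action.Arguments
                DailyTrigger = [bool]$daily
                Author       = $task.Author
                Suspicious   = $suspicious
            }
        }
    } | Where-Object { $_.Suspicious }
}

Get-SuspiciousSihostTasks | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so tasks registered by other accounts are included; an empty result means no task launches a sihost.exe outside System32, not that the host is clean.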

sepik

"It is very difficult to analyze this virus, because all 9Kb of its code are full of program traps hampering a trace, disassembling and analysis the virus. If the virus listing is to be printed, you should check a dozen special programming methods (dynamic de/enciphering, dummies, use of conveyor, code cipher nesting and so on). As a file is infected, the encrypted virus body is written to it so as a decipher should check 30 variants. That is, you have to use 30 masks to find the virus in the file."

There are a lot of other strange things that this virus can do; the above is just the basic one.
This virus, back in the day (1990 era), was the most sophisticated virus ever made, and nowadays it's still not properly reversed what it actually does. It's an art of coding and one of the parasitic/mutation viruses ever made.

For me, it's an art.

Kind regards,
-sepik
