struppigel

Moderator
Verified
Staff member
My analysis on T-RAT has been published. It took quite some time because the RAT has 98 commands, all of which are listed in the appendix of the article.

Malware sellers want to attract customers with convenience features. Now criminals can remote control malware during their bathroom routine by just using a smartphone and Telegram app.

The researcher @3xp0rtblog discovered T-RAT 2.0 and posted about it on Twitter, including a sample hash and selling threads on Russian forums. One extravagant advertisement is shown below.
[...]
The Russian text praises comfort and convenience while using T-RAT because it can be controlled via smartphone with Telegram app.

struppigel

Moderator
Verified
Staff member
Hello,
Just wondering... "The downloader persists sihost.exe by scheduling a daily task". I have a HIPS software that notifies me if a program makes a new task scheduler entry. So if I block that scheduling entry, does it make the whole T-RAT unusable?

Kind regards,
-sepik

For this specific sample, you will prevent persistence by the downloader.
The malware will get downloaded and executed, but if you now restart your system, the attacker cannot connect to the malware since it isn't running.
Now it depends if the attacker used the time between infection and restart to persist T-RAT in a different way.
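The exchange above hinges on one scheduled task that relaunches a file named sihost.exe after a reboot. The following PowerShell snippet is an added example, not code from the thread or from the T-RAT analysis: it enumerates every scheduled task and reports those whose action launches a binary called sihost.exe, marking whether the path is the genuine Windows copy (C:\Windows\System32\sihost.exe, assumed here as the only legitimate location). The task name and the dropped file's path are not given in the thread, so the filter works on the action's executable name rather than on a specific task. Run it from an elevated PowerShell session so that tasks registered by other users are included.

```powershell
# Added example (not from the thread): hunt scheduled tasks that launch a file
# named sihost.exe, the persistence mechanism described for the T-RAT downloader.
# Assumption: the only legitimate sihost.exe lives in %SystemRoot%\System32.
$legit = Join-Path $env:SystemRoot 'System32\sihost.exe'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec-style actions carry an Execute property; skip COM handler actions.
        if (-not $action.Execute) { continue }
        if ($action.Execute -notmatch 'sihost\.exe') { continue }

        # Normalise quoting and environment variables before comparing paths.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))

        [pscustomobject]@{
            TaskName   = $task.TaskName
            TaskPath   = $task.TaskPath
            Execute    = $exe
            Arguments  = $action.Arguments
            Triggers   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            # Genuine sihost.exe is started by the session manager, not by a task,
            # so even a System32 path deserves a second look; a non-System32 path is a red flag.
            Suspicious = ($exe -ne $legit)
        }
    }
} | Format-List
```

A hit with Suspicious set to True and an MSFT_TaskDailyTrigger in the Triggers column matches the "daily task" described in the thread. Unregistering the task removes that persistence route, but, as struppigel notes, it does not tell you whether the operator established persistence some other way while the RAT was still running.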

sepik

Level 10
"It is very difficult to analyze this virus, because all 9Kb of its code are full of program traps hampering a trace, disassembling and analysis the virus. If the virus listing is to be printed, you should check a dozen special programming methods (dynamic de/enciphering, dummies, use of conveyor, code cipher nesting and so on). As a file is infected, the encrypted virus body is written to it so as a decipher should check 30 variants. That is, you have to use 30 masks to find the virus in the file."

There are a lot of other strange things this virus can do; the above is just the basics of what this virus can do.
Back in its time (the 1990 era), this virus was the most sophisticated virus ever made, and nowadays it still hasn't been properly reversed to learn what it actually does. It's an art of coding and one of the parasitic/mutation viruses ever made.

For me, it's an art.

Kind regards,
-sepik