Malware Analysis T-RAT 2.0: Malware control via smartphone

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
My analysis on T-RAT has been published. It took quite some time because the RAT has 98 commands, all of which are listed in the appendix of the article.

Malware sellers want to attract customers with convenience features. Now criminals can remote control malware during their bathroom routine by just using a smartphone and Telegram app.

The researcher @3xp0rtblog discovered T-RAT 2.0 and posted about it on Twitter, including a sample hash and selling threads on Russian forums. One extravagant advertisment is shown below.
[...]
The Russian text praises comfort and convenience while using T-RAT because it can be controlled via smartphone with Telegram app.


TRAT_SellPhotopt2.png
 

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
Hello,
Just wondering..."The downloader persists sihost.exe by scheduling a daily task". I have a HIPS software that notify me if a program makes new task scheduler entry. So if i block that scheduling entry, does it make whole T-Rat unusable?

Kind regards,
-sepik
 

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
Hello,
Just wondering..."The downloader persists sihost.exe by scheduling a daily task". I have a HIPS software that notify me if a program makes new task scheduler entry. So if i block that scheduling entry, does it make whole T-Rat unusable?

Kind regards,
-sepik

For this specific sample, you will prevent peristence by the downloader.
The malware will get downloaded and executed, but if you now restart your system, the attacker cannot connect to the malware since it isn't running.
Now it depends if the attacker used the time between infection and restart to persist T-RAT in a different way.
 

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
"It is very difficult to analyze this virus, because all 9Kb of its code are full of program traps hampering a trace, disassembling and analysis the virus. If the virus listing is to be printed, you should check a dozen special programming methods (dynamic de/enciphering, dummies, use of conveyor, code cipher nesting and so on). As a file is infected, the encrypted virus body is written to it so as a decipher should check 30 variants. That is, you have to use 30 masks to find the virus in the file."

There's a lot of other strange things what this virus can do, above one is basics one what this virus can do.
This virus was back in time (1990 era) is most sophisticated virus ever made and nowadays, it's still not properly reversed what it actually do. It's an art of coding and one of the parasitic/mutation viruses ever made.

For me, it's an art.

Kind regards,
-sepik
 
  • Like
Reactions: Protomartyr

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top