T-RAT 2.0: Malware control via smartphone
#1
Bug 
Quote:

Malware sellers want to attract customers with convenience features. Now criminals can remote control malware during their bathroom routine by just using a smartphone and Telegram app.

Advertisements on Russian forums

The researcher @3xp0rtblog discovered T-RAT 2.0 and posted about it on Twitter, including a sample hash and selling threads on Russian forums. One extravagant advertisement is shown below.

The images below each show a section of a 1000x5429 advertisement banner posted on lolz.guru (found and reported by 3xp0rtblog). The Russian text praises the comfort and convenience of using T-RAT because it can be controlled via smartphone with the Telegram app.

Infection chain and persistence

The first known stage of infection is the downloader [4]. It obtains an encrypted file [6] from hxxps://hgfhhdsf.000webhostapp.com/1DJjnw(dot)jpg and saves it to %TEMP%/gfdggfd.jpg.

For decrypting the payload, the downloader applies XOR with the key 0x01. The resulting file is a ZIP archive which it saves to %TEMP%/hrtghgesd.zip. The downloader proceeds to delete %TEMP%/gfdggfd.jpg and extracts the ZIP archive. Side note: both hardcoded names consist of characters whose keys are right beside each other on a QWERTY keyboard, so the threat actor likely just rolled a body part over the keyboard to create them.

The location of the extracted malware is determined as follows:

1) The downloader checks if the current user has administrator rights. If they have, the first part of the path is one of the following (chosen randomly):
  • %APPDATA%\Microsoft\Windows\
  • %USERPROFILE%\Windows\System32\
  • %LOCALAPPDATA%\Microsoft\Windows\
If they don't have administrator rights, the first part of the path is one of the following:
  • %SYSTEM%\Microsoft\Protect\
  • %COMMONAPPDATA%\Microsoft\Windows\
  • %USERPROFILE%\AppData\LocalLow\Microsoft\Windows\
  • C:\Windows\assembly\GAC\
2) For the second part of the malware path the downloader generates a random number between 347 and 568203, converts that to a string, then generates the hash using either MD5, SHA1 or SHA256. It uses the hash's hexadecimal representation as the second part of the malware path.

The archive contains the actual T-RAT executable, named sihost.exe, as well as several DLLs that the RAT needs. Some notable libraries are the Telegram.Bot.dll and socks5.dll.

A subfolder named service contains six more files (hashes are in the IoC listing).

Filename        Description
conv.exe        High Performance MPEG 1.0/2.0/2.5 Audio Player
in.exe          RDP Wrapper
ultravnc.ini    UltraVNC configuration file
vnchooks.dll    UltraVNC - VNCHooks DLL
winserv1.exe    VNC Server 32 bit
winserv2.exe    VNC Server 64 bit

The downloader persists sihost.exe by scheduling a daily task. The name for the task is the processor ID of the system. If the current user has admin rights, it will set the run level to HIGHEST. Afterwards the downloader deletes itself with the help of a Batch file.
...
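The quoted write-up describes two things a responder can check mechanically: whether a fetched blob really is the XOR-0x01 ZIP stage, and whether a suspicious directory name under one of the listed base paths is the hex hash of an integer in the stated range. The script below is an added example written for this thread, not code from G Data or from the malware; the base-path list and the range are taken from the post as written, the helper names and the sample bytes are constructed here.

```python
import hashlib
import os
from pathlib import Path

# Hex-digest length fixes which of the three described algorithms was used.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
RANGE_LOW, RANGE_HIGH = 347, 568203     # random-number range quoted in the post
ZIP_MAGIC = b"PK\x03\x04"               # ZIP local-file-header signature

# Base directories as the post lists them (%SYSTEM% / %COMMONAPPDATA% are the
# post's spellings and only expand if such variables exist on the host).
BASE_DIRS = [
    r"%APPDATA%\Microsoft\Windows",
    r"%USERPROFILE%\Windows\System32",
    r"%LOCALAPPDATA%\Microsoft\Windows",
    r"%SYSTEM%\Microsoft\Protect",
    r"%COMMONAPPDATA%\Microsoft\Windows",
    r"%USERPROFILE%\AppData\LocalLow\Microsoft\Windows",
    r"C:\Windows\assembly\GAC",
]


def decode_stage_two(blob: bytes) -> bytes:
    """Undo the single-byte XOR (key 0x01) the downloader applies to the file."""
    return bytes(b ^ 0x01 for b in blob)


def is_zip(data: bytes) -> bool:
    return data.startswith(ZIP_MAGIC)


def dirname_for(n: int, algo: str) -> str:
    """Reproduce the naming scheme: hex digest of the decimal string of n."""
    return hashlib.new(algo, str(n).encode("ascii")).hexdigest()


def explain_dirname(name: str):
    """Return (n, algo) if name hashes an integer in the described range, else None.
    Brute force is cheap: the length picks the algorithm, leaving ~568k candidates."""
    algo = HEX_LENGTHS.get(len(name))
    if algo is None or set(name) - set("0123456789abcdef"):
        return None
    for n in range(RANGE_LOW, RANGE_HIGH + 1):
        if dirname_for(n, algo) == name:
            return n, algo
    return None


def find_candidate_dirs(bases=BASE_DIRS, exe="sihost.exe"):
    """List <base>\\<hex-named subdir>\\sihost.exe paths present on this host."""
    hits = []
    for base in bases:
        root = Path(os.path.expandvars(base))
        if root.is_dir():
            for sub in root.iterdir():
                if len(sub.name) in HEX_LENGTHS and (sub / exe).is_file():
                    hits.append(sub / exe)
    return hits
```

Run `explain_dirname()` on each hit's directory name to confirm it was produced by the described scheme rather than being a legitimate hash-named folder.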