Information Security
24 September 2019

Digital Forensics Tips&Tricks: Telegram IM-based RAT — Part I

Did you know that Telegram IM is becoming more and more popular as a toolkit for illegal activities?
There are a lot of hidden channels and bots with illegal and pirated content. I can recommend an article where some of these points are described in depth.

But my point of interest is the use of Telegram as a Remote Access Toolkit (RAT).

I see a potentially big field for attackers here, for at least two reasons:

  • Telegram is a completely legal product, and its agent doesn't look suspicious to antivirus software

  • There is a lot of information about «How To Use Telegram as a RAT», with detailed instructions on YouTube and other Internet resources

So anyone can download such a tool from GitHub or elsewhere and try to use the IM as a RAT.

And here are some video manuals:

Ok, now you see: it's not so hard to download a Telegram-based RAT and understand how to use it. Moreover, almost all of these projects are written in Python, so anyone can compile the Python code into an .exe using tools like pyinstaller or similar.

In the end you'll get — BOOM! — an executable RAT tool which is undetectable by antiviruses!
Cool, heh?

Here are some capabilities of mvrozanti/RAT-via-Telegram, for instance:

arp - display arp table
capture_pc - screenshot PC
cmd_exec - execute shell command
cp - copy files
cd - change current directory
delete - delete a file/folder
download - download file from target
decode_all - decode ALL encoded local files
dns - display DNS Cache
encode_all - encode ALL local files
freeze_keyboard - enable keyboard freeze
unfreeze_keyboard - disable keyboard freeze
get_chrome - Get Google Chrome's login/passwords
hear - record microphone
ip_info - via ipinfo.io
keylogs - get keylogs
ls - list contents of current or specified directory
msg_box - display message box with text
mv - move files
pc_info - PC information
ping - makes sure target is up
play - plays a youtube video
proxy - opens a proxy server
pwd - show current directory
python_exec - interpret python
reboot - reboot computer
run - run a file
schedule - schedule a command to run at specific time
self_destruct - destroy all traces
shutdown - shutdown computer
tasklist - display services and processes running
to - select targets by it's name
update - update executable
wallpaper - change wallpaper

An attacker can customize the RAT (change the icon, add a certificate, etc.), then compile it and send it as a phishing email attachment. What's next? Anything!

Search for files (even on network drives), execute apps and scripts, upload and download documents, receive keylogs, blah-blah — anything!

Of course, the attacker needs the infected workstation to have Internet access. But I think that's not a big deal, for several reasons.

Ok, the main question is: how to detect that a Telegram RAT has been used, or is being used right now, on a workstation?

1. Modern malware is mostly created for long-term exploitation of IT infrastructure, so try to find persistence points. The common way is to check the autorun keys:

On this screenshot you see an application with an Adobe icon, but it has a non-standard name and location. Check it on VirusTotal or a related service if you find something like this.

By the way, here are the results of checking the Telegram-based RAT executable. As you can see, only a minor part of the engines detected it as suspicious.

2. Since something strange was found in the autorun, the next obvious step is to check the process list. Here we've found the Adobe-like process with an active network session:

Ok, let's check this IP address… And — BOOM! — it's a Telegram IP.

3. How to find out the behaviour of this process? Try Process Monitor!

To get a more comfortable view, don't forget to filter by process and by filesystem operations:

You can see a lot of different operations on files and folders, and some filenames give us important information about the process's functions (win32clipboard.pyd).

Moreover, we noticed that the active process creates a number of temporary Python files. We can use this knowledge later in the investigation.
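As an added triage example (not part of the original post or of any RAT project), this Python script scans a Process Monitor CSV export for processes that load Python extension modules or the interpreter DLL from a PyInstaller "_MEIxxxx" temporary folder, which is the pattern behind the temporary Python files seen above; the CSV rows, the process name AdobeUpdate.exe and all paths are constructed, not taken from the real capture.

```python
"""Triage a Process Monitor CSV export for PyInstaller-packed processes.

A Python RAT compiled with PyInstaller (onefile mode) unpacks its interpreter
DLL and extension modules (*.pyd) into a fresh _MEIxxxx folder under %TEMP%
at start-up, so a process touching such files deserves a closer look.
"""
import csv
import io
import re
from collections import defaultdict

# Matches a PyInstaller bootloader extraction directory, e.g. ...\Temp\_MEI45122\
MEI_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)
# File types that only a Python runtime would load from there.
PY_ARTIFACT = re.compile(r"\.(pyd|pyc)$|\\python\d+\.dll$", re.IGNORECASE)


def find_pyinstaller_processes(procmon_csv: str) -> dict:
    """Return {process name: sorted Python artefacts it touched inside a _MEI dir}."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        path = row.get("Path", "")
        if MEI_DIR.search(path) and PY_ARTIFACT.search(path):
            hits[row["Process Name"]].add(path.rsplit("\\", 1)[-1].lower())
    return {proc: sorted(files) for proc, files in hits.items()}


# Constructed sample in Procmon's CSV export column layout (not a real capture).
SAMPLE = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,AdobeUpdate.exe,4120,CreateFile,C:\\Users\\bob\\AppData\\Local\\Temp\\_MEI45122\\python37.dll,SUCCESS,Desired Access: Read
10:01:02.2,AdobeUpdate.exe,4120,Load Image,C:\\Users\\bob\\AppData\\Local\\Temp\\_MEI45122\\win32clipboard.pyd,SUCCESS,Image Base: 0x1000
10:01:02.3,AdobeUpdate.exe,4120,CreateFile,C:\\Users\\bob\\AppData\\Local\\Temp\\_MEI45122\\_ssl.pyd,SUCCESS,Desired Access: Read
10:01:03.0,explorer.exe,1764,CreateFile,C:\\Windows\\System32\\shell32.dll,SUCCESS,Desired Access: Read
10:01:03.5,python.exe,2210,Load Image,C:\\Python37\\DLLs\\_socket.pyd,SUCCESS,Image Base: 0x2000
"""

if __name__ == "__main__":
    # A regular python.exe loading .pyd files from its install dir is not flagged;
    # only the process unpacking a runtime into a _MEI temp folder is reported.
    for proc, files in find_pyinstaller_processes(SAMPLE).items():
        print(f"{proc}: Python runtime unpacked to a _MEI temp dir -> {', '.join(files)}")
```

On a real case, export the filtered Procmon capture with File > Save as CSV and feed the file contents to find_pyinstaller_processes(); the flagged process name is the one to correlate with the autorun entry and the network session.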

4. For instance, there are two ways to find out when the RAT was started for the first time:

  • Check the process's network usage statistics from SRUM using NetworkUsageView

Ok, now you have the exact date and can continue your investigation to find out where this file came from: check the browser history, check whether email attachments were opened and executed in this period, etc.

Thank you again for your attention! I'll be back soon with more good stuff!
