FatalRAT is another Trojan that uses Telegram channels to spread

Tomcat



A Trojan that gives operators remote access to the target device is being distributed via Telegram channels. According to researchers from AT&T Alien Labs, users may come across links to download the malware in news channels dedicated to software.
According to the experts' report, the RAT, named FatalRAT, can be launched on the victim's device remotely and can bypass security measures.
Once in the system, FatalRAT records keystrokes, collects information about the OS and transmits all data to operators via an encrypted channel. Over the past few months, experts from AT&T Alien Labs have observed the use of the Trojan in real attacks, but they have not yet been able to determine even an approximate number of victims of the malware.
One way or another, Telegram channels help FatalRAT reach a large audience of potential targets. As a reminder, unlike in groups, in Telegram channels only administrators can post messages, so all responsibility for the spread of the malware lies solely with them.
Before fully infecting the system, FatalRAT performs a series of checks: the malware tries to detect a virtual machine, counts the number of physical processors and determines the available disk space.
In addition, the Trojan completely disables the ability to use the CTRL + ALT + DELETE command by changing the value of the DisableLockWorkstation registry key. After that, the malware launches a keylogger.
FatalRAT tries to determine which anti-virus programs are running on the attacked system, while in parallel it pulls information from browsers. Moreover, the Trojan can spread over the victim's network using brute force.

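The DisableLockWorkstation change described above is something defenders can hunt for in registry telemetry. The following is an added example, not part of the original post or the AT&T Alien Labs report: it scans simplified Sysmon-style Event ID 13 (registry value set) records for writes that set this value to non-zero. The record layout, the sample events and the policy path under `Policies\System` are assumptions made for the illustration.

```python
import re

# Constructed sample records (not real telemetry): simplified Sysmon
# Event ID 13 "registry value set" events, fields separated by " | ".
SAMPLE_EVENTS = r"""
EventID=13 | UtcTime=2021-08-03 10:15:02 | Image=C:\Users\alice\AppData\Local\Temp\installer.exe | TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation | Details=DWORD (0x00000001)
EventID=13 | UtcTime=2021-08-03 10:20:41 | Image=C:\Windows\regedit.exe | TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation | Details=DWORD (0x00000000)
EventID=13 | UtcTime=2021-08-03 10:21:07 | Image=C:\Program Files\App\app.exe | TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\App\Theme | Details=DWORD (0x00000001)
EventID=1 | UtcTime=2021-08-03 10:22:30 | Image=C:\Windows\System32\cmd.exe | CommandLine=cmd.exe /c echo DisableLockWorkstation
"""

# Assumption: the standard Windows policy location for this value, matched in any hive.
SUFFIX = r"\software\microsoft\windows\currentversion\policies\system\disablelockworkstation"
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]+)\)")


def parse_event(line):
    """Turn 'k=v | k=v' into a dict; only the first '=' in a field splits it."""
    fields = (part.partition("=") for part in line.split(" | "))
    return {k.strip(): v.strip() for k, _, v in fields}


def find_lock_disable(log_text):
    """Return registry-set events that write a non-zero DisableLockWorkstation."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only registry value-set events are relevant
        if not ev.get("TargetObject", "").lower().endswith(SUFFIX):
            continue
        m = DWORD_RE.fullmatch(ev.get("Details", ""))
        value = int(m.group(1), 16) if m else None  # None = unparsable, still reported
        if value == 0:
            continue  # 0 leaves workstation locking enabled
        hits.append({"time": ev.get("UtcTime"), "image": ev.get("Image"), "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_lock_disable(SAMPLE_EVENTS):
        print(hit)
```

The writing process (`image`) is the field to triage first: a policy value set by a binary running from a user temp directory is far more suspicious than one set by Group Policy processing.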