Malware-spy managed via Telegram

The TgRAT malware is written for a specific computer, and closed chats in Telegram become control channels. The malware was discovered by Positive Technologies experts. The virus can download files, take screenshots of the screen, and "put" the device to sleep.

Many companies use Telegram as a corporate messenger. Cybercriminals have figured out how to use the Telegram API to secretly manage backdoors and upload confidential information.

The new TgRAT malware penetrates the computer and immediately checks the name of the host on which it is running. If the data does not match the value embedded in the program body, TgRAT exits. This conclusion was reached by analysts of Positive Technologies, after studying the source code of the new virus.

The analysis showed that the payload file is a small RAT that uses Telegram as a control server. The server is a closed group in the messenger, and communication is carried out using the Telegram API.

The chat token and ID for communication can be read from a file named token.sys, which should be located in the folder with the malware. If there is no file, the program uses the token and ID that are contained in the code.

After establishing a connection, the malware receives command names and arguments (if necessary).

Experts pay attention to the format of storing and executing commands. At the stage of initializing the necessary parameters, variables, and libraries, TgRAT forms a data structure of a certain type, identical to a map.

This structure stores, in addition to service fields, pointers to functions that will be responsible for executing commands. It is used for mapping the command name that comes from the control server (Telegram chat) to the function.

The spy virus executes the following commands:
* getting information about the infected computer;
* connecting (bind) to a specific group in Telegram;
* service connection error message;
* self-termination (kill);
* save the message as a file;
* self-updating;
* shell launch;
* run the command in the shell and save the result as a file;
* start the process;
* sleep for a certain amount of time;
* restart the bot;
* download a file;
* screenshot.

Despite the fact that hackers use legitimate protocols to manage their tools and upload data, this attack can be easily detected with a minimal level of traffic monitoring, experts say.

At the same time, Positive Technologies says, at the time of the investigation, the TgRAT source code was not available in public sources, and so far the malware can not be detected by antivirus tools.

---

Doctor Web analysts have identified the Linux version of the well-known Trojan TgRat, which is used for targeted attacks. One of the notable features of this malware is that it is controlled by a Telegram bot.

Originally written for Windows, TgRat was discovered back in 2022. It was a small malicious program created for specific devices from which attackers planned to steal confidential information.

Then the researchers said that TgRat uses Telegram as a management server. The server was a closed group in messenger, and communication was carried out using the Telegram API (library github.com/wrwrabbit/telegram-bot-api-go).

As now reported in Doctor Web, the Linux-adapted version of TgRat was discovered during an incident investigation, a request for which was received from an unnamed company providing hosting services. The company's antivirus software detected a suspicious file on the server of one of the clients, and this file turned out to be a Trojan dropper, which was unpacked to the target TgRat system (Linux.BackDoor.TgRat.2).

The new version of malware was also created for attacks on specific machines: when launched, it checks the hash of the machine name with a string embedded in the Trojan's body. If the values do not match, TgRat terminates its process. In case of successful launch, the Trojan connects to the network and implements a scheme for interacting with its control server, which is a Telegram bot.

The Trojan is managed through a closed group in the messenger that the Telegram bot is connected to. Using the messenger, attackers can issue commands to malware: for example, download files from a compromised system, take a screenshot, execute a command remotely, or upload a file using attachments.

Unlike the Windows version, the Trojan's code is encrypted using RSA, and the bash interpreter was used to execute commands, which allowed you to execute entire scripts within a single message. Each instance of the Trojan has its own identifier, so attackers could send commands to multiple bots by connecting them all to the same chat.

The researchers note that such an attack can be detected by careful analysis of network traffic. After all, data exchange with Telegram servers is typical for user computers, but not for servers on the local network.

• Source: https://news.drweb.ru
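Both reports above end on the same detection point: Telegram Bot API traffic is normal for user workstations but not for servers on the local network. The script below is an added example (not from either vendor's report) that applies that rule to constructed proxy log lines; the server subnet and the log format are assumptions, while api.telegram.org is the real Bot API endpoint that libraries such as the one named above talk to.

```python
import ipaddress
from collections import defaultdict

# Assumption: address ranges that hold servers, where Telegram traffic is unexpected.
SERVER_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
# Real Telegram Bot API endpoint; the page's RAT speaks to it via a bot library.
TELEGRAM_HOSTS = {"api.telegram.org"}

# Constructed proxy log: "<timestamp> <src_ip> <dst_host> <method> <path>".
# Bot API paths have the form /bot<token>/<method>; the token is redacted here.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.10.3.7 api.telegram.org POST /bot<redacted>/getUpdates
2024-05-01T10:00:02Z 192.168.1.25 api.telegram.org POST /bot<redacted>/getUpdates
2024-05-01T10:00:03Z 10.10.3.7 repo.example.internal GET /pkg/index
2024-05-01T10:00:31Z 10.10.3.7 api.telegram.org POST /bot<redacted>/getUpdates
2024-05-01T10:01:01Z 10.10.3.7 api.telegram.org POST /bot<redacted>/sendDocument
"""


def is_server(ip: str) -> bool:
    """True if the source address belongs to one of the server subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_SUBNETS)


def find_telegram_from_servers(log_text: str) -> dict:
    """Return {server_ip: [bot_api_methods]} for servers contacting the Bot API.

    The user workstation (192.168.1.25) is deliberately not reported: the
    page's point is that the same traffic is only anomalous from a server.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        _, src, dst, _, path = parts
        if dst in TELEGRAM_HOSTS and is_server(src):
            # Keep only the method name (getUpdates = polling for commands,
            # sendDocument = uploading a file), never the token portion.
            hits[src].append(path.rsplit("/", 1)[-1])
    return dict(hits)


if __name__ == "__main__":
    for ip, methods in find_telegram_from_servers(SAMPLE_LOG).items():
        print(f"{ip}: {len(methods)} Bot API calls ({', '.join(sorted(set(methods)))})")
```

A repeating getUpdates cadence from a single server address is the polling loop a bot-controlled implant needs, so the method list is what an analyst would pivot on next.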
 
Hi boss. Do you do Western Union transfers or know any legit vendor?
 