Telegram channels have become quite the hot seat for threat actors. Lately, a new Remote Access Trojan (RAT) has entered the landscape, propagating via Telegram channels.

What’s going on?

Dubbed FatalRAT, the trojan is being disseminated via media articles or software download links on Telegram. These messages can be sent only by the admins of the channels. The RAT is capable of gaining persistence, evading detection, collecting system information, and exfiltrating data.

Why it matters

  • The RAT can establish persistence either by creating a new service or by modifying the registry.
  • It exfiltrates confidential data, such as the external IP address and username, over an encrypted C2 channel.
  • The malware can delete user information from specific web browsers - Firefox, Chrome, Edge, QQBrowser, 360Secure Browser, and SogouBrowser.
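As an added example (not part of the article or any vendor report it summarizes), the following PowerShell triage script checks a Windows host for the two persistence paths listed above: recently installed services and autorun registry entries. The 7045 event, the Run/RunOnce keys and the user-writable-path heuristic are general Windows facts and assumptions, not FatalRAT indicators taken from the page.

```powershell
# Added example: look for the persistence paths the article attributes to FatalRAT.
# Run in an elevated PowerShell session on the host being checked.
$Days  = 7                               # assumption: look-back window
$since = (Get-Date).AddDays(-$Days)

# 1. Service installations are logged by the Service Control Manager as
#    System event 7045; property order is name, image path, type, start type.
$newServices = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Service = $_.Properties[0].Value
            Image   = $_.Properties[1].Value
            Start   = $_.Properties[3].Value
        }
    }

# 2. Machine- and user-scoped autorun values.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata properties.
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Heuristic (assumption): services or autoruns launched from user-writable
# directories are worth a closer look; legitimate services rarely live there.
$userWritable = '(?i)\\(Users|ProgramData|Temp|AppData)\\'

"== Services installed in the last $Days days =="
$newServices | Format-Table -AutoSize
"== Services whose image path is in a user-writable directory =="
$newServices | Where-Object { $_.Image -match $userWritable } | Format-Table -AutoSize
"== Autorun entries pointing into user-writable directories =="
$autoruns | Where-Object { $_.Command -match $userWritable } | Format-Table -AutoSize
```

Review any flagged entry against the installed software inventory before acting on it; the heuristic produces hits for legitimate per-user installers as well.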

Why Telegram?

Apart from FatalRAT, Telegram has recently been leveraged by XCSSET and Toxic Eye malware. The main reason cybercriminals exploit Telegram is that it is a legitimate and stable app that is not blocked by network management tools or antivirus software. In addition, it lets threat actors stay anonymous, as all that registration requires is a phone number.

The bottom line

This new FatalRAT sports various malicious functionalities—obfuscation, antivirus evasion, anti-sandbox evasion, and encrypted communications—which make it a significant threat. Experts surmise that this trojan and its various samples will propagate further in the near future. Hence, follow cybersecurity hygiene and stay safe.

Cyware Publisher