Digital Forensics Tips&Tricks: Telegram IM-based RAT — Part I
There are a lot of hidden channels and bots with various illegal and pirated content. I can recommend an article where some of these points are described in depth.
But my point of interest is using Telegram as a Remote Access Toolkit (RAT).
I see a potentially big field for attackers here, for at least two reasons:
- Telegram is a completely legal product and its agent doesn't look suspicious to antivirus software
- There is a lot of information about «How To Use Telegram as a RAT» with detailed instructions on YouTube and other Internet resources
So anyone can download it from GitHub or elsewhere and try to use the IM as a RAT.
And here are some video manuals:
OK, now you see: it's not so hard to download a Telegram-based RAT and understand how to use it. Moreover, almost all of these projects are written in Python, so anyone can compile the Python code to an .exe using tools like PyInstaller or something similar.
In the end you'll get, BOOM, an executable RAT tool which is undetectable by antiviruses!
Here are some capabilities of mvrozanti/RAT-via-Telegram, for instance:
- arp - display arp table
- capture_pc - screenshot PC
- cmd_exec - execute shell command
- cp - copy files
- cd - change current directory
- delete - delete a file/folder
- download - download file from target
- decode_all - decode ALL encoded local files
- dns - display DNS Cache
- encode_all - encode ALL local files
- freeze_keyboard - enable keyboard freeze
- unfreeze_keyboard - disable keyboard freeze
- get_chrome - Get Google Chrome's login/passwords
- hear - record microphone
- ip_info - via ipinfo.io
- keylogs - get keylogs
- ls - list contents of current or specified directory
- msg_box - display message box with text
- mv - move files
- pc_info - PC information
- ping - makes sure target is up
- play - plays a youtube video
- proxy - opens a proxy server
- pwd - show current directory
- python_exec - interpret python
- reboot - reboot computer
- run - run a file
- schedule - schedule a command to run at specific time
- self_destruct - destroy all traces
- shutdown - shutdown computer
- tasklist - display services and processes running
- to - select targets by its name
- update - update executable
- wallpaper - change wallpaper
An attacker can customize the RAT (change the icon, add a certificate, etc.), then compile it and send it as a phishing email attachment. What's next? Anything!
Search for files (even on network drives), execute apps and scripts, upload and download documents, receive keylogs, blah-blah, anything!
Of course, the attacker needs the infected workstation to have Internet access. But I think that's not a big deal, for several reasons.
OK, the main question is: how to detect that a Telegram RAT has been used, or is being used right now, on the workstation?
1. Modern malware is mostly created for long-term exploitation of IT infrastructure, so try to find the persistence points. The common way is to check the autorun keys:
In this screenshot you see an application with an Adobe icon but a non-standard name and location. If you find something like this, check it on VirusTotal or a related service.
By the way, these are the results of checking the Telegram-based RAT executable. As you see, only a minor part of the engines detected it as suspicious.
2. Since something strange was found in the autorun, the next obvious step is to check the process list. Well, here we've found this Adobe-like process with an active network session:
OK, let's check this IP address... And, BOOM, it's a Telegram IP.
3. How to find out the behaviour of this process? Use Process Monitor!
To get a more comfortable view, don't forget to filter by process and by filesystem operations:
You can see a lot of different operations on files and folders, and some filenames give us important information about the process's functions (win32clipboard.pyd).
Moreover, we noticed that the active process creates a number of temporary Python files; we can use this knowledge later in the investigation.
4. For instance, here are two ways to find out the date when the RAT was started for the first time:
- Check the system prefetch list using WinPrefetchView
- Check the processes' network usage statistics from SRUM using NetworkUsageView
OK, now you have the exact date and can continue your investigation to understand where this file came from: check the browser history, check whether email attachments were opened and executed in this period, etc.
Thank you again for your attention! I'll be back soon with new good stuff!
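Steps 1 and 2 of the checklist above can be scripted so that autorun entries are correlated with live sessions to Telegram. The PowerShell below is an added example written for this post, not a tool from the article; it assumes an elevated PowerShell 5.1+ session on the suspect workstation, and the Telegram netblocks it carries are an assumption to be verified against current whois/BGP data before being treated as evidence.

```powershell
# Added example (not from the original post): correlate Run-key autoruns with
# established TCP sessions whose remote end sits inside a Telegram netblock.
# ASSUMPTION: these are Telegram's publicly announced IPv4 ranges; re-check
# them against current whois/BGP data before relying on the list.
$TelegramNets = @('149.154.160.0/20', '91.108.4.0/22', '91.108.8.0/22',
                  '91.108.12.0/22', '91.108.16.0/22', '91.108.20.0/22',
                  '91.108.56.0/22', '185.76.151.0/24')

function ConvertTo-UInt32 ([System.Net.IPAddress]$Addr) {
    # address bytes are big-endian; BitConverter expects little-endian
    [BitConverter]::ToUInt32([byte[]]($Addr.GetAddressBytes()[3..0]), 0)
}

function Test-IPv4InCidr ([string]$Ip, [string]$Cidr) {
    $addr = [System.Net.IPAddress]$Ip
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 not handled here
    $net, $bits = $Cidr.Split('/')
    $mask  = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    $ipNet = (ConvertTo-UInt32 $addr) -band $mask
    $cidrN = (ConvertTo-UInt32 ([System.Net.IPAddress]$net)) -band $mask
    return ($ipNet -eq $cidrN)
}

# Step 1: persistence points, the HKLM/HKCU Run keys (name -> command line)
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Autoruns = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = [string]$_.Value } }
}

# Step 2: processes with an established session into a Telegram netblock
$Hits = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $r = $_.RemoteAddress; ($TelegramNets | Where-Object { Test-IPv4InCidr $r $_ }) }
foreach ($c in $Hits) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
    $img  = $proc.ExecutablePath
    # A legitimately installed Telegram Desktop matches too; the signal is an
    # unexpected image name/path (the "Adobe-like" binary) that is also persisted.
    [pscustomobject]@{
        PID       = $c.OwningProcess
        Image     = $img
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        Persisted = [bool]($Autoruns | Where-Object { $img -and $_.Command -like "*$img*" })
    }
}
```

Any row with Persisted = True and an image outside the normal Telegram install path is the candidate to hash and submit to VirusTotal, then follow up with Process Monitor, prefetch and SRUM as in steps 3 and 4.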