Digital Forensics Tips&Tricks: Telegram IM-based RAT — Part I

    Did you know that Telegram IM is becoming more and more popular as a toolkit for illegal activity?
    There are a lot of hidden channels and bots with illegal and pirated content. I can recommend an article that describes some of these points in depth.

    But my point of interest is the use of Telegram as a Remote Access Toolkit (RAT).


    I see a potentially big field for attackers here, for at least two reasons:

    • Telegram is a completely legal product, and its agent doesn't look suspicious to antivirus software

    • There is a lot of information on "How to use Telegram as a RAT", with detailed instructions on YouTube and other Internet resources

    So anyone can download it from GitHub or elsewhere and try to use the IM as a RAT.


    And here are some video manuals:


    Ok, now you see: it's not so hard to download a Telegram-based RAT and understand how to use it. Moreover, almost all of these projects are written in Python. So anyone can compile the Python code to an .exe using tools like PyInstaller or something similar.

    In the end you get, BOOM!, an executable RAT tool that is undetectable by antiviruses!
    Cool, heh?

    Here are some capabilities of mvrozanti/RAT-via-Telegram, for instance:

    arp - display arp table
    capture_pc - screenshot PC
    cmd_exec - execute shell command
    cp - copy files
    cd - change current directory
    delete - delete a file/folder
    download - download file from target
    decode_all - decode ALL encoded local files
    dns - display DNS Cache
    encode_all - encode ALL local files
    freeze_keyboard - enable keyboard freeze
    unfreeze_keyboard - disable keyboard freeze
    get_chrome - Get Google Chrome's login/passwords
    hear - record microphone
    ip_info - via
    keylogs - get keylogs
    ls - list contents of current or specified directory
    msg_box - display message box with text
    mv - move files
    pc_info - PC information
    ping - makes sure target is up
    play - plays a youtube video
    proxy - opens a proxy server
    pwd - show current directory
    python_exec - interpret python
    reboot - reboot computer
    run - run a file
    schedule - schedule a command to run at specific time
    self_destruct - destroy all traces
    shutdown - shutdown computer
    tasklist - display services and processes running
    to - select targets by its name
    update - update executable
    wallpaper - change wallpaper

    An attacker can customize the RAT (change the icon, add a certificate, etc.), then compile it and send it as a phishing email attachment. What's next? Anything!

    Search for files (even on network drives), execute apps and scripts, upload and download documents, receive keylogs, blah-blah: anything!

    Of course, the attacker needs the infected workstation to have Internet access. But I think that's not a big deal, for several reasons.

    Ok, the main question is: how to detect that a Telegram RAT has been used, or is being used right now, on the workstation?

    1. Modern malware is mostly created for long-term exploitation of the IT infrastructure. So try to find the persistence points. The common way is to check the autorun keys:


    In this screenshot you see an application with an Adobe icon but a non-standard name and location. Check it on VirusTotal or a similar service if you find something like this.

    By the way, these are the results of checking the Telegram-based RAT executable. As you can see, only a minor part of the engines detected it as suspicious.


    2. Since something strange was found in the autorun, the next obvious step is to check the process list. Well, here we've found this Adobe-like process with an active network session:


    Ok, let's check this IP address… And, BOOM!, it's a Telegram IP.
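    Steps 1 and 2 can be reduced to two checks a responder repeats on every workstation: autorun entries whose executable lives outside the normal program directories, and established sessions whose peer falls inside Telegram's published address blocks. The script below is an added example and is not code from the post or from any RAT project: the `reg query` and `netstat -ano` outputs, the PID-to-image mapping, and the `AdobeUpdater.exe` name and paths are all constructed for illustration. The CIDR blocks are the ones Telegram publishes at core.telegram.org/resources/cidr.txt and are embedded only so the example runs offline; refresh them from the live list before relying on a match.

```python
import ipaddress
from typing import Dict, List

# Telegram's published address blocks (core.telegram.org/resources/cidr.txt).
# Embedded so the example runs offline; refresh from the live list before use.
TELEGRAM_CIDRS = [ipaddress.ip_network(c) for c in (
    "149.154.160.0/20", "91.108.4.0/22", "91.108.8.0/22", "91.108.12.0/22",
    "91.108.16.0/22", "91.108.20.0/22", "91.108.56.0/22",
)]

# Where properly installed software normally lives on a Windows workstation.
# An autorun entry or network-active process outside these paths is not malicious
# by itself, but it is the "non-standard location" the post points at.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Constructed sample of `reg query HKCU\...\Run` output (not a real capture).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    AdobeUpdater    REG_SZ    C:\Users\user\AppData\Roaming\AdobeUpd\AdobeUpdater.exe
"""

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     149.154.167.220:443    ESTABLISHED     4120
  TCP    192.168.1.10:49800     40.97.153.146:443      ESTABLISHED     3044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
"""

# PID -> image path, as `tasklist` or Process Explorer would show it (constructed).
PID_TO_IMAGE = {
    4120: r"C:\Users\user\AppData\Roaming\AdobeUpd\AdobeUpdater.exe",
    3044: r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
}


def is_telegram_ip(ip: str) -> bool:
    """True if the address falls inside one of Telegram's published blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TELEGRAM_CIDRS)


def outside_trusted_dirs(command: str) -> bool:
    """True if the executable path does not start with a trusted directory."""
    path = command.strip().lstrip('"').lower()
    return not path.startswith(TRUSTED_PREFIXES)


def parse_autorun(reg_output: str) -> List[Dict[str, str]]:
    """Turn `reg query ...\\Run` output into {name, type, command} records."""
    entries = []
    for line in reg_output.splitlines():
        parts = line.split(None, 2)          # value name, REG_* type, data
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append({"name": parts[0], "type": parts[1], "command": parts[2]})
    return entries


def suspicious_autoruns(entries):
    """Autorun entries whose executable lives outside the trusted directories."""
    return [e for e in entries if outside_trusted_dirs(e["command"])]


def parse_netstat(netstat_output: str) -> List[Dict[str, object]]:
    """Turn `netstat -ano` TCP rows into {local, remote, state, pid} records."""
    conns = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            _, local, remote, state, pid = parts
            conns.append({"local": local, "remote": remote, "state": state, "pid": int(pid)})
    return conns


def telegram_connections(conns, pid_to_image):
    """Established sessions whose peer is a Telegram address, joined with the image path."""
    hits = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        peer_ip = c["remote"].rsplit(":", 1)[0]   # strip the port
        if is_telegram_ip(peer_ip):
            hits.append({**c, "image": pid_to_image.get(c["pid"], "<unknown>")})
    return hits


if __name__ == "__main__":
    for e in suspicious_autoruns(parse_autorun(SAMPLE_REG)):
        print("autorun outside trusted dirs:", e["name"], "->", e["command"])
    for h in telegram_connections(parse_netstat(SAMPLE_NETSTAT), PID_TO_IMAGE):
        print("Telegram session: pid", h["pid"], h["image"], "->", h["remote"])
```

    A match on the Telegram ranges only says the peer is Telegram; the legitimate desktop client produces the same sessions, so the image path of the owning process (from `tasklist` or Process Explorer) is what separates a RAT from a user who simply has Telegram open.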


    3. How to find out the behaviour of this process? Try Process Monitor!

    To get a more comfortable view, don't forget to filter by process and by filesystem operations:


    You can see a lot of different operations on files and folders, and some filenames give us important information about the process's functions (win32clipboard.pyd).

    Moreover, we noticed that the active process creates a number of temporary Python files. We can use this knowledge later, during the investigation.
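    The Process Monitor view can be turned into a repeatable check on the CSV that Procmon exports: keep only the filesystem operations of one process, then look for the pattern behind the "temporary Python files" seen above. A PyInstaller one-file executable unpacks its interpreter and extension modules into a `%TEMP%\_MEI<digits>` folder at start-up, so a burst of `.pyd`/`.dll` writes into such a folder by a process that is not supposed to be a Python program is a strong lead. This is an added example, not code from the post; the CSV rows, process names, PIDs and paths are constructed, and the column headers follow Procmon's export format.

```python
import csv
import io
import os
import re
from typing import Dict, List

# PyInstaller one-file executables unpack into %TEMP%\_MEI<digits>; writes of
# extension modules into such a folder are the indicator we look for.
MEI_DIR = re.compile(r"^(.*\\_MEI\d+)\\", re.IGNORECASE)
WRITE_OPS = {"CreateFile", "WriteFile"}
# Procmon operation classes that are not file-system activity.
NON_FS_PREFIXES = ("Reg", "TCP", "UDP", "Process", "Thread", "Load Image")

# Constructed Procmon CSV export (Procmon's columns; the rows are made up).
SAMPLE_PROCMON = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1234567","AdobeUpdater.exe","4120","CreateFile","C:\Users\user\AppData\Local\Temp\_MEI41202\python37.dll","SUCCESS","Desired Access: Generic Write"
"10:15:01.2234567","AdobeUpdater.exe","4120","WriteFile","C:\Users\user\AppData\Local\Temp\_MEI41202\win32clipboard.pyd","SUCCESS","Offset: 0, Length: 131,072"
"10:15:01.3234567","AdobeUpdater.exe","4120","WriteFile","C:\Users\user\AppData\Local\Temp\_MEI41202\_socket.pyd","SUCCESS","Offset: 0, Length: 65,536"
"10:15:01.4234567","AdobeUpdater.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography","SUCCESS","Desired Access: Read"
"10:15:02.0000000","OUTLOOK.EXE","3044","ReadFile","C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE","SUCCESS","Offset: 0, Length: 4,096"
'''


def load_procmon(csv_text: str) -> List[Dict[str, str]]:
    """Read a Procmon CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filesystem_ops(rows, process_name: str):
    """Rows for one process limited to file-system operations, i.e. the same
    view as Procmon's process filter plus 'Show File System Activity'."""
    return [r for r in rows
            if r["Process Name"].lower() == process_name.lower()
            and not r["Operation"].startswith(NON_FS_PREFIXES)]


def pyinstaller_indicators(rows):
    """Per PID: the _MEI folder written to and the extension modules dropped there."""
    found = {}
    for r in rows:
        if r["Operation"] not in WRITE_OPS:
            continue
        m = MEI_DIR.match(r["Path"])
        if not m:
            continue
        entry = found.setdefault(int(r["PID"]), {"process": r["Process Name"],
                                                  "mei_dir": m.group(1),
                                                  "modules": set()})
        # os.path.basename only splits on '/' off Windows, so normalise first.
        name = os.path.basename(r["Path"].replace("\\", "/"))
        if name.lower().endswith((".pyd", ".dll")):
            entry["modules"].add(name)
    for entry in found.values():
        entry["modules"] = sorted(entry["modules"])
    return found


if __name__ == "__main__":
    rows = load_procmon(SAMPLE_PROCMON)
    for pid, info in pyinstaller_indicators(rows).items():
        print(pid, info["process"], "unpacked into", info["mei_dir"])
        print("  modules:", ", ".join(info["modules"]))
```

    The module names themselves are the hint the post describes: `win32clipboard.pyd` or `_socket.pyd` being dropped by something calling itself an Adobe updater tells you what the binary is built from before any reverse engineering.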


    4. For instance, two ways to find out the date when the RAT was started for the first time:


    • Check the process's network usage statistics from SRUM using NetworkUsageView


    Ok, now you have the exact date and can continue your investigation to understand where this file came from: check the browser history, check whether email attachments were opened and executed in this period, etc.

    Thank you again for your attention! I'll be back soon with new good stuff!
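    The SRUM step reduces to "earliest network record for this executable". Below is an added example (not from the post or from NirSoft) that summarises a NetworkUsageView-style CSV export per executable: first and last record, record count and bytes in each direction. The column names are an assumption modelled on such an export and the rows are constructed; SRUM does store application paths in `\Device\HarddiskVolumeN\...` form and aggregates traffic in roughly hourly records, so the earliest record is the first hour in which the binary talked to the network, not necessarily its first execution. Corroborate it with other execution artifacts before treating it as the infection date.

```python
import csv
import io
from datetime import datetime
from typing import Dict

# Constructed CSV in the shape of a NetworkUsageView export. Column names are an
# assumption; paths use SRUM's \Device\HarddiskVolumeN form; rows are made up.
SAMPLE_SRUM = r'''"Timestamp","App Name","User SID","Bytes Sent","Bytes Received"
"2018-11-12 09:00:00","\Device\HarddiskVolume2\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE","S-1-5-21-1111111111-2222222222-3333333333-1001","524288","8912896"
"2018-11-14 14:00:00","\Device\HarddiskVolume2\Users\user\AppData\Roaming\AdobeUpd\AdobeUpdater.exe","S-1-5-21-1111111111-2222222222-3333333333-1001","18432","4096"
"2018-11-15 10:00:00","\Device\HarddiskVolume2\Users\user\AppData\Roaming\AdobeUpd\AdobeUpdater.exe","S-1-5-21-1111111111-2222222222-3333333333-1001","2048","1024"
"2018-11-15 11:00:00","\Device\HarddiskVolume2\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE","S-1-5-21-1111111111-2222222222-3333333333-1001","1024","2048"
'''


def summarize_network_usage(csv_text: str) -> Dict[str, dict]:
    """Per executable basename (lower-cased): path, first/last record, record
    count and bytes in each direction. Record order in the export does not matter."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
        exe = row["App Name"].rsplit("\\", 1)[-1].lower()
        s = summary.setdefault(exe, {"path": row["App Name"], "first_seen": ts,
                                     "last_seen": ts, "records": 0,
                                     "bytes_sent": 0, "bytes_received": 0})
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts)
        s["records"] += 1
        s["bytes_sent"] += int(row["Bytes Sent"])
        s["bytes_received"] += int(row["Bytes Received"])
    return summary


def first_seen(csv_text: str, exe_name: str):
    """Earliest SRUM network record for the given executable, or None if absent."""
    s = summarize_network_usage(csv_text).get(exe_name.lower())
    return s["first_seen"] if s else None


if __name__ == "__main__":
    for exe, s in summarize_network_usage(SAMPLE_SRUM).items():
        print(f"{exe}: first {s['first_seen']}, last {s['last_seen']}, "
              f"{s['records']} records, {s['bytes_sent']} B out / {s['bytes_received']} B in")
```

    The first-seen hour is the pivot for the rest of the investigation described above: browser history and mail-client artifacts from that window are where the origin of the file is usually found.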

    Comments 2

      Breaking news! Hackers use TCP/IP for crimes.
      Telegram is just a tool. Just like a hammer. You can kill someone with a hammer or do something useful.
      An attacker can customize the RAT (change an icon, add a certificate etc), then compile and send it as a phishing email attachment.

      We can't defend ourselves from this shit.
        Yes, you can do something useful, of course.
        The Buhtrap cyberteam was using TeamViewer and PuntoSwitcher for their RAT. Does it mean that you do not need to know how to search for and find these modules during the investigation?
