G DATA specialists have published a report on the new T-RAT malware, which is being sold for only $45. The malware's main feature is that infected systems are controlled through a Telegram channel rather than through a web administration panel, as is usually the case.
The malware's creators claim that this provides faster and easier access to infected computers from anywhere and allows them to steal data quickly. However, T-RAT can also be controlled by more traditional methods, via RDP and VNC.
The T-RAT Telegram channel supports 98 commands that allow the operator to extract passwords and cookies from the browser, navigate the victim's file system and search for confidential data, deploy a keylogger, secretly record sound through the device microphone, take screenshots of the victim's desktop, take snapshots via the webcam and capture the contents of the clipboard.
In addition, T-RAT owners can use a special clipboard-capture mechanism that replaces strings resembling cryptocurrency and electronic wallet addresses with the attackers' own addresses. This allows them to intercept Qiwi, WMR, WMZ, WME, WMX, Yandex.Money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin and Tron transactions.
The malware is also capable of executing terminal commands (CMD and PowerShell), blocking the victim's access to certain sites (for example, antivirus and technical support sites), terminating specific processes (to disable security and debugging software), and even deactivating the Taskbar and Task Manager.
Experts from G DATA write that T-RAT is just one of many malware families that can be controlled via Telegram, and it is not the first RAT to operate on such a model. Similar functionality is offered by RATAttack (aimed at Windows), HeroRAT (aimed at Android), TeleRAT (used mainly against users from Iran, aimed at Android), IRRAT (aimed at Android), RAT-via-Telegram (available on GitHub, targeting Windows users) and Telegram-RAT (available on GitHub, targeting Windows users).
“New T-RAT samples are regularly uploaded to VirusTotal. I assume that it is actively spreading, although I have no direct evidence of this,” says company expert Karsten Hahn.
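Because this family of RATs is controlled over Telegram, one defensive check is to flag processes other than the sanctioned Telegram client that resolve Telegram hostnames. The following is an added example, not code from G DATA's report: the hostname suffixes, allowlisted path, CSV layout (modelled on DNS query events such as Sysmon Event ID 22) and sample rows are all assumptions or constructed data.

```python
import csv
import io
import ntpath

# Assumption: Telegram's public domains; the article names no endpoints.
TELEGRAM_SUFFIXES = ("telegram.org", "t.me")
# Assumption (hypothetical path): the only sanctioned Telegram client install.
ALLOWED_IMAGES = {r"c:\program files\telegram desktop\telegram.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: DNS query events exported as CSV (host, image, query).
SAMPLE = r"""host,image,query
ws-014,C:\Program Files\Telegram Desktop\Telegram.exe,api.telegram.org
ws-014,C:\Program Files\Google\Chrome\Application\chrome.exe,web.telegram.org
ws-022,C:\Users\bob\AppData\Local\Temp\Telegram.exe,api.telegram.org
ws-031,C:\Users\eve\AppData\Roaming\svc\updater.exe,API.Telegram.org.
ws-031,C:\Windows\System32\svchost.exe,nottelegram.org
ws-040,C:\Users\amy\Downloads\chrome.exe,t.me
"""

def is_telegram(query):
    """Match on a label boundary so 'nottelegram.org' is not a hit."""
    q = query.strip().rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in TELEGRAM_SUFFIXES)

def triage(event):
    """Return None (ignore), 'low' (browser use) or 'high' (unexpected process)."""
    if not is_telegram(event["query"]):
        return None
    image = event["image"].strip().lower()
    if image in ALLOWED_IMAGES:  # full path, so a renamed copy elsewhere fails
        return None
    if ntpath.basename(image) in BROWSERS and image.startswith(TRUSTED_DIRS):
        return "low"  # likely Telegram Web; review against usage policy
    return "high"

def find_suspects(csv_text):
    """Return (host, image, severity) for every event that needs review."""
    hits = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        severity = triage(event)
        if severity:
            hits.append((event["host"], event["image"], severity))
    return hits

if __name__ == "__main__":
    for host, image, severity in find_suspects(SAMPLE):
        print(f"{severity:4} {host} {image}")
```

Matching on the full image path rather than the file name is what catches the `Telegram.exe` and `chrome.exe` copies running from user-writable directories in the sample.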