This blog was written by Ofer Caspi and Javi Ruiz.

Summary

AT&T Alien Labs™ has recently observed the presence of a new remote access trojan (RAT) malware in its threat analysis systems. The malware, known as FatalRAT (first named by …), appears to be distributed via forums and Telegram channels, hidden in download links that attempt to lure the user via software or media articles.

- AT&T Alien Labs performed a malware analysis of the FatalRAT threat.
- We have observed a new spreading mechanism via Telegram channels.
- FatalRAT is a remote access trojan with a wide set of capabilities that can be executed remotely by an attacker.
- Analyzed samples are capable of performing defense evasion techniques, obtaining system persistence, logging user keystrokes, collecting system information, and exfiltrating over an encrypted command and control (C&C) channel.

Figure 1.

The malware runs several tests before fully infecting a system, checking for the existence of multiple virtual machine products, disk space, number of physical processors, and more (T1497.001). One of the tests run by FatalRAT involves checking for the existence of virtual machine services, as shown in figure 2.

Figure 2. AntiVM techniques include searching for services.

Another includes querying the registry, as shown in figure 3.

Figure 3.

If the machine passes the malware's AntiVM tests, FatalRAT will then start its malicious activity. First, it decrypts each of the configuration strings separately (T1027). These configuration strings include the Command and Control (C&C) address, new malware file name, service name, and other settings.

Figure 4. Decrypting configuration strings.

Figure 5 shows the routine used by FatalRAT for decrypting strings.

The malware will disable the ability to lock the computer by using CTRL+ALT+DELETE.
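Two of the behaviours described above, disabling the Ctrl+Alt+Del lock and installing a service for persistence, leave registry and service-install telemetry on a Windows host. The following is an added detection example (not code from the blog or from the malware) run over constructed Sysmon Event ID 13 and System Event ID 7045 records; it assumes the lock is disabled through the Windows DisableLockWorkstation policy value, which the blog does not state, and the event field names follow the Sysmon and System-log schemas.

```python
"""Detection sketch for two host behaviours: disabling the Ctrl+Alt+Del
lock (registry policy write) and installing a persistence service from
an unusual path. Events are constructed samples, not real telemetry."""
import re

# Assumption: the lock is disabled via the DisableLockWorkstation policy
# value; the blog only states that the lock is disabled, not how.
LOCK_POLICY = re.compile(r"\\Policies\\System\\DisableLockWorkstation$", re.I)
# Directories from which a legitimately installed service binary normally runs.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def check_event(ev):
    """Return a finding string for one event dict, or None if it is benign."""
    if ev.get("EventID") == 13 and LOCK_POLICY.search(ev.get("TargetObject", "")):
        # Sysmon records DWORD writes as e.g. "DWORD (0x00000001)"
        if "0x00000001" in ev.get("Details", "").lower():
            return f"T1112 lock disabled by {ev.get('Image')}"
    if ev.get("EventID") == 7045:
        path = ev.get("ImagePath", "").strip('"').lower()
        if not path.startswith(TRUSTED_DIRS):
            return f"T1543.003 service '{ev.get('ServiceName')}' from {path}"
    return None


def scan(events):
    """Run every event through check_event and keep only the findings."""
    return [f for f in map(check_event, events) if f]


SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion"
                     "\\Policies\\System\\DisableLockWorkstation",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion"
                     "\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 7045, "ServiceName": "WindowsUpdateSvc",
     "ImagePath": "\"C:\\Users\\bob\\AppData\\Roaming\\svchost.exe\""},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```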