Positive Technologies discovered spyware that attackers control through the Telegram messaging app

TgRAT can take screenshots, upload files to a target host, and download data from the host to the C2 server

TgRAT, malware that uses private chats in the Telegram messaging app as its command-and-control channel, was discovered during an investigation by PT Expert Security Center (PT ESC), Positive Technologies' incident response team.

A study of the TgRAT source code revealed that the malware was built for use against specific devices from which the attackers aimed to steal sensitive information. Before doing anything else, TgRAT compares the name of the host it is running on with a value embedded in the program body; if the names do not match, the malware terminates. This gate also means that a detonation sandbox whose hostname differs from the embedded value will only see the sample exit without doing anything.

At the time of the investigation, the TgRAT source code was not publicly available, so signature-based antivirus tools would likely take time to detect it on an infected host. To detect TgRAT, Positive Technologies recommends monitoring network traffic and paying particular attention to connections from internal corporate infrastructure servers to Telegram servers. Data flows within the network should also be monitored, which makes it possible to identify network tunnels and unusual communication between servers. Finally, all infrastructure hosts should be protected with antivirus tools, and sandboxes should be used.
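The two traffic checks recommended above (server-to-Telegram egress, and server-to-server flows that are not part of a known baseline) can be turned into a concrete hunt over proxy or firewall logs. The script below is an added example and is not code from Positive Technologies or from the TgRAT analysis. The log line format, the two server subnets and the sample log entries are constructed for the example; the Telegram address ranges are a snapshot of Telegram's published CIDR list and should be refreshed from Telegram's own source before use.

```python
"""Hunt for Telegram egress from servers and for unbaselined server-to-server flows.

Added example (not from the TgRAT write-up). Assumptions, all constructed here:
  * log lines look like "<ts> src=<ip> dst=<ip> host=<sni-or-http-host> proto=<proto>"
  * the organisation's server subnets are 10.10.0.0/16 and 10.20.0.0/16
  * TELEGRAM_CIDRS is a snapshot of Telegram's published ranges; refresh it.
"""
import ipaddress
import re
from collections import Counter

# Assumption: server address space of the monitored organisation.
SERVER_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16")]

# Assumption: snapshot of Telegram's published IPv4 ranges (core.telegram.org/resources/cidr.txt).
TELEGRAM_CIDRS = [ipaddress.ip_network(c) for c in (
    "91.108.4.0/22", "91.108.8.0/22", "91.108.12.0/22", "91.108.16.0/22",
    "91.108.20.0/22", "91.108.56.0/22", "149.154.160.0/20", "185.76.151.0/24",
)]
# api.telegram.org (Bot API) is the usual endpoint for Telegram-controlled backdoors.
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")

# Assumed log format; host may be empty when there is no SNI/Host value.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S*) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_telegram_destination(dst, host):
    """Match on SNI/Host first (survives IP churn), then fall back to Telegram's address space."""
    h = host.lower().rstrip(".")
    if h and any(h == d or h.endswith("." + d) for d in TELEGRAM_DOMAINS):
        return True
    return in_any(dst, TELEGRAM_CIDRS)


def find_telegram_egress(lines):
    """Connections whose source is a server subnet and whose destination is Telegram."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if in_any(rec["src"], SERVER_SUBNETS) and is_telegram_destination(rec["dst"], rec["host"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["host"] or "(no SNI)"))
    return hits


def find_new_server_peers(lines, baseline):
    """Server-to-server (src, dst) pairs not present in the known baseline, with flow counts."""
    seen = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if in_any(rec["src"], SERVER_SUBNETS) and in_any(rec["dst"], SERVER_SUBNETS):
            pair = (rec["src"], rec["dst"])
            if pair not in baseline:
                seen[pair] += 1
    return dict(seen)


# Constructed sample log: one server talking to the Bot API, a workstation doing the same
# (not flagged: not a server subnet), a server-to-server flow, benign web traffic, and a
# server reaching a Telegram IP with no SNI at all.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.10.1.15 dst=149.154.167.220 host=api.telegram.org proto=tls",
    "2024-05-01T10:00:05Z src=192.168.5.20 dst=149.154.167.220 host=api.telegram.org proto=tls",
    "2024-05-01T10:01:12Z src=10.10.1.15 dst=10.20.3.4 host= proto=tcp",
    "2024-05-01T10:02:00Z src=10.10.1.15 dst=93.184.216.34 host=example.com proto=tls",
    "2024-05-01T10:03:00Z src=10.20.3.4 dst=91.108.56.100 host= proto=tcp",
]

if __name__ == "__main__":
    for ts, src, dst, host in find_telegram_egress(SAMPLE_LOG):
        print(f"[telegram egress] {ts} {src} -> {dst} ({host})")
    for (src, dst), n in find_new_server_peers(SAMPLE_LOG, baseline=set()).items():
        print(f"[unbaselined server peer] {src} -> {dst} x{n}")
```

Matching on the SNI/Host name before the address range matters in practice: Telegram's IP allocations change, but a backdoor built on the Bot API has to reach api.telegram.org by name. The reverse fallback (address range with no SNI) catches raw MTProto-style or pinned-IP connections that a name-only rule would miss.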

Denis Goydenko, Head of PT Expert Security Center Threat Response, Positive Technologies, says: "Many companies use Telegram as a corporate messenger, prompting attackers to develop tools to exploit the Telegram API to covertly manage backdoors and download sensitive information. One of the most effective approaches to detecting such leaks is to use antivirus software on all hosts, including servers, as well as deep traffic analysis (NTA) systems, sandboxes, and endpoint detection and response (EDR) tools. Frankly, traffic from internal servers of a corporate infrastructure to Telegram servers is always a suspicious sign, and means that the security service must be on its guard."

Phishing remains one of the main ways for attackers to penetrate an infrastructure. Users are advised not to open suspicious messages or follow unknown links, and not to download software from suspicious sites or torrents; licensed versions from trusted sources should be used instead. Employees should be kept informed of the latest phishing techniques and scams.