TgRAT

Published on 6 December 2022

Introduction

During an investigation, Positive Technologies Expert Security Center (PT ESC) discovered a hacking toolkit that uses the Telegram messaging app to control backdoors. To penetrate the network and move laterally within it, the attackers used both well-known tools, such as Impacket, Mimikatz, and network traffic tunneling utilities (Chisel [1], dnscat2 [2], Gost [3], and others), and newer, less widespread malware, such as remote access Trojans that use the Telegram API to transfer data. The malware analysis was performed by the PT ESC cyberthreat research team.

TgRAT dropper

First, the dropper checks the command-line arguments it was launched with; this determines whether it goes through the intermediate persistence stage. If arguments are present, execution proceeds straight to the add_payload stage (named after the function that performs it). If there are none, the dropper first initializes itself and establishes persistence. It then:

  1. Configures itself to run at startup with the "-install=false" parameter (Figure 1), so that every subsequent launch has an argument and skips straight to add_payload.
  2. Builds the payload file name: it parses the path and name of the current process, keeps the directory, and substitutes the payload name embedded in the code.
  3. Decrypts the binary data embedded in the program body with AES in CTR mode (the initialization vector is also embedded in the program body).
  4. Writes the decrypted data to that file and transfers control to the payload.
Figure 1. Dropper persistence
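Steps 2 to 4 above are what an analyst has to reproduce to recover the payload from a dropper sample without running it. The following Go program is an added example written for this page, not code from the sample or from PT ESC: it derives the payload path the way step 2 describes and decrypts an AES-CTR blob the way step 3 describes. The key, IV, payload bytes and the "MZ" magic check are constructed assumptions; in a real case the key, IV and blob are carved out of the dropper binary, and the magic is whatever file type the payload turns out to be.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"path/filepath"
)

// payloadPath mirrors the dropper's step 2: keep the directory of the
// running process and swap in the payload file name embedded in the code.
func payloadPath(selfPath, payloadName string) string {
	return filepath.Join(filepath.Dir(selfPath), payloadName)
}

// aesCTR runs AES-CTR over data. CTR is a stream mode, so the same call
// encrypts and decrypts; the dropper only ever needs the decrypt direction.
func aesCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one AES block (16 bytes)")
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// extractPayload decrypts the embedded blob and checks that the result
// starts with the expected file magic (for a PE payload, "MZ"). CTR gives
// no integrity check of its own, so without this a wrong key or IV would
// silently produce garbage.
func extractPayload(key, iv, blob, magic []byte) ([]byte, error) {
	pt, err := aesCTR(key, iv, blob)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(pt, magic) {
		return nil, fmt.Errorf("decrypted data does not start with %q: wrong key or IV", magic)
	}
	return pt, nil
}

func main() {
	// Constructed sample values; in a real case key, IV and blob are
	// recovered from the dropper binary.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	payload := []byte("MZ\x90\x00constructed sample payload")
	blob, _ := aesCTR(key, iv, payload) // what the dropper would carry embedded

	pt, err := extractPayload(key, iv, blob, []byte("MZ"))
	fmt.Println(payloadPath("/opt/svc/dropper", "update.bin"), err, bytes.Equal(pt, payload))
}
```

The magic check matters more than it looks: with CTR there is no padding error or MAC failure to tell you the key was wrong, so an extraction script that skips it will happily write random bytes to disk and report success.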

TgRAT backdoor

The payload is a small RAT that uses Telegram as its C2 channel. The "server" is a private Telegram chat, and communication goes through the Telegram Bot API (via the github.com/wrwrabbit/telegram-bot-api-go library). We observed several variants of this malware that differ in architecture but share the same functionality.

At startup, the RAT checks the host name of the machine it is running on. If the name does not match the value embedded in the program body, the malware exits. The malware was evidently built for specific target machines.

The bot token and the ID of the chat used for communication can be read from a token.sys file that is expected to sit in the same directory as the malware. If the file is absent, the malware falls back to the token and ID embedded in the code (Figure 2).

Figure 2. Communication parameters

Once the connection is established, the malware receives command names and, where applicable, their arguments.

The way commands are stored and executed is particularly interesting. While initializing parameters, variables, and libraries, the malware builds a data structure that is, in effect, a map (Figure 3).

Figure 3. Format of storing pointers to command handler functions

Besides service fields, this structure stores pointers to the functions that execute each command. It is used to map a command name arriving from the C2 (the Telegram chat) to its handler function.

The malware receives a command name and then, using the structure's lookup method, obtains the address of the handler function (the pfn_CmdFunc_handler variable in Figure 4). It then calls that function.

Figure 4. Obtaining the address of the handler function and calling of this function
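To make the dispatch pattern of Figures 3 and 4 concrete, here is an added Go example written for this page (not TgRAT's code): a map from command name to handler function pointer, a dispatch routine that performs the lookup and call, and a helper that enumerates the map's keys, which is exactly the information an analyst reads out of the structure's initialization code. The command names, handler bodies and argument formats are assumed for illustration; the handlers only validate their arguments and report what they would do.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// handler is the signature every command handler shares; the dispatch
// table stores pointers to functions of this type.
type handler func(args []string) (string, error)

// cmdTable maps a command name received from the C2 chat to its handler.
// The string keys are what make the initialization code so informative:
// reading this literal gives the full command list.
var cmdTable = map[string]handler{
	"info":  cmdInfo,
	"sleep": cmdSleep,
	"kill":  cmdKill,
}

func cmdInfo(args []string) (string, error) {
	return "host=analysis-vm os=linux", nil // constructed, no real collection
}

func cmdSleep(args []string) (string, error) {
	if len(args) != 1 {
		return "", fmt.Errorf("sleep: expected 1 argument, got %d", len(args))
	}
	secs, err := strconv.Atoi(args[0])
	if err != nil || secs < 0 {
		return "", fmt.Errorf("sleep: bad duration %q", args[0])
	}
	return fmt.Sprintf("would sleep %s", time.Duration(secs)*time.Second), nil
}

func cmdKill(args []string) (string, error) {
	if len(args) != 1 {
		return "", fmt.Errorf("kill: expected <PID>")
	}
	pid, err := strconv.Atoi(args[0])
	if err != nil || pid <= 0 {
		return "", fmt.Errorf("kill: bad PID %q", args[0])
	}
	return fmt.Sprintf("would terminate PID %d", pid), nil
}

// dispatch splits one chat message into a command name and arguments,
// looks up the handler pointer (the pfn_CmdFunc_handler step) and calls it.
func dispatch(msg string) (string, error) {
	fields := strings.Fields(msg)
	if len(fields) == 0 {
		return "", fmt.Errorf("empty command")
	}
	fn, ok := cmdTable[strings.ToLower(fields[0])]
	if !ok {
		return "", fmt.Errorf("unknown command %q", fields[0])
	}
	return fn(fields[1:])
}

// commandNames returns the sorted keys of the table: the same list an
// analyst reconstructs from the map's initialization code.
func commandNames() []string {
	names := make([]string, 0, len(cmdTable))
	for n := range cmdTable {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	for _, m := range []string{"info", "kill 4242", "sleep x", "shell"} {
		out, err := dispatch(m)
		fmt.Printf("%-10s -> %q %v\n", m, out, err)
	}
	fmt.Println(commandNames())
}
```

In a compiled Go binary the map literal becomes a sequence of insertions of (string, function pointer) pairs in the initialization routine, which is why locating that routine was enough to enumerate the command set without tracing every handler.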

Analyzing the code that initializes this structure with function addresses and names made it much easier to identify the commands the malware supports, including:

  • Obtaining the information about the infected computer (see Figure 5)
  • Connection (bind) to a particular Telegram chat; connection error message
  • Self-termination (kill <PID>)
  • Saving a message as a file
  • Self-updating
  • Shell launch
  • Executing the command in the shell and saving the result as a file
  • Starting a process
  • Sleeping for a specified time
  • Bot reset
  • File download
  • Taking a screenshot
Figure 5. Information being collected

Conclusions

Even though the attackers use legitimate protocols to control their tools and transfer data, this attack is easy to detect with even minimal traffic monitoring. To protect against it:

  • Protect all hosts, including servers, with antivirus software: the attackers keep using common tools that any antivirus product can handle.
  • Monitor traffic from servers to the Internet at the perimeter. In most infrastructures, traffic from internal servers to Telegram servers is suspicious.
  • Monitor traffic inside the network. This makes it possible to spot network tunnels and unusual server-to-server communication.
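The second recommendation can be turned into a concrete rule. The following Go program is an added example for this page, not a PT ESC tool: it scans a constructed connection log (timestamp, source, destination, port, TLS SNI) and alerts when a host from a server range talks to Telegram, matching the SNI first and falling back to destination address blocks for connections that carry no SNI. The server subnet is an assumption to be replaced with the asset inventory; the Telegram address blocks are assumed here and should be verified against Telegram's currently published ranges before use. The log lines are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample connection log (not from the investigation):
// timestamp, source IP, destination IP, destination port, TLS SNI ("-" if none).
const sampleLog = `1670000000.1 10.10.5.21 149.154.167.220 443 api.telegram.org
1670000001.2 10.20.7.14 149.154.167.220 443 api.telegram.org
1670000002.3 10.10.5.22 142.250.74.78 443 www.google.com
1670000003.4 10.10.5.23 91.108.4.17 443 -
1670000004.5 10.10.5.21 8.8.8.8 53 -`

// serverNets lists the internal ranges that hold servers. Assumed for the
// example; in practice this comes from the asset inventory.
var serverNets = mustCIDRs("10.10.0.0/16")

// telegramNets are Telegram address blocks used as a fallback when the
// connection carries no SNI. The values are assumed here; check them
// against Telegram's current ranges.
var telegramNets = mustCIDRs("149.154.160.0/20", "91.108.4.0/22")

// telegramSuffixes covers api.telegram.org (the Bot API host) and t.me links.
var telegramSuffixes = []string{"telegram.org", "t.me"}

type Alert struct {
	Src, Dst, Reason string
}

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// isTelegramName matches the domain itself or any subdomain, but not
// look-alikes such as "nottelegram.org".
func isTelegramName(sni string) bool {
	sni = strings.ToLower(strings.TrimSuffix(sni, "."))
	for _, s := range telegramSuffixes {
		if sni == s || strings.HasSuffix(sni, "."+s) {
			return true
		}
	}
	return false
}

// findTelegramFromServers returns one alert per log line in which a host
// from a server range talks to Telegram, identified by SNI first and by
// destination address block second.
func findTelegramFromServers(log string) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue // malformed line
		}
		src, dst := net.ParseIP(f[1]), net.ParseIP(f[2])
		if src == nil || dst == nil || !inAny(src, serverNets) {
			continue // workstations are noise for this rule; servers are the signal
		}
		switch {
		case isTelegramName(f[4]):
			alerts = append(alerts, Alert{f[1], f[2], "SNI " + f[4]})
		case inAny(dst, telegramNets):
			alerts = append(alerts, Alert{f[1], f[2], "Telegram address block, no SNI"})
		}
	}
	return alerts
}

func main() {
	for _, a := range findTelegramFromServers(sampleLog) {
		fmt.Printf("ALERT server %s -> %s (%s)\n", a.Src, a.Dst, a.Reason)
	}
}
```

The rule deliberately ignores workstations: employees may legitimately use Telegram, and alerting on them buries the one signal that matters here, which is a server that has no business talking to a messaging service at all. The same scoping idea (a source set that should never reach a destination set) is what makes the third recommendation workable for east-west traffic.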
[1] https://github.com/jpillora/chisel
[2] https://github.com/iagox86/dnscat2
[3] https://github.com/go-gost/gost