AT&T spots FatalRAT spreading across Telegram

AT&T has spotted a new Remote Access Trojan (RAT) that it has called FatalRAT. The malware is spreading across a range of forums and Telegram channels. Links to the malware are hidden in software download links and media articles. FatalRAT is a sophisticated piece of malware, both in its behaviour and in the capabilities that it offers an attacker.

AT&T has released the details of FatalRAT in a blog written by Ofer Caspi and Javi Ruiz. It says: “Analyzed samples are capable of performing defense evasion techniques, obtaining system persistence, logging user keystrokes, collecting system information, exfiltrating over encrypted command and control (C&C) channel.”

FatalRAT carries out significant tests before install

One thing that marks out FatalRAT is the number of tests that it carries out before it installs on a victim's machine. In the blog, Caspi and Ruiz show how it enumerates the technical specification of the target machine. It also looks for signs of virtual machines and checks the Windows registry. The check for virtual machines is likely to ensure that it has not been downloaded into a sandbox.

Assuming that the target passes all the tests, FatalRAT starts its installation process. The malware uses a range of encrypted configuration strings. To infect a machine, it has to decrypt these. The first allows it to establish a connection with its command and control (C&C) server. From there, it creates the malware name, a service name and then configures other settings.

Of interest is that FatalRAT prevents the user from locking the local machine. Finally, it installs a keylogger. Surprisingly, it is only at this point that the researchers say it looks for security products installed on the target computer.

What does FatalRAT do once installed?

The two researchers detail a list of commands that they have observed FatalRAT executing once installed. One of its primary functions is to spread itself across the network by brute-forcing passwords. Reading the blog, it seems that FatalRAT uses a very limited password list that relies on exceptionally weak passwords. It also has a limited number of user names containing some strange entries such as love, yeah, money and alex.
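One way to detect the network spread described above from logon records, as an added example that is not taken from the AT&T report or from this article: it flags any source whose failed logons within a short window cover several user names on several hosts, and reports any success that follows. The log format, addresses, host names and thresholds are assumptions; the user names are the ones quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (time, source, target host, user, result).
# Addresses and host names are invented; some user names are those the article quotes.
SAMPLE_LOG = """\
2021-08-03T10:00:01 10.0.0.23 FILESRV01 love FAIL
2021-08-03T10:00:02 10.0.0.23 FILESRV01 yeah FAIL
2021-08-03T10:00:04 10.0.0.23 HR-PC07 money FAIL
2021-08-03T10:00:05 10.0.0.23 HR-PC07 alex FAIL
2021-08-03T10:00:09 10.0.0.23 HR-PC07 alex OK
2021-08-03T10:01:00 10.0.0.41 FILESRV01 jsmith FAIL
2021-08-03T10:01:20 10.0.0.41 FILESRV01 jsmith FAIL
2021-08-03T10:01:45 10.0.0.41 FILESRV01 jsmith OK
2021-08-03T09:00:00 10.0.0.57 FILESRV01 backup FAIL
2021-08-03T11:30:00 10.0.0.57 HR-PC07 svc_scan FAIL
2021-08-03T14:00:00 10.0.0.57 FILESRV01 admin FAIL
"""

def parse(log):
    """Yield (timestamp, source, host, user, ok) tuples from the text format above."""
    for line in log.splitlines():
        if line.strip():
            ts, src, host, user, result = line.split()
            yield datetime.fromisoformat(ts), src, host, user, result == "OK"

def find_spread_attempts(events, window=timedelta(minutes=5), min_users=3, min_hosts=2):
    """Flag sources whose failed logons inside one window cover many users and hosts."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, src, host, user, ok in sorted(events):
        (successes if ok else failures)[src].append((ts, host, user))
    findings = {}
    for src, fails in failures.items():
        for i, (start, _, _) in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - start <= window]
            users = {u for _, _, u in burst}
            hosts = {h for _, h, _ in burst}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                # A success from the same source after the burst began needs triage first.
                hit = sorted((h, u) for t, h, u in successes[src] if t >= start)
                findings[src] = {"users": sorted(users), "hosts": sorted(hosts), "later_success": hit}
                break
    return findings

if __name__ == "__main__":
    for src, detail in find_spread_attempts(parse(SAMPLE_LOG)).items():
        print(src, detail)
```

A user mistyping their own password (10.0.0.41) and slow, unrelated failures spread over hours (10.0.0.57) are not flagged at the default five-minute window.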

FatalRAT targets different browsers and searches through the target machine for those browsers that are installed. According to the researchers: “Some of these routines include deleting user info for specific browsers (Edge, 360Secure Browser, QQBrowser, SogouBrowser, and Firefox). For Chrome, it will query for user info and then delete the content. Deleting saved information will force the user to input, for example, user and password which the malware can capture with its keylogger.”

In addition to this activity, the researchers say they have found the following commands:

  • Keylogger
  • Change resolution
  • Uninstall UltraViewer
  • Download and install AnyDesk
  • Execute shell commands
  • Modify registry keys
  • Download and execute a file

Enterprise Times: What does this mean?

Anti-sandbox checks, obfuscation, verification of system resources and collecting system data are signs of sophisticated malware. But with everything it has, it is strange that FatalRAT has such a poor user and password list for brute force attacks. It may be that it downloads a more sophisticated set of files once established on the local computer, and the researchers did not see this.

The success of FatalRAT across Telegram shows how people stop thinking about security when it comes to online communication platforms. The researchers say that users shouldn’t click on links or install software from unknown sources. If only it were that easy. If the links are hidden inside media sources, as suggested, then people will click, thinking that the link is trusted.

The researchers say they are already seeing variants appearing in their samples. What will be interesting is to see just how many new features it adds over time.

