T-RAT 2.0: Malware control via smartphone

Malware sellers want to attract customers with convenience features. Now criminals can remote control malware during their bathroom routine by just using a smartphone and Telegram app.

Advertisments on Russian forums

The researcher @3xp0rtblog discovered T-RAT 2.0 and posted about it on Twitter, including a sample hash and selling threads on Russian forums. One extravagant advertisment is shown below.

The images below show a section each of a 1000×5429 advertisment banner posted on lolz.guru (found and reported by 3xp0rtblog). The Russian text praises comfort and convenience while using T-RAT because it can be controlled via smartphone with Telegram app.

Infection chain and persistence

The first known stage of infection is the downloader[4]. It obtains an encrypted file[6] from hxxps://hgfhhdsf.000webhostapp.com/1DJjnw(dot)jpg and saves it to  %TEMP%/gfdggfd.jpg.

For decrypting the payload, the downloader applies XOR with the key 0x01. The resulting file is a ZIP archive which it saves to %TEMP%/hrtghgesd​​​.zip. The downloader proceeds to delete %TEMP%/gfdggfd.jpg and extracts the ZIP archive. Sidenote: Both hardcoded names consist of characters whose keys are right besides each other on a QWERTY keyboard, so the threat actor likely just rolled a body part on the keyboard to create them.

The location of the extracted malware is determined as follows:

1) The downloader checks if the current user has administrator rights. If they have, the first part of the path is one of the following (chosen randomly)

  • %APPDATA%\Microsoft\Windows\
  • %USERPROFILE%\Windows\System32\
  • %LOCALAPPDATA%\Microsoft\Windows\​​​​​​​​​​​

If they don’t have administrator rights, the first part of the path is one of the following

  • %SYSTEM%\Microsoft\Protect\
  • %COMMONAPPDATA%\Microsoft\Windows\​​​​​​​​​
  • %USERPROFILE%\AppData\LocalLow\Microsoft\Windows\​​​​​​​​​​​​
  • C:\Windows\assembly\GAC\​​​​​​​​

2) For the second part of the malware path the downloader generates a random number between 347 and 568203, converts that to a string, then generates the hash either using MD5, SHA1 or SHA256. It uses the hash’s hexadecimal representation as second part of the malware path.

The archive contains the actual T-RAT executable, named sihost.exe, as well as several DLLs that the RAT needs. Some notable libraries are the Telegram.Bot.dll and socks5.dll.

A subfolder named service contains six more files (hashes are in the IoC listing):

FilenameDescription
conv.exeHigh Performance MPEG 1.0/2.0/2.5 Audio Player
in.exeRDP Wrapper
ultravnc.iniUltraVNC configuration file
vnchooks.dllUltraVNC – VNCHooks DLL
winserv1.exeVNC Server 32 bit
winserv2.exeVNC Server 64 bit

The downloader persists sihost.exe by scheduling a daily task. The name for the task is the processor ID of the system. If the current user has admin rights, it will set the run level to HIGHEST. Afterwards the downloader deletes itself with the help of a Batch file.

Content of ZIP archive [3]
Content of service folder in ZIP archive [3]

Packer and obfuscator

The original T-RAT sample[1] as well as the downloader[4] are .NET assemblies and packed the same way. The packed part is embedded as base64 string in the overlay of the file. Beginning and end of the strings are marked by the sequence „ghjghjbnv“. The packer stub searches the sequence to find the packed image, decodes the base64 string and dynamically loads the resulting .NET assembly.

The base64 string with marker sequence in a hex editor
PortexAnalyzer visualization makes the base64 string visible as blue area in the byteplot.

The unpacked .NET assemblies[2][4] are obfuscated with a variant of ConfuserEx. Some Russian strings are visible but most of the referenced strings are base64 encoded.

After deobfuscating the assembly with NoFuserEx, the base64 encoded strings remain. I wrote a small Python script to do the rest (see Appendix A). It replaces the IL code for calls to FromBase64String with NOPs and replaces the base64 strings with their decoded counterparts. Since the decoded strings are shorter, the remainder is filled with U+200B which is the zero width space Unicode character. (Sidenote: this is a rather lazy solution which does not create a perfectly working executable but is good enough for continuing static analysis.)

The most time-intensive part of deobfuscation for this assembly cannot be automated. The symbol names for methods and classes were eradicated by the obfuscator. So while analysing the code of T-RAT, I added my own names along the way. The code base is comparably on the large side with 98 different commands to control the T-RAT client.

T-RAT sample before and after manual deobfuscation

Functionality overview

The attacker controls T-RAT via Telegram using text based commands and command buttons provided by the RAT. The commands are in English, the help messages mostly Russian. One section of the advertisment banner demonstrates the controls and how they look like on the phone (see picture below).

MORE HERE