AT&T Alien Labs has released a report detailing a new remote access trojan (RAT) that is circulating online. By its name FatalRAT, its goal is to distribute compromised links on Telegram channels.

What Is a RAT?

According to our glossary, a RAT is a trojan that chooses a victim and gains access to their privileged rights, thus allowing hackers to have unrestricted control over a computer. The main goal of such malware is data exfiltration and can infect other devices too.

How Does the FatalRAT Work?

Following the report’s description, FatalRAT takes actions using the bellow pattern:

  • In the initial stage of the attack, FatalRAT engages in running various tests.
  • The tests’ goal is to find products of the virtual machine, gain knowledge of how many physical processors it has and also verify the disk space.
  • The point when it initializes its malicious task is when AntiVM tests are passed by the machine.
  • The configuration strings that contain the C2 address, the new malware, and the service name are decrypted separately.
  • Then, if a user wants to use the registry key DisableLockWorkstation to lock the device through CTRL+ALT+DELETE he cannot do it. This way, FatalRAT makes a keylogger active.
  • The victim’s information is sent to the C2 server, but before reaching the servers, the hacker makes use of a defense evasion technique to identify the machine’s security products.
  • The data sent to the C2 is encrypted and distributed via port 8081. Then the hackers should just run the command.

What Damages Can the Trojan Cause?

FatalRAT can be responsible for a series of malicious activities’ results. According to, it can be deployed remotely, take advantage of the defense evasion method described above, have the capabilities to persist in the system, gain access to users’ keystrokes. Also, shell commands can be performed, registry keys can be changed and it can also easily execute files. All these with the goal to gather and retrieve system confidential data through a command-and-control channel that is encrypted.

Alien Labs Security Researcher Ofer Caspi declared that:

FatalRAT can persist either by modifying the registry or by creating a new service. If persistence is done by modifying the registry, it will create the value ‘SoftwareMicrosoftWindowsCurrentVersionRunSVP7’ to execute the malware at boot time. When using setting service for persistence, FatalRat will retrieve the description from its configuration.


Telegram: Target of Cyberattacks

It’s not the first time Telegram is targeted by malware.

Let’s remember the Toxic Eye Rat back in April, when threat actors used Telegram, the software and application service for cloud-based instant messaging, to distribute Toxic Eye via phishing e-mails. When the victims downloaded the malicious file embedded in the attachment, Toxic Eye could compromise the device.

Or when the macOS Malware stole Google Chrome Info and Telegram Accounts. The pattern was similar to this case of FatalRAT. Sensitive data was collected and sent to a remote command-and-control server.

Why Is Telegram a Target for Malware?

FatalRAT, Toxic Eye, macOS Malware, and maybe many more malware take advantage of the Telegram App. But why is it so easy to be exploited? A reason could be that

Telegram is a legitimate, easy-to-use, and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools. Attackers can remain anonymous as the registration process requires only a mobile number.


A MacOS Malware Is Stealing Telegram Accounts and Google Chrome Data

ToxicEye RAT Exploits Telegram Communications to Steal Users’ Data

What is a Remote Access Trojan (RAT)?

ObliqueRAT Infiltrates into Victims’ Endpoints Using Malicious Documents

Leave a Reply

Your email address will not be published. Required fields are marked *