TgRat, a Telegram-controlled trojan, was discovered attacking Linux servers in an attempt to steal data from a compromised system.
The TgRat trojan was first identified in 2022.
Although the original version of the trojan was small and designed for Windows, the latest version uses the widely used messaging app Telegram to target Linux servers.
“The trojan is controlled through a private Telegram group to which the bot is connected. Using the messenger, attackers can issue commands to the trojan.
It can download files from a compromised system, take a screenshot, remotely execute a command, or upload a file as an attachment”, Dr. Web shared with Cyber Security News.
How Does the Telegram-Controlled Trojan Steal Data?
Given the popularity of the Telegram application and the regular traffic to its servers, it is not unusual for threat actors to use it as a vector to distribute malware and steal sensitive data.
Because that traffic blends in, it is simple to hide the malware’s command channel on a compromised network. The trojan is made to target particular computers: upon startup, it compares a hash of the computer name with a string embedded in the binary.
If the values do not match, TgRat terminates its own process. Otherwise, it establishes a network connection and employs a peculiar approach to communicate with its control server, which is a Telegram bot.
Attackers can give commands to the trojan using the messenger. It can upload data as attachments, capture screenshots, remotely run commands, and download files from a hacked system.
Unlike its Windows counterpart, this version lets attackers issue commands to multiple bots. Researchers stated that the trojan ran commands through the bash interpreter and that its commands were encrypted using RSA, allowing entire scripts to be executed in a single message.
Because every trojan instance had a distinct ID, attackers could address several bots from a single chat room by sending commands to each one of them.
Even though the trojan and control server’s method of interaction is unusual, the attack can be identified by closely examining network traffic.
While data exchange with Telegram’s servers may be commonplace for user computers, it is not conventional for a local network server.
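The detection hint above, that Telegram traffic is normal for user workstations but not for a local network server, can be turned into a simple hunting rule over proxy or DNS logs. The script below is an added example and is not code from the article or from Dr. Web; the log format, the server subnet and the log lines are constructed for illustration, and matching on the Telegram domain names (rather than on IP ranges) is an assumption made to keep the example self-contained.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real data): "timestamp src_ip dst_host dst_port bytes"
SAMPLE_LOG = """\
2024-07-15T09:12:01Z 10.0.5.21 api.telegram.org 443 1842
2024-07-15T09:12:03Z 10.0.1.14 www.example.com 443 5120
2024-07-15T09:12:07Z 10.0.5.21 api.telegram.org 443 7732
2024-07-15T09:13:10Z 10.0.1.30 web.telegram.org 443 9021
2024-07-15T09:14:44Z 10.0.5.40 updates.example.org 80 310
"""

# Assumption for this example: servers live in 10.0.5.0/24, workstations elsewhere.
# In a real deployment this would come from the asset inventory.
SERVER_SUBNETS = [ipaddress.ip_network("10.0.5.0/24")]

# Hosts that indicate a Telegram (bot API) connection; matches the domain and any subdomain.
TELEGRAM_HOST_RE = re.compile(r"(^|\.)(telegram\.org|t\.me)$", re.IGNORECASE)


def is_server(ip: str) -> bool:
    """True when the source address belongs to a server subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_SUBNETS)


def is_telegram_host(host: str) -> bool:
    """True when the destination hostname is a Telegram domain."""
    return TELEGRAM_HOST_RE.search(host) is not None


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, host, port, nbytes = parts
    return {"ts": ts, "src": src, "host": host, "port": int(port), "bytes": int(nbytes)}


def find_suspicious(log_text: str) -> dict:
    """Return {server_ip: [records]} for servers that talked to Telegram domains.

    Workstation traffic to Telegram is ignored, since the article notes it is
    commonplace there; only server-tier sources are flagged.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_server(rec["src"]) and is_telegram_host(rec["host"]):
            hits[rec["src"]].append(rec)
    return dict(hits)


def summarize(hits: dict) -> dict:
    """Aggregate flagged connections per server: count and total bytes."""
    return {
        src: {"connections": len(recs), "bytes": sum(r["bytes"] for r in recs)}
        for src, recs in hits.items()
    }


if __name__ == "__main__":
    for src, stats in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"server {src}: {stats['connections']} Telegram connections, {stats['bytes']} bytes")
```

On the constructed log, only 10.0.5.21 is reported: its two connections to api.telegram.org come from the server subnet, while the workstation 10.0.1.30 talking to web.telegram.org is left alone. Feeding real proxy or DNS logs into `find_suspicious` and reviewing the flagged servers is the kind of traffic examination the researchers describe.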
It is challenging for victims to identify the infection because of this special control mechanism that allows attackers to send commands to the compromised system silently.
Therefore, it is advised to install antivirus software on every local network node to prevent infection.