See figure 7.įatalRat can persist either by modifying the registry ( T1547.001) or by creating a new service ( T1569.002). For this purpose, the registry key DisableLockWorkstation is set to “1” as shown in figure 6 ( T1112).Īfter the computer lockdown is disabled, the malware activates a keylogger ( T1056.001). The malware will disable the ability to lock the computer by using CTRL+ALT+DELETE. Decrypting configuration strings.įigure 5 shows the routine used by FatalRAT for decrypting strings. These configuration strings include the Command and Control (C&C) address, new malware file name, service name, and other settings.įigure 4. If the machine passes the malware AntiVM tests, FatalRAT will then starts its malicious activity.įirst, it decrypts each of the configuration strings separately ( T1027). AntiVM techniques includes searching for services.Īnother includes querying the registry, as shown in figure 3.įigure 3. One of the tests run by FatalRAT involves checking for existence of virtual machine services, as shown in figure 2.įigure 2. The malware runs several tests before fully infecting a system, checking the existence of multiple virtual machine products, disk space, number of physical processors, and more ( T1497.001).įigure 1. Analyzed samples are capable of performing defense evasion techniques, obtaining system persistence, logging user keystrokes, collecting system information, exfiltrating over encrypted command and control (C&C) channel.įatalRAT is a remote access trojan with a wide set of capabilities that can be executed remotely by an attacker.We have observed a new spreading mechanism via Telegram channels.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |