T-RAT: sold via Telegram for a few $

Security researchers have discovered a new remote access trojan (RAT) being advertised on underground hacking forums. Named T-RAT, the malware is available for only $45 via a Telegram channel. Access to an infected machine is said to be gained at lightning speed, before the malware gets detected.

It supports commands that, when typed inside the main chat window, allow the RAT owner to retrieve browser passwords and cookies, navigate the victim’s filesystem and search for sensitive data, deploy a keylogger, record audio via the microphone, take screenshots of the victim’s desktop, take pictures via the webcam, and retrieve clipboard contents.

T-RAT owners can also deploy a clipboard hijacking mechanism that replaces strings that look like cryptocurrency and digital currency addresses with the attacker’s own, allowing the attacker to hijack transactions for payment solutions such as Qiwi, WMR, WMZ, WME, WMX, Yandex Money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin, and Tron.

The RAT can also run terminal commands (CMD and PowerShell), block access to certain websites, kill processes, and even disable the taskbar and the Task Manager.

Distribution vector remains unknown
For now, the threat from T-RAT is relatively low. It usually takes a few months before threat actors learn to trust a new commercial malware strain.

LatAM Banking Trojan

The Mekotio banking Trojan, originally known for targeting banking customers in Chile, has been expanding its scope both geographically and tactically. Mekotio is the second banking malware observed doing this within the week.

Multiple distinct malware families have wreaked havoc on Latin American banks for years; the variants include Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek.

Mekotio expands across Latin America

Mekotio’s operators have been regularly updating their malware to cover more financial organizations across several Latin American countries, and some new enhancements have been observed recently.

  • Researchers found several variants of the Mekotio Trojan that specifically target users in Spain. Besides normal banking services, it also targets e-banking users from a small set of countries.
  • The malware spreads through spam emails that use social engineering tactics, such as impersonating government or private agencies, to lure users into clicking on malicious links included in the message body.
  • Mekotio can steal banking credentials stored in some web browsers, such as Google Chrome and Opera. Additionally, it has been updated with the functionality of replacing bitcoin wallet addresses copied to the clipboard with the attacker’s wallet address.
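Both T-RAT and Mekotio are described above as swapping a cryptocurrency address on the clipboard for the attacker’s own. The following PowerShell script is an added example, not code from the article or from any of the malware families it covers; it demonstrates one defender-side heuristic for spotting that behaviour: two different address-shaped strings of the same type landing on the clipboard within a few seconds of each other, which is what a silent replacement looks like from the user’s side. The address regexes are approximate shape checks (assumed, not full validation), the sample addresses are constructed and not real wallets, and the `Find-SuspectSwaps`, `Get-AddressType` and `Watch-Clipboard` function names are my own.

```powershell
# Added example (not from the article): detect the clipboard-swap behaviour
# described for T-RAT and Mekotio, where a copied cryptocurrency address is
# silently replaced by another address of the same type.
# Heuristic: two different address-looking strings of the same type seen on the
# clipboard within a short window. Regexes are approximate shape checks only.

$AddressPatterns = [ordered]@{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
    'BTC-bech32' = '^bc1[ac-hj-np-z02-9]{39,59}$'
    'ETH'        = '^0x[0-9a-fA-F]{40}$'
    'TRX'        = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
}

# Returns the pattern name the text matches, or $null if it is not address-shaped.
function Get-AddressType {
    param([string]$Text)
    if (-not $Text) { return $null }
    $t = $Text.Trim()
    foreach ($name in $AddressPatterns.Keys) {
        if ($t -match $AddressPatterns[$name]) { return $name }
    }
    return $null
}

# $Observations: objects with Time (DateTime) and Text (string), ordered by time.
# Returns one alert object per suspicious replacement.
function Find-SuspectSwaps {
    param(
        [object[]]$Observations,
        [int]$WindowSeconds = 3
    )
    $alerts = @()
    $prev = $null
    foreach ($obs in $Observations) {
        $type = Get-AddressType $obs.Text
        if ($type -and $prev -and $prev.Type -eq $type -and
            $prev.Text -ne $obs.Text.Trim() -and
            ($obs.Time - $prev.Time).TotalSeconds -le $WindowSeconds) {
            $alerts += [pscustomobject]@{
                Type     = $type
                Original = $prev.Text
                Replaced = $obs.Text.Trim()
                At       = $obs.Time
            }
        }
        if ($type) {
            $prev = [pscustomobject]@{ Type = $type; Text = $obs.Text.Trim(); Time = $obs.Time }
        }
    }
    return $alerts
}

# Live monitor: polls the clipboard (Get-Clipboard, PowerShell 5+) and warns when a
# swap is seen. Run interactively; stop with Ctrl+C.
function Watch-Clipboard {
    param([int]$PollMs = 250)
    $history = @()
    $last = $null
    while ($true) {
        $text = Get-Clipboard -Raw -ErrorAction SilentlyContinue
        if ($text -and $text -ne $last) {
            $history += [pscustomobject]@{ Time = Get-Date; Text = $text }
            $history = @($history | Select-Object -Last 10)   # keep a short window
            $hits = @(Find-SuspectSwaps -Observations $history)
            if ($hits.Count -gt 0) {
                $h = $hits[-1]
                Write-Warning "Clipboard $($h.Type) address changed from $($h.Original) to $($h.Replaced)"
            }
            $last = $text
        }
        Start-Sleep -Milliseconds $PollMs
    }
}

# Constructed demonstration (fake, shape-only addresses, not real wallets): a user
# copies one BTC address and 0.4 s later the clipboard holds a different one.
$t0 = Get-Date
$sample = @(
    [pscustomobject]@{ Time = $t0;                       Text = 'hello world' }
    [pscustomobject]@{ Time = $t0.AddSeconds(1);         Text = '1AbCdEfGhJkMnPqRsTuVwXyZ2345678' }
    [pscustomobject]@{ Time = $t0.AddMilliseconds(1400); Text = '1ZyXwVuTsRqPnMkJhGfEdCbA2345678' }
)
Find-SuspectSwaps -Observations $sample | Format-Table -AutoSize
```

The pure `Find-SuspectSwaps` function carries the logic so it can be exercised offline on a recorded sequence, as the constructed sample at the end does; `Watch-Clipboard` is the thin live wrapper around it. A short window plus a same-type requirement keeps false positives down, since a user legitimately pasting two different addresses of the same kind within three seconds is rare.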

Since its first detection in March 2018, Mekotio’s developers have been making gradual improvements to this Windows-based malware, which is written in Embarcadero Delphi.

Current coverage

As of now, Mekotio has a presence in Chile (the highest detection rate), followed by Brazil and Mexico (medium detection rates), and then Peru, Colombia, Argentina, Ecuador, and Bolivia.

Lauda (Loda) RAT

Lauda (Loda) RAT is a Remote Access Trojan that malware analysts have been tracking in recent years; it was first spotted back in 2017. Loda RAT is a simple RAT, but that does not mean it is ineffective. The trojan is written in the AutoIT scripting language, which is not uncommon. Once Loda RAT compromises a system, it is able to perform a long list of tasks.

Loda RAT appears to primarily target users in the United States, Central America, and South America. The creators of Loda RAT distribute it through phishing emails that link users to a fake page under the attackers’ control. This page hosts various macro-laced documents that exploit a known vulnerability, CVE-2017-11882. Upon infecting the target computer, Loda RAT establishes a connection with its operators’ C&C (Command and Control) server.

The abilities

Once Loda RAT has successfully connected to the C&C server, it waits for commands from the attackers. Loda can collect information such as passwords and login credentials. In addition to collecting login credentials, Loda RAT can also:

  • Take screenshots of the user’s desktop and active window.
  • Launch a keylogger that will collect keystrokes.
  • Use the victim’s microphone to record audio.

Recently, the creators of Loda RAT have updated the trojan with several self-preservation features. Its code has been obfuscated to avoid detection by anti-malware tools, and that obfuscation also makes it harder for security researchers to study the threat. Loda can also scan the processes running on the compromised system and detect whether an anti-virus application is running. Loda RAT achieves persistence on compromised computers using two common tricks:

  • It uses the Windows Task Scheduler to ensure that its components will start with Windows.
  • It inserts a new Autorun Windows registry key that commands Windows to execute Loda RAT at launch.
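The two persistence locations just listed, the Task Scheduler and the Run/RunOnce registry keys, are also the first places a responder checks. The script below is an added triage example, not code from the article or from any Loda RAT analysis; it enumerates both locations on a Windows host and flags autostart entries whose command points into user-writable directories (the directory list is an assumption to be tuned per environment; `Test-SuspectPath` is my own helper name). Run it in an elevated PowerShell session so HKLM and all scheduled tasks are readable.

```powershell
# Added example (not from the article): triage the autostart locations that Loda RAT
# is reported to abuse, the Run/RunOnce registry keys and Scheduled Tasks.
# Entries whose executable lives under a user-writable path are marked Suspect=True;
# the list of such paths is an assumption and will need tuning for your estate.

$suspectRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC
) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

# True when the command line references one of the user-writable roots.
function Test-SuspectPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    $c = $Command.ToLowerInvariant()
    foreach ($root in $suspectRoots) {
        if ($c.Contains($root)) { return $true }
    }
    return $false
}

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# Registry autostart values: every non-PS* property of the key is an autorun entry.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $findings += [pscustomobject]@{
            Source  = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Suspect = Test-SuspectPath ([string]$p.Value)
        }
    }
}

# Scheduled tasks: each task may carry several actions; inspect the executable of each.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if (-not $cmd) { continue }           # non-executable actions (e.g. COM handlers)
        $findings += [pscustomobject]@{
            Source  = "Task: $($task.TaskPath)$($task.TaskName)"
            Name    = $task.TaskName
            Command = $cmd
            Suspect = Test-SuspectPath $cmd
        }
    }
}

# Suspect entries first; review those by hand (hash the binary, check its signature).
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

The path heuristic is deliberately coarse: legitimate updaters also start from `%ProgramData%` or `%LOCALAPPDATA%`, so a True flag is a prompt to look at the binary, not a verdict. Baselining the output from a known-clean build and diffing against it is the usual way to make this check quiet enough to run routinely.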

Alien RAT 👽 Banking Trojan

Alien RAT with 2FA-Stealing Technique
A new variant of the Cerberus malware, which has been available for rent on underground forums since January, has been found infecting Android devices and targeting more than 200 applications.

The newly identified banking trojan called Alien shares several common capabilities with the Cerberus banking malware.

Researchers reported that Alien RAT targets a list of at least 226 mobile applications, including banking apps such as BBVA Spain and Bank of America Mobile Banking, as well as a slew of collaboration and social networking apps such as Twitter, Snapchat, and Instagram.

It comes equipped with an advanced ability to bypass two-factor authentication (2FA) security measures to steal the victim’s credentials. The malware also abuses the TeamViewer application to gain full remote control over the victim’s devices.

Researchers speculate that Alien RAT is a fork of the Cerberus malware, which has undergone a steady decline in use over the past year and was put up for sale in August. Besides the shared capabilities, there are a few notable differences.

Alien RAT has been implemented separately from the main command handler using different command-and-control (C2) endpoints.

Moreover, Alien’s 2FA-stealing technique is a feature beyond Cerberus’s capabilities.

More malware adding 2FA-bypass technique
Several attackers and malware operators have upgraded their malware and attack vectors with 2FA-bypass techniques in order to carry out more successful attacks.

Banking trojans have recently been evolving with new and improved features to increase the success rate of fraud. Financial institutions are advised to assess their current and future threat exposure and implement the relevant detection and control mechanisms as early as possible.