T-RAT! Via Telegram, for a few $

Security researchers have discovered a new remote access trojan (RAT) being advertised on underground hacking networks. Named T-RAT, the malware is available for only $45 via a Telegram channel. Its selling point is that control of an infected machine can be gained at lightning speed, before the infection is detected.

It supports commands that, when typed inside the main chat window, allow the RAT owner to retrieve browser passwords and cookies, navigate the victim’s filesystem and search for sensitive data, deploy a keylogger, record audio via the microphone, take screenshots of the victim’s desktop, take pictures via the webcam, and retrieve clipboard contents.

T-RAT owners can also deploy a clipboard hijacking mechanism that replaces strings that look like cryptocurrency and digital payment addresses with the attacker's own, allowing the attacker to divert transactions for payment solutions like Qiwi, WMR, WMZ, WME, WMX, Yandex money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin, and Tron.
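The substitution mechanism described above relies on recognising address-shaped strings in the clipboard. As an added example that is not part of the original article, the following Python shows the defender-side counterpart: a check that compares what the user copied with what is about to be pasted and flags a same-scheme substitution. The regular expressions and the sample addresses are constructed for illustration (assumptions, not authoritative validators), and the copied and pasted values are passed in as strings rather than read from a live clipboard.

```python
import re

# Constructed, simplified recognisers for a few of the address schemes named in
# the article. They are illustrative assumptions, not authoritative validators.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"(bc1[02-9ac-hj-np-z]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "Ripple": re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}"),
    "Dogecoin": re.compile(r"D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}"),
    "Tron": re.compile(r"T[1-9A-HJ-NP-Za-km-z]{33}"),
}


def classify_address(text):
    """Return the name of the first scheme whose pattern fully matches text, or None."""
    s = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(s):
            return name
    return None


def check_clipboard_swap(copied, pasted):
    """Compare the value the user copied with the value that arrives on paste.

    Returns a dict with a 'suspicious' flag and a human-readable reason. A
    clipboard hijacker of the kind described in the article leaves non-address
    text alone and replaces an address with another address of the same scheme,
    so that is the case this check treats as most suspicious.
    """
    copied_type = classify_address(copied)
    pasted_type = classify_address(pasted)
    if copied_type is None:
        return {"suspicious": False, "reason": "copied text is not a recognised address"}
    if copied.strip() == pasted.strip():
        return {"suspicious": False, "reason": "clipboard unchanged"}
    if pasted_type == copied_type:
        return {
            "suspicious": True,
            "reason": f"{copied_type} address replaced by a different {copied_type} address",
        }
    return {"suspicious": True, "reason": "address was altered in the clipboard"}


# Constructed sample values (not real wallets): the address the user copied and
# the address that actually arrived on paste.
COPIED = "1CopiedAddrSampLeUuBbXyZ8mNpQrStVw"
PASTED = "1SwappedAddrSampLeUuBbXyZ8mNpQrStVw"

if __name__ == "__main__":
    print(classify_address(COPIED))
    print(check_clipboard_swap(COPIED, COPIED))
    print(check_clipboard_swap(COPIED, PASTED))
```

Hooking this into a real workflow means reading the clipboard through a platform library at copy time and again just before a payment form is submitted; the comparison logic itself stays the same. The check only catches substitutions that happen between those two reads, which is exactly the window a clipboard hijacker uses.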

The RAT can also run terminal commands (CMD and PowerShell), block access to certain websites, kill processes, and even disable the taskbar and the Task Manager.

Distribution vector remains unknown
For now, the threat from T-RAT is relatively low. It usually takes a few months before threat actors learn to trust a new commercial malware strain.

GravityRAT now affects mobile devices

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT remote access trojan (RAT) is believed to be the work of Pakistani hacker groups and has been under development since at least 2015.

Malware researchers found the new Android GravityRAT sample in 2019. The hackers had added a spy module to Travel Mate, an Android app for travelers to India whose source code is available on GitHub.

The tainted app is able to steal contacts, emails, and documents from the infected device and send them back to the command-and-control (C&C) server. The C&C server was also associated with two other malicious apps targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • scan ports

The malware was distributed via applications that clone legitimate apps and act as downloaders for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and the Electron framework; they achieve persistence by adding a scheduled task.

Threat actors tricked victims into installing a malicious app disguised as a secure messenger, under the pretext of continuing a conversation there, and so infected their devices.

What is peculiar about GravityRAT is that it no longer infects only Windows: it now targets Android and iOS devices too.

SlothfulMedia, alert by DOD & DHS 👹

The DOD and DHS have released a joint security advisory regarding a new malware dubbed “SlothfulMedia”, which is being used in ongoing attacks.

SlothfulMedia is an information-stealer capable of logging keystrokes of victims and modifying files, which “has been used by a sophisticated cyber actor.” The two agencies did not reveal the name of the threat actor in question.

The report also does not mention the scope of the attacks or the targeted countries, but the malicious campaign has been aimed at targets in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine.

The SlothfulMedia malware deploys two files when executed. The first file is a remote access tool (RAT) named mediaplayer.exe, which is designed for command and control (C2) of victim computer systems. The RAT is able to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It communicates with its command and control server using Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).

The second file deletes the dropper after the RAT gains persistence on the victim system using the “Task Frame” service, which ensures that the RAT is loaded after reboot.

The agencies uploaded the malware sample to the VirusTotal malware-sharing repository.