# New sophisticated RAT in town: FatalRat analysis **[cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis](https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis)** [1. AT&T Cybersecurity](https://cybersecurity.att.com/) [2. Blog](https://cybersecurity.att.com/blogs) August 2, 2021 | [Ofer Caspi](https://cybersecurity.att.com/blogs/author/ofer-caspi) _This blog was written by Ofer Caspi and Javi Ruiz._ ## Summary AT&T Alien Labs™ has recently observed the presence of a new remote access trojan (RAT) malware in its threat analysis systems. The malware, known as FatalRAT (Firstly [named by](https://urldefense.com/v3/__https://twitter.com/c3rb3ru5d3d53c/status/1396821380256178179__;!!BhdT!0VBQ4oPQtWljVtTRSQfB5C_O6U46lbDFbQBZM068w7b7wckv_yV2zHNmEGV5XQ%24) [@c3rb3ru5d3d53c), appears to be distributed via forums and Telegram channels, hidden in](https://twitter.com/LittleRedBean2/status/1391012054228742148) download links that attempt to lure the user via software or media articles. ## Key takeaways: AT&T Alien Labs performed a malware analysis of the FatalRAT threat. We have observed a new spreading mechanism via Telegram channels. Analyzed samples are capable of performing defense evasion techniques, obtaining system persistence, logging user keystrokes, collecting system information, exfiltrating over encrypted command and control (C&C) channel. ## Analysis ----- FatalRAT is a remote access trojan with a wide set of capabilities that can be executed remotely by an attacker. The malware runs several tests before fully infecting a system, checking the existence of multiple virtual machine products, disk space, number of physical [processors, and more (T1497.001).](https://attack.mitre.org/techniques/T1497/001/) Figure 1. AntiVM techniques from a system report. One of the tests run by FatalRAT involves checking for existence of virtual machine services, as shown in figure 2. Figure 2. AntiVM techniques includes searching for services. Another includes querying the registry, as shown in figure 3. ----- Figure 3. AntiVM techniques - registry check. If the machine passes the malware AntiVM tests, FatalRAT will then starts its malicious activity. [First, it decrypts each of the configuration strings separately (T1027). These configuration](https://attack.mitre.org/techniques/T1027/) strings include the Command and Control (C&C) address, new malware file name, service name, and other settings. Figure 4. Decrypting configuration strings. Figure 5 shows the routine used by FatalRAT for decrypting strings. ----- Figure 5. Strings decryption routine. The malware will disable the ability to lock the computer by using CTRL+ALT+DELETE. For this purpose, the registry key DisableLockWorkstation is set to “1” as shown in figure 6 [(T1112).](https://attack.mitre.org/techniques/T1112/) Figure 6. Disable computer lockdown. [After the computer lockdown is disabled, the malware activates a keylogger (T1056.001).](https://attack.mitre.org/techniques/T1056/001/) See figure 7. Figure 7. FatalRat keylogger. ----- [FatalRat can persist either by modifying the registry (T1547.001) or by creating a new](https://attack.mitre.org/techniques/T1547/001/) [service (T1569.002). If persistence is done by modifying the registry, it will create the value](https://attack.mitre.org/techniques/T1569/002/) 'Software\Microsoft\Windows\CurrentVersion\Run\SVP7' to execute the malware at boot time. When using setting service for persistence, FatalRat will retrieve the description from its configuration as seen above in figure 4. Figure 8. FatalRat registry persistence. [The malware collects information from an infected machine and sends it to the C&C (T1020),](https://attack.mitre.org/techniques/T1020/) as shown in figure 9. This includes external IP address, username, and other information about the victim. Additionally, as a defense evasion technique, FatalRAT identifies all security products running on the machine by iterating through all running processes and searching for the [existence of a predefined list of security products (T1562.001), as shown in figure 10.](https://attack.mitre.org/techniques/T1562/001/) Figure 9. Collecting information. ----- Figure 10. Security product process search. Furthermore, to make it easier for the attacker to detect which security products are installed, it will convert the process name above to a product name before sending the list to the C&C. See figure 11. Figure 11. Security product process to name. ----- To communicate back to the C&C, the malware uses an arithmetic routine to encrypt the data sent between the victim and the attacker. This encryption includes a one-byte XOR key and [the addition of a constant to the obtained value (121 in this case) (T1573.001). See figure 12.](https://attack.mitre.org/techniques/T1573/001/) Figure 12. C&C communication decrypting routine. The encrypted message is then sent to the C&C as seen in the config from figure 4 through port 8081. Figure 13. Encrypted communication between infected host and C&C. The malware then waits for the attacker’s commands, of which it supports a wide range. For example, it has several routines to handle different browsers. Some of these routines include deleting user info for specific browsers (Edge, 360Secure Browser, QQBrowser, SogouBrowser, and Firefox). For Chrome, it will query for user info and then delete the content. Deleting saved information will force the user to input, for example, user and [password which the malware can capture with its keylogger. (T1119)](https://attack.mitre.org/techniques/T1119/) ----- Figure 14. Parsing C&C command. Some of the commands FatalRat supports are shown below. Spreading itself on the victim network by brute-forcing weak passwords through IPC$. If successful, the malware copies itself to the dedicated folder as %Folder%\hackshen.exe and will execute the copied file remotely. See figures 15-17. ----- Figure 15. Weak user and password for brute force. Figure 16. Brute force loop. ----- Figure 17. Copy and execute remote computer on successful brute-force attack. Either steal stored data (for chrome for example) or delete saved information with a handler for different browsers. See figure 18. Figure 18. Malware handlers for different browser. FatalRat also includes additional commands, for the following: Keylogger ----- Change resolution Uninstall UltraViewer Download and install AnyDesk Execute shell commands Modify registry keys Download and execute a file Figure 19. More available commands. ## Recommended actions 1. Do not click links or install software from unknown sources. 2. Install an antivirus and keep your system updated. 3. Always use an endpoint detection and response (EDR) solution or enable system log monitoring to allow SIEM correlation. 4. Monitor network traffic to command and control (C&C) patterns. ## Conclusion The newly identified FatalRat malware has been using techniques like obfuscation, antisandbox and antivirus evasion, encrypted configurations, logging user keystrokes, system persistence, login brute force, collection of system data, and encrypted communications with command and control server. Alien Labs has discovered multiple samples in the past few months, with a slight dip in July. However, we expect to continue to see the presence of FatalRat and its variants in our samples in the near future. AT&T Alien Labs will continue to monitor this threat and update intelligence as activity emerges. ## Detection methods ----- The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. SURICATA IDS SIGNATURES ``` alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN FatalRAT CnC Request"; flow:established,to_server; dsize:300<>500; content:"|BF BC 95|"; startswith; content:"|8D 8E 8E 5E 90 8E 8E 2C 1B 80 8E E6 02 A7 6D FC C6 00 06 4F 0E 97|"; distance:1; within:22; threshold:type limit, count 1, seconds 3600, track by_src; reference:md5,99fc53d3d4c2c31fd5b5f0f15dbdeab4; classtype:trojan-activity; sid:4002633; rev:1;) ``` ``` 2033093: ET TROJAN FatalRAT CnC Activity ``` YARA RULES ----- ``` rule FatalRAT_unpacked { meta: author = "AT&T Alien Labs" sha256 = "ec0dcfe2d8380a4bafadb3ed73b546cbf73ef78f893e32202042a5818b67ce56" type = "malware" description = "Detects FatalRAT, unpacked malware." copyright = "Alienvault Inc. 2021" strings: $decrypt_func = {EC 0F B6 45 10 99 B9 AB 05 00 00 56 F7 F9 8B 75 0C 80 C2 3D 85 F6 76 0F 8B 45 08 8A 08 32 CA 02 CA 88 08 40 4E 75 F4 5E 5D C3} $s1 = "SVP7-Thread running..." $s2 = "nw_elf.dll" condition: uint16(0) == 0x5a4d and all of them } ``` ## Associated Indicators of Compromise (IOCs) The following technical indicators are associated with the reported intelligence. A list of [indicators is also available in the OTX Pulse. Please note, the pulse may include other](https://otx.alienvault.com/pulse/60f02d70854fe24789907049) activities related but out of the scope of the report. TYPE INDICATOR SHA256 e52af19dce25d51f9cf258613988b8edc583f7c7e134d3e1b834d9aab9c7c4c4 SHA256 dc026cd76891d1f84f44f6789ac0145a458e2c704a7bc50590ec08966578edb3 ----- SHA256 cb450f82c49eadd597a87645f9f30c52c03c6ed9425386af5b321664fe3a6da0 SHA256 210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd SHA256 34f37327a0154d644854a723e0557c733931e2366a19bdb4cfe6f6ae6770c50f SHA256 ec0dcfe2d8380a4bafadb3ed73b546cbf73ef78f893e32202042a5818b67ce56 SHA256 b01719e59675236df1a0e1a78cdd97455c0cf18426c7ec0f52df1f3a78209f65 SHA256 72cd668d9bc442f522556807390d4f7e32966bef20ef1a831bf36a5ab213191e SHA256 1cabdb7ab1cbd0526498d15839c780850a41a8c917b65581fad9e7dbdedd5e0f SHA256 5453911d6f597d65ab542ec25723a7d87b2292c2e2a52a40d3a32032f6117acd SHA256 826d07108a1223140e6a58b44722404009ac2e82df0acfd7d1f5bf29b56526b6 SHA256 337841b5ade52ba853a30eb8ab04dede64d89808893fb6e0412247950295152 SHA256 17075832426b085743c2ba811690b525cf8d486da127edc030f28bb3e10e0734 IP ADDRESS 103.119.44[.]152 IP ADDRESS 103.119.44[.]93 IP ADDRESS 103.119.44[.]100 ## Mapped to MITRE ATT&CK [The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:](https://attack.mitre.org/) ----- TA0001: Initial Access T1566: Phishing T1566.002: Spearphishing Link TA0005: Defense Evasion T1027: Obfuscated Files or Information T1027.002: Software Packing T1497: Virtualization/Sandbox Evasion T1497.001: System Checks T1112: Modify Registry T1562: Impair Defenses T1562.001: Impair Defenses: Disable or Modify Tools TA0002: Execution T1569: System Services T1569.002: Service Execution TA0009: Collection T1056: Input Capture T1056.001: Keylogging T1119: Automated Collection TA0010: Exfiltration T1020: Automated Exfiltration TA0011: Command and Control T1573: Encrypted Channel T1573.001: Encrypted Channel: Symmetric Cryptography ### Share this with others Tags: [malware,](https://cybersecurity.att.com/blogs/tag/malware) [yara,](https://cybersecurity.att.com/blogs/tag/yara) [alien labs,](https://cybersecurity.att.com/blogs/tag/alien+labs) [otx,](https://cybersecurity.att.com/blogs/tag/otx) [otx pulse,](https://cybersecurity.att.com/blogs/tag/otx+pulse) [brute force attack,](https://cybersecurity.att.com/blogs/tag/brute+force+attack) [remote access trojan,](https://cybersecurity.att.com/blogs/tag/remote+access+trojan) [fatalrat,](https://cybersecurity.att.com/blogs/tag/fatalrat) [weak passwords](https://cybersecurity.att.com/blogs/tag/weak+passwords) -----