Cybercriminals Exploit Telegram to Deploy ResokerRAT, a Stealthy Remote Access Trojan
A newly identified remote access trojan (RAT) named ResokerRAT is leveraging Telegram’s bot API to infiltrate and control Windows systems covertly. This malware circumvents traditional command-and-control (C2) infrastructures by utilizing a widely trusted messaging platform, thereby complicating detection efforts for standard network security tools.
Delivery and Execution
ResokerRAT is disseminated through an executable file named Resoker.exe. Upon execution, the malware operates silently in the background, establishing persistence, requesting elevated privileges, and preparing to execute remote commands.
K7 Security Labs analysts have observed that one of the malware’s initial actions is creating a mutex called Global\ResokerSystemMutex using the Windows CreateMutexW API. This mutex ensures that only one instance of the malware runs on the system at any given time. Additionally, ResokerRAT employs the IsDebuggerPresent function to detect the presence of debugging tools. If a debugger is detected, the malware triggers a custom exception to disrupt analysis attempts.
To gain higher system privileges, the malware attempts to relaunch itself with administrator rights using the ShellExecuteExA function with the runas option. If successful, the original process terminates, and the elevated process continues its operations. In cases where this elevation fails, the malware reports the error back through the Telegram bot. Furthermore, ResokerRAT scans for and terminates processes associated with analysis tools such as Task Manager (Taskmgr.exe), Process Explorer (Procexp.exe), and Process Hacker (ProcessHacker.exe) using the TerminateProcess function.
Persistence Mechanisms
ResokerRAT employs several techniques to maintain a foothold on the infected system:
– Registry Modification: Upon receiving the `/startup` command from the attacker, the malware writes its executable path to the Windows registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with the value name `Resoker`. This entry ensures that the malware launches automatically at each user logon. A confirmation message reading "Added to startup" is then sent back to the attacker.
– Scheduled Tasks: The malware can create scheduled tasks that execute at specified intervals, allowing it to re-establish itself if removed.
– Service Installation: ResokerRAT has the capability to install itself as a system service, ensuring it runs with elevated privileges and starts automatically.
Command-and-Control via Telegram
The most distinctive feature of ResokerRAT is its use of Telegram’s Bot API for C2 communication. This approach offers several advantages to the attackers:
– Evasion of Detection: By using a legitimate and widely used platform like Telegram, the malware’s network traffic blends with normal user activity, making it less likely to be flagged by security solutions.
– Reliability: Telegram’s robust infrastructure ensures reliable delivery of commands and exfiltration of data.
– Anonymity: Attackers can maintain anonymity by operating through Telegram bots, which can be created with minimal personal information.
ResokerRAT constructs URLs using hardcoded bot tokens and chat IDs to continuously poll Telegram for new instructions. Before transmitting collected data, the malware encodes the content using URL encoding to evade network filters. This recurring traffic pattern has been confirmed through network capture analysis.
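The polling pattern described above is what a defender can hunt for in proxy or egress logs. The following Python script is an added example written for this article, not code from the malware or from K7 Security Labs: it parses constructed proxy log lines, recognises Telegram Bot API calls by the `/bot<bot_id>:<secret>/<method>` path shape, groups them per client and bot, and flags any client that polls `getUpdates` at a short, regular cadence. It also URL-decodes the `text` parameter of `sendMessage` calls so the analyst can see what was reported back, and masks the bot secret in its output so the token is not copied into tickets or dashboards. The log format, the user-agent strings, the token value and the 60-second/5-poll thresholds are all constructed assumptions.

```python
import re
import statistics
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (not a real capture). Fields: timestamp, client IP, HTTP
# method, URL, quoted user agent. Host 10.0.0.12 polls one bot every five seconds
# and then reports "Added to startup"; the last two lines are unrelated traffic
# for contrast. The token is a placeholder in Telegram's <bot_id>:<secret> shape.
TOKEN = "1234567890:AAFdummyTOKENdummyTOKENdummyTOKEN01"
SAMPLE_PROXY_LOG = "\n".join(
    [f'2024-05-06T10:00:{5 * i:02d}Z 10.0.0.12 GET '
     f'https://api.telegram.org/bot{TOKEN}/getUpdates?offset=17 "WinHTTP-Agent"'
     for i in range(6)]
    + [f'2024-05-06T10:00:27Z 10.0.0.12 GET https://api.telegram.org/bot{TOKEN}'
       f'/sendMessage?chat_id=987654321&text=Added%20to%20startup "WinHTTP-Agent"',
       '2024-05-06T10:00:30Z 10.0.0.40 GET https://telegram.org/ "Mozilla/5.0"',
       '2024-05-06T10:01:00Z 10.0.0.51 POST https://api.telegram.org/'
       'bot55555:AAFotherPlaceholderSecretValue000000/sendMessage "curl/8.0"']
)

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
BOT_PATH_RE = re.compile(r'^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$')


def parse_line(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "method": method, "url": url, "ua": ua}


def extract_bot_call(url):
    """Return bot_id, secret, API method and decoded query for a Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    bot_id, secret, api_method = m.groups()
    # parse_qs performs the URL decoding, so "Added%20to%20startup" becomes readable.
    return {"bot_id": bot_id, "secret": secret, "api_method": api_method,
            "query": parse_qs(parts.query)}


def mask_token(bot_id, secret):
    """Keep the bot id (useful for correlation) but hide the secret part of the token."""
    return f"{bot_id}:{secret[:3]}{'*' * (len(secret) - 3)}"


def analyze_proxy_log(text, min_polls=5, max_median_interval=60.0):
    """Flag (client, bot) pairs that poll getUpdates often and at a regular cadence."""
    sessions = {}
    for line in text.splitlines():
        rec = parse_line(line)
        call = extract_bot_call(rec["url"]) if rec else None
        if not call:
            continue
        s = sessions.setdefault((rec["src"], call["bot_id"]), {
            "token": mask_token(call["bot_id"], call["secret"]),
            "polls": [], "messages": [], "user_agents": set()})
        s["user_agents"].add(rec["ua"])
        if call["api_method"] == "getUpdates":
            s["polls"].append(rec["ts"])
        elif call["api_method"].startswith("send"):
            q = call["query"]
            s["messages"].append((q.get("chat_id", [""])[0], q.get("text", [""])[0]))

    findings = []
    for (src, bot_id), s in sessions.items():
        polls = sorted(s["polls"])
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        # A single sendMessage from a script or integration never reaches min_polls.
        if len(polls) >= min_polls and statistics.median(gaps) <= max_median_interval:
            findings.append({"src": src, "bot_id": bot_id, "token": s["token"],
                             "poll_count": len(polls),
                             "median_interval_s": statistics.median(gaps),
                             "messages": s["messages"],
                             "user_agents": sorted(s["user_agents"])})
    return findings


if __name__ == "__main__":
    for f in analyze_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[!] {f['src']} polls bot {f['token']} every ~{f['median_interval_s']}s "
              f"({f['poll_count']} polls); reported: {f['messages']}")
```

On a real proxy the same logic applies to whatever field layout the proxy writes; only `LINE_RE` needs adapting. Grouping by `bot_id` rather than by the full token keeps the secret out of the finding while still letting several infected hosts that share one hardcoded token be tied together.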
Capabilities and Impact
ResokerRAT is equipped with a range of functionalities that enable comprehensive control over the infected system:
– Screenshot Capture: The malware can capture screenshots of the victim’s desktop, providing attackers with visual insights into the user’s activities.
– File Download and Execution: It can download additional payloads or updates from remote servers and execute them on the compromised machine.
– System Information Gathering: ResokerRAT collects detailed information about the system, including operating system version, installed software, and hardware specifications.
– Process Management: The malware can list, start, and terminate processes, allowing attackers to control running applications and services.
– Command Execution: It can execute arbitrary commands received from the attacker, providing a versatile platform for various malicious activities.
– Security Feature Manipulation: ResokerRAT can disable Windows security prompts and block user access to diagnostic tools like Task Manager, hindering detection and removal efforts.
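Two of the behaviours above leave registry evidence a responder can check offline: the `Run` value described under Persistence Mechanisms, and the Task Manager lockout listed under Security Feature Manipulation. The script below is an added example for this article, not code from the malware or from K7 Security Labs. It parses a `.reg` export of the relevant keys (the kind `reg export` produces), flags autorun entries whose executable lives in a user-writable directory or whose value name matches the `Resoker` name reported above, and checks the standard `DisableTaskMgr` policy value. The sample export, the user name, the list of suspicious directories and the assumption that `DisableTaskMgr` is the value the malware uses (the article does not name it) are all constructed for the example.

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
KNOWN_VALUE_NAME = "Resoker"  # value name reported in the article
# Directories a normal installer rarely uses for an autorun entry (assumed list).
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                   "\\downloads\\", "\\users\\public\\", "\\windows\\temp\\")

# Constructed .reg export (not data from a real system), in the form produced by e.g.
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# The OneDrive entry is a benign example; "Resoker" mirrors the persistence entry the
# article describes. DisableTaskMgr=1 is the standard policy value that blocks Task
# Manager; that ResokerRAT sets this particular value is an assumption.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Resoker"="C:\\Users\\alice\\AppData\\Roaming\\Resoker.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Map each [key] to a dict of value name -> string, int (dword) or raw data."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data  # hex:/binary values kept as written
    return keys


def executable_from_run_value(value):
    """Return the executable path from a Run value, with or without quotes/arguments."""
    m = re.match(r'^"([^"]+)"', value) or re.match(r'^(\S+)', value)
    return m.group(1) if m else value


def audit_registry(keys):
    """Return (key, value name, reason) triples for entries worth a responder's attention."""
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if not isinstance(value, str):
            continue
        exe = executable_from_run_value(value).lower()
        if name.lower() == KNOWN_VALUE_NAME.lower():
            findings.append((RUN_KEY, name, "value name matches the reported ResokerRAT entry"))
        elif any(d in exe for d in SUSPICIOUS_DIRS):
            findings.append((RUN_KEY, name, f"autorun from user-writable location: {exe}"))
    if keys.get(POLICY_KEY, {}).get("DisableTaskMgr") == 1:
        findings.append((POLICY_KEY, "DisableTaskMgr", "Task Manager disabled by policy value"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_registry(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[!] {key}\\{name}: {reason}")
```

Real `.reg` exports are written as UTF-16 with a byte-order mark, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`. The same audit can be run against `HKLM\...\Run` by changing `RUN_KEY`.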
Mitigation and Recommendations
To protect against threats like ResokerRAT, users and organizations should implement the following measures:
– Verify Software Sources: Only download software from official and reputable sources. Be cautious of unsolicited emails or messages containing attachments or links.
– Regular Software Updates: Keep operating systems and applications up to date to patch known vulnerabilities that malware may exploit.
– Endpoint Protection: Deploy comprehensive endpoint security solutions that can detect and block malicious activities.
– Network Monitoring: Monitor network traffic for unusual patterns, such as unexpected communications with external servers or platforms like Telegram.
– User Education: Educate users about the risks of downloading and executing unknown files and the importance of cybersecurity hygiene.
By adopting these practices, individuals and organizations can enhance their defenses against sophisticated malware threats like ResokerRAT.