Trojan RAT Detected on a Telegram Public Channel

Executive Summary

• SafeGuard Cyber detected a trojan RAT posted to a discussion telegram channel in December 2021.
• Based on the manner in which it was posted, SafeGuard Cyber believes that is was not part of a coordinated campaign and was simply targeting new or naive users of the channel.

Background

In December 2021, SafeGuard Cyber detected a Remote Access Trojan (RAT) being posted in a financial Telegram channel that we monitor as part of our work with digital currency financial services customers. We analyzed and identified the malware sample as a basic RAT and reviewed the messages surrounding the post. 

Event Analysis

SafeGuard Cyber believes that this was an isolated one-off incident meant to target new unsuspecting users of the channel.

• The handle "小强" (Chinese for “Cockroach”) was only used once on the channel and the only post it made was to post the RAT.
• The post did not appear to be a response to any of the surrounding messages in the channel.
• We did not see anyone respond to "小强 "  or complain about the file, though this does not prove that users of the channel did not get infected.

Malware Summary

When the file is executed, it runs consistently as a process with the description “Goodcsongvwaiting MFC Application”. While the malware is running, a TCP connection is opened up to 180.215.87.236 on a random high port. The activity seems to just be SYN send packets.

The sample immediately drops two PNG files and a copy of itself into the Appdata\Temp folder. The two PNG files are the same file as they have the same hash values. The PNG files do not have a valid file header and do not seem to have any interaction with the malware sample aside from being dropped from it. These two files may be used to quickly access and execute the parent file from the AppData directory. Additionally, the two files are filled with what appears to be random data, the files do not execute and no activity was seen.

The sample also creates two hidden folders, the parent folder being named C:\$MSIRecycle.Bin and a folder is created within named C:\$MSIRecycle.Bin\bnch. These folders are likely used as the main backdoor entry point by the attacker.

No further activity was found regarding this sample. The file is detected and deleted by Windows Defender as a Trojan:Win32/FarfliTI!MTB.

Technical Details

Filename: 
M09image_2021-12-22_18png.bat

File Creation Date:
December 18, 2021

Hashes:
MD5: 4240255efcfb8432b22fea58156e8fa1
SHA1: 199e2406f2440862078a9cd1d61d47ed7e1c7c47
SHA256: 72e79ad4f9b879e09a7e893aebc11c698fcfe870c8294d7ed8ac64eb59a6702c

Malware Internal Name:
Goodcsongvwaiting

Disposition:
Malicious - Trojan Backdoor

Dropped Files:
C:\Users\Username\AppData\Local\Temp\changbanma.png
MD5: 5DB44DB23EF20C5E7052BA30B0402AE5
SHA1: 30BD24725E9FC1225A074E2E8A9E897A9865F7BC

C:\Users\Username\AppData\Local\Temp\M09image_2021-12-22_18png.bat
MD5: 4240255EFCFB8432B22FEA58156E8FA1
SHA1: 199E2406F2440862078A9CD1D61D47ED7E1C7C47

C:\Users\Username\AppData\Local\Temp\meifannao.png
MD5: 5db44db23ef20c5e7052ba30b0402ae5
SHA1: 30bd24725e9fc1225a074e2e8a9e897a9865f7bc

Folders Added:
C:\$MSIRecycle.Bin
C:\$MSIRecycle.Bin\bnch

Persistence
This sample does not establish persistence

Network Traffic:
180.215.87.236   Port: Random High

IOCs

• MD5 Hash:  5DB44DB23EF20C5E7052BA30B0402AE5
• MD5 Hash:  4240255EFCFB8432B22FEA58156E8FA1
• IP: 180.215.87.236

Screenshots

Running Process

Dropped Files

Dropped Folder

Second Dropped Folder

Inside Dropped Folder

Defender Alert