- SafeGuard Cyber detected a Remote Access Trojan (RAT) posted to a Telegram discussion channel in December 2021.
- Based on the manner in which it was posted, SafeGuard Cyber believes that it was not part of a coordinated campaign and was simply targeting new or naive users of the channel.
In December 2021, SafeGuard Cyber detected a Remote Access Trojan (RAT) being posted in a financial Telegram channel that we monitor as part of our work with digital currency financial services customers. We analyzed and identified the malware sample as a basic RAT and reviewed the messages surrounding the post.
SafeGuard Cyber believes that this was an isolated one-off incident meant to target new unsuspecting users of the channel.
- The handle "小强" (Chinese for "Cockroach") appeared only once on the channel, and its only post was the one carrying the RAT.
- The post did not appear to be a response to any of the surrounding messages in the channel.
- We did not see anyone respond to "小强" or complain about the file, though this does not prove that users of the channel were not infected.
When the file is executed, it runs as a process whose file description is "Goodcsongvwaiting MFC Application". While the malware is running, it attempts a TCP connection to 220.127.116.11 on a random high port. Only outbound SYN packets were observed; no handshake completed during our analysis.
The sample immediately drops two PNG files and a copy of itself into the AppData\Temp folder. The two PNG files are identical, as they have the same hash values. They do not have a valid PNG file header and do not appear to interact with the malware sample beyond being dropped by it: their contents look like random data, they do not execute, and no activity associated with them was seen. One possibility is that they are meant to provide a quick way to locate and execute the parent file in the AppData directory, but we did not observe this.
The sample also creates two hidden folders: a parent folder named C:\$MSIRecycle.Bin and, within it, C:\$MSIRecycle.Bin\bnch. These folders are likely used by the attacker as the main backdoor entry point.
No further activity was found regarding this sample. The file is detected and deleted by Windows Defender as a Trojan:Win32/FarfliTI!MTB.
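The behaviour described above (the process description, the fake PNG drops in the user's Temp folder, the hidden C:\$MSIRecycle.Bin folders and the SYN attempts to a high port) can be turned into host-level triage logic. The script below is an added example and is not SafeGuard Cyber's tooling; it runs the checks over a constructed Sysmon-style event stream (the event shapes, paths and port number are assumptions made for illustration) and only uses the indicators quoted in this write-up.

```python
"""Triage helper for the indicators in this write-up, run over constructed events."""
import hashlib
import re

# Indicators quoted from the write-up above. The page lists three addresses in
# different places; all three are included so nothing on the page is dropped.
IOC_MD5 = {
    "5db44db23ef20c5e7052ba30b0402ae5",
    "4240255efcfb8432b22fea58156e8fa1",
}
IOC_IPS = {"220.127.116.11", "18.104.22.168", "22.214.171.124"}
PROCESS_DESCRIPTION = "Goodcsongvwaiting MFC Application"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # signature every genuine PNG starts with

HIDDEN_DIR_RE = re.compile(r"^[a-z]:\\\$msirecycle\.bin(\\|$)", re.I)
TEMP_DIR_RE = re.compile(r"\\appdata\\(local\\)?temp\\", re.I)


def is_valid_png(data: bytes) -> bool:
    """The dropped 'PNG' files fail this check: they lack the 8-byte signature."""
    return data[:8] == PNG_MAGIC


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(events):
    """Return (rule, detail) findings for a list of constructed event dicts.

    Event kinds mirror what a Sysmon/EDR feed would carry: ProcessCreate,
    FileCreate (with the written bytes), DirectoryCreate and NetworkConnect.
    """
    findings = []
    first_path_by_hash = {}  # hash -> first path, to spot identical drops
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate":
            if ev.get("description") == PROCESS_DESCRIPTION:
                findings.append(("process_description", ev["image"]))
            if ev.get("md5", "").lower() in IOC_MD5:
                findings.append(("known_hash", ev["image"]))
        elif kind == "DirectoryCreate":
            if HIDDEN_DIR_RE.match(ev["path"]):
                findings.append(("hidden_msirecycle_dir", ev["path"]))
        elif kind == "FileCreate":
            path, content = ev["path"], ev["content"]
            if HIDDEN_DIR_RE.match(path):
                findings.append(("hidden_msirecycle_dir", path))
            if (TEMP_DIR_RE.search(path) and path.lower().endswith(".png")
                    and not is_valid_png(content)):
                findings.append(("fake_png_in_temp", path))
            digest = md5_hex(content)
            if digest in IOC_MD5:
                findings.append(("known_hash", path))
            if digest in first_path_by_hash:
                findings.append(("duplicate_drop", f"{path} == {first_path_by_hash[digest]}"))
            first_path_by_hash.setdefault(digest, path)
        elif kind == "NetworkConnect":
            # The sample only sent SYNs to a random high port on the C2 address.
            if ev["dst_ip"] in IOC_IPS and ev["dst_port"] >= 1024:
                findings.append(("c2_syn", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return findings


# Constructed sample events; the paths, image name and port are illustrative.
JUNK = bytes(range(256)) * 4  # stand-in for the random-looking PNG bodies
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\victim\Downloads\update.exe",
     "description": PROCESS_DESCRIPTION, "md5": "5DB44DB23EF20C5E7052BA30B0402AE5"},
    {"event": "FileCreate", "path": r"C:\Users\victim\AppData\Local\Temp\a.png", "content": JUNK},
    {"event": "FileCreate", "path": r"C:\Users\victim\AppData\Local\Temp\b.png", "content": JUNK},
    {"event": "FileCreate", "path": r"C:\Users\victim\AppData\Local\Temp\real.png",
     "content": PNG_MAGIC + b"\x00" * 16},
    {"event": "DirectoryCreate", "path": r"C:\$MSIRecycle.Bin"},
    {"event": "DirectoryCreate", "path": r"C:\$MSIRecycle.Bin\bnch"},
    {"event": "NetworkConnect", "dst_ip": "220.127.116.11", "dst_port": 49712},
    {"event": "NetworkConnect", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The hash comparison deliberately keys on content rather than file name, because the two dropped PNGs are only recognisable as the same object by their identical hashes. The directory check matches any drive letter so the hidden folder is caught even if the sample is run from a non-system volume.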
File Creation Date: December 18, 2021
Malware Internal Name: Malicious - Trojan Backdoor
Persistence: This sample does not establish persistence
Network Connection: 18.104.22.168, Port: Random High
- MD5 Hash: 5DB44DB23EF20C5E7052BA30B0402AE5
- MD5 Hash: 4240255EFCFB8432B22FEA58156E8FA1
- IP: 22.214.171.124
[Figure: Second dropped folder]
[Figure: Inside dropped folder]