T-RAT Malware Uses Telegram for Remote Control

By Riley ThompsonTechnology News

New T-RAT Malware Can Be Controlled via Telegram

Security experts from G DATA have published a report on a new piece of malware called T-RAT, which is being sold for just $45. The main feature of this malware is that T-RAT allows attackers to control infected systems through a Telegram channel, rather than the more common web-based admin panels.

The creators of T-RAT claim that this approach provides faster and easier access to compromised computers from anywhere, enabling quick data theft. However, T-RAT can also be controlled using more traditional methods, such as RDP and VNC.

Features and Capabilities

The T-RAT Telegram channel supports 98 commands, allowing attackers to:

  • Extract passwords and cookies from browsers
  • Navigate the victim’s file system and search for confidential data
  • Deploy a keylogger
  • Secretly record audio through the device’s microphone
  • Take screenshots of the victim’s desktop
  • Capture images via the webcam
  • Intercept clipboard contents

Additionally, T-RAT includes a special mechanism to capture clipboard data, replacing strings that resemble cryptocurrency or e-wallet addresses with those belonging to the attacker. This allows successful interception of transactions involving Qiwi, WMR, WMZ, WME, WMX, Yandex.Money, Payeer, credit cards, BTC, BTCG, Ripple, Dogecoin, and Tron.

Additional Functions

The malware can also execute terminal commands (CMD and PowerShell), block the victim’s access to certain websites (such as antivirus or tech support sites), terminate specific processes (disabling security and debugging software), and even deactivate the Taskbar and Task Manager.

Other Telegram-Controlled RATs

G DATA experts note that T-RAT is just one of many malware families equipped with Telegram-based control, and it is not the first RAT to use this model. Similar functionality can be found in:

  • RATAttack (targeting Windows)
  • HeroRAT (targeting Android)
  • TeleRAT (mainly used against users in Iran, targeting Android)
  • IRRAT (targeting Android)
  • RAT-via-Telegram (available on GitHub, targeting Windows users)
  • Telegram-RAT (available on GitHub, targeting Windows users)

“New T-RAT samples are regularly uploaded to VirusTotal. I suspect it is being actively distributed, although I don’t have direct evidence of this,” said G DATA expert Karsten Hahn.

Leave a Reply