Cyber Security News

Triton RAT Uses Telegram for Remote System Access and Control

Cado Security Labs has uncovered a new Python-based Remote Access Tool (RAT) named Triton RAT, which leverages Telegram for remote system access and data exfiltration.

This open-source malware, available on GitHub, is designed to execute a wide range of malicious activities, including credential theft, system control, and persistence establishment.

Technical Overview

Triton RAT initiates its operation by retrieving a Telegram Bot token and chat ID encoded in Base64 from Pastebin.

[Figure: Telegram token and chat ID encoded in Base64]

These credentials enable the malware to communicate with a Telegram bot, which serves as the command-and-control (C2) server.

The RAT is equipped with an extensive feature set, including keylogging, webcam access, clipboard data theft, and the ability to steal saved passwords and Roblox security cookies.

Notably, Roblox cookies (.ROBLOSECURITY) are targeted across multiple browsers like Chrome, Edge, Firefox, and Brave.

Because the session cookie is accepted as proof of an already authenticated login, a stolen .ROBLOSECURITY cookie lets an attacker bypass two-factor authentication (2FA) and gain unauthorized access to the victim's Roblox account.

[Figure: Function used to search for and exfiltrate Roblox security cookies]

The malware also gathers system information such as Wi-Fi credentials and executes shell commands remotely.

It can record screens, change wallpapers, and upload or download files.

For anti-analysis purposes, Triton RAT detects “blacklisted” processes associated with debugging tools like xdbg and ollydbg or antivirus software.

Persistence Mechanisms

To maintain persistence on infected systems, Triton RAT deploys secondary payloads through VBScript and batch scripts.

A VBScript named updateagent.vbs disables Windows Defender, creates backups, schedules tasks for persistence, and monitors specific processes.

Additionally, a batch script (check.bat) downloads an executable named ProtonDrive.exe from Dropbox and stores it in a hidden folder under the directory C:\Users\user\AppData\Local\Programs\Proton\Drive.

This executable is Triton RAT itself, compiled into a standalone binary with PyInstaller. Scheduled tasks are then created so that the malware runs at each user login.

All stolen data is exfiltrated to the Telegram bot in real-time. The bot also allows attackers to issue commands to compromised machines.

During analysis by Cado Security Labs, the associated Telegram channel contained over 4,500 messages, though it remains unclear whether this reflects the number of infected systems.

Triton RAT represents a significant threat due to its comprehensive capabilities and reliance on widely used platforms like Telegram for C2 communication.

Its use of anti-analysis techniques further complicates detection by security tools.

Indicators of compromise (IOCs), such as the ProtonDrive executable and associated hashes, have been identified to aid in mitigation efforts.

Organizations are advised to monitor for unusual activity involving Telegram bots and implement robust endpoint protection measures to guard against this evolving threat.
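The behaviour described above gives defenders a distinctive network sequence to look for: a process fetches a raw Pastebin paste (the encoded bot token and chat ID) and then starts calling the Telegram Bot API, whose URLs carry the token in the path as /bot&lt;id&gt;:&lt;secret&gt;/&lt;method&gt;. The following added example, written for this article and not code from Cado Security Labs or from the RAT, runs that check over a constructed proxy log; the log format, host names, process names and token values are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (hypothetical hosts, processes, paste IDs and tokens).
SAMPLE_PROXY_LOG = """\
2025-04-01T10:00:01Z host=WS-01 proc=chrome.exe url=https://www.roblox.com/home
2025-04-01T10:00:05Z host=WS-01 proc=ProtonDrive.exe url=https://pastebin.com/raw/EXAMPLEID
2025-04-01T10:00:06Z host=WS-01 proc=ProtonDrive.exe url=https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/getUpdates
2025-04-01T10:00:09Z host=WS-01 proc=ProtonDrive.exe url=https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument
2025-04-01T10:00:12Z host=WS-02 proc=Telegram.exe url=https://web.telegram.org/
2025-04-01T10:00:15Z host=WS-03 proc=python.exe url=https://api.telegram.org/bot987654321:PLACEHOLDER_TOKEN/sendMessage
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")
# Telegram Bot API requests embed the bot token in the URL path: /bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):[\w-]+/(?P<method>\w+)")
PASTEBIN_RAW_RE = re.compile(r"^https://pastebin\.com/raw/")

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def bot_api_events(text):
    """Return (host, proc, bot_id, method) for every Telegram Bot API request.
    Only the numeric bot id is kept; the token secret is never copied out of the log."""
    events = []
    for rec in parse_log(text):
        m = BOT_API_RE.match(rec["url"])
        if m:
            events.append((rec["host"], rec["proc"], m.group("bot_id"), m.group("method")))
    return events

def triton_like_sources(text):
    """(host, proc) pairs that fetch a raw Pastebin paste and afterwards call the
    Bot API: the token-retrieval-then-C2 order described in the article."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        key = (rec["host"], rec["proc"])
        if PASTEBIN_RAW_RE.match(rec["url"]):
            seen[key].add("pastebin")
        elif "pastebin" in seen[key] and BOT_API_RE.match(rec["url"]):
            seen[key].add("bot_api")
    return sorted(k for k, v in seen.items() if v == {"pastebin", "bot_api"})

if __name__ == "__main__":
    for ev in bot_api_events(SAMPLE_PROXY_LOG):
        print("Bot API call:", ev)
    print("Pastebin -> Telegram sequence:", triton_like_sources(SAMPLE_PROXY_LOG))
```

Legitimate Telegram desktop or web clients do not use the Bot API path, so any non-browser process hitting api.telegram.org/bot... is worth triage on its own; the Pastebin-then-Bot-API ordering narrows the hit list further.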


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
