Telegram-Based ResokerRAT Threatens Windows Security

A newly discovered remote access trojan, ResokerRAT, leverages Telegram’s bot API for covertly controlling infected Windows computers. This malware differentiates itself by circumventing traditional command-and-control servers, opting instead for a trusted messaging platform to transmit commands and retrieve stolen information. This tactic complicates detection efforts for conventional network security solutions.

Unconventional Communication Methods

Unlike typical malware, ResokerRAT exploits Telegram to establish its communication channel. By using the Telegram Bot API, the malware receives instructions and sends data back to its operators, making it challenging for security systems to recognize and block its activities. The trojan is delivered through an executable file named Resoker.exe, which, upon execution, initiates background operations such as establishing persistence and requesting elevated privileges.

Once active, ResokerRAT can perform a range of harmful tasks, including capturing screenshots, downloading further payloads, and disabling security notifications. Analysts from K7 Security Labs have identified its initial action as creating a mutex, ‘GlobalResokerSystemMutex,’ to ensure only one instance operates simultaneously. Additionally, the malware checks for debugger presence, interrupting analysis if detected.

Technical Tactics and Persistence

To extend its infiltration, ResokerRAT attempts to relaunch with administrative rights using the ‘runas’ option. If successful, it closes the original instance and resumes operation under elevated privileges. In failure cases, it reports errors back via the Telegram bot. The malware also terminates processes of common analysis tools, obstructing forensic efforts.

ResokerRAT’s persistence is achieved by embedding itself into the Windows registry under the ‘Run’ key, ensuring execution at startup. This method allows it to remain operational even after system reboots, with the malware confirming its startup configuration to the attacker through Telegram.

Security Recommendations and Precautions

Security experts advise monitoring for unauthorized registry entries and suspicious HTTPS traffic to ‘api.telegram.org’ as preventive measures against ResokerRAT. Ensuring systems are current with patches, avoiding untrusted executable files, and being vigilant for sudden Task Manager access issues are critical in mitigating infection risks.

In summary, ResokerRAT exemplifies a sophisticated cyber threat employing unconventional communication channels to evade detection. Continuous vigilance and proactive security practices are essential to safeguard systems against such evolving threats.