
Netskope identifies new Python RAT targeting gamers

During threat hunting activities, Netskope identified a new Python remote access tool (RAT) that uses the Telegram Bot Application Programming Interface (API) for command and control (C2). The finding matters to defenders because it shows malware aimed at gaming communities hiding its C2 traffic inside a legitimate, widely allowed cloud messaging service.

Key findings

The RAT masquerades as a legitimate Minecraft client named “Nursultan Client” to gain the victim's trust. It can exfiltrate data and give the attacker remote access to the host, and it communicates through Telegram rather than through attacker-owned infrastructure.

The malware receives and executes commands through the Telegram API and implements functions such as screenshot capture, webcam access, and theft of Discord authentication tokens, giving the operator several ways to compromise both the victim's machine and their accounts.

Details

Initial analysis

Netskope's investigation uncovered an executable associated with this RAT, packaged with PyInstaller. Malware authors frequently use PyInstaller to bundle a Python script, the interpreter and its dependencies into a single standalone executable. The result is a large file, which can exceed the size limits of some scanning tools, and the script itself is not readable until the bundle is extracted.
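A quick triage check for the packaging described above is to look for the cookie that PyInstaller appends to every bundle: a fixed magic value followed by archive metadata, including the Python version the script was built with. The following Python is an added example written for this page, not code from Netskope or from the malware; the sample bytes it builds are constructed so the check runs offline and are not a real executable. The cookie layout (`!8sIIii64s`) is the format used by PyInstaller 2.1 and later.

```python
import struct

# PyInstaller appends a "cookie" after the bundled archive. The magic value
# is stable across versions, so it is a cheap first-pass indicator.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layout (network byte order), PyInstaller 2.1 and later:
#   8s  magic
#   I   total length of the package
#   I   offset of the table of contents within the package
#   i   length of the table of contents
#   i   Python version (311 for 3.11 in current builds; older builds used
#       two digits such as 37 for 3.7)
#   64s name of the bundled Python shared library, NUL padded
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return a dict describing the PyInstaller cookie, or None if absent.

    The bootloader itself contains the magic as a constant, so a forward
    search would hit that copy first. Searching from the end finds the real
    cookie, which sits after the archive.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None  # no magic, or a truncated cookie
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE]
    )
    # Normalize both version encodings: 311 -> "3.11", 37 -> "3.7"
    if pyvers >= 100:
        version = f"{pyvers // 100}.{pyvers % 100}"
    else:
        version = f"{pyvers // 10}.{pyvers % 10}"
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": version,
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def is_pyinstaller_bundle(data: bytes) -> bool:
    return find_pyinstaller_cookie(data) is not None


def build_sample_bundle() -> bytes:
    """Constructed sample: a fake stub followed by a valid cookie.

    This is NOT a real executable; it only exists so the check can be
    exercised without a malware sample on disk.
    """
    stub = b"MZ" + b"\x00" * 510 + b"fake-bootloader-and-archive" * 8
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC, 4096, 3800, 296, 311,
        b"python311.dll".ljust(64, b"\x00"),
    )
    return stub + cookie


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_bundle()
    info = find_pyinstaller_cookie(blob)
    print("PyInstaller bundle:" if info else "no PyInstaller cookie", info)
```

Run it with a file path to inspect a suspect binary, or with no arguments to run against the constructed sample. A positive hit only says the file is a PyInstaller bundle; extracting and reading the embedded script is the next step, and the Python version in the cookie tells you which interpreter you need to decompile it.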

The executable's large size, its exclusive use of Telegram for command traffic, and its attempt to hide behind a fake installation prompt are the notable characteristics of this sample.

Installation and deception

Upon execution, the malware hides its console window and shows the user a fake installation progress display. It attempts to establish persistence by adding a registry entry, although the way it does so is flawed.

Telegram C2 channel

The malware's use of Telegram as its command channel gives the attacker encrypted, legitimate-looking HTTPS traffic to a widely allowed service, which complicates detection. Only specific Telegram user IDs are accepted as command senders, so the bot responds only to the attacker.
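Telegram Bot API traffic is still distinguishable from ordinary Telegram use: every call goes to api.telegram.org with the bot token in the URL path, and an implant must poll getUpdates repeatedly and push results back with send* methods. The following Python is an added detection example for this page, not Netskope code or anything from the malware. The proxy log lines, client addresses, process names and bot tokens are all constructed; only the URL shape and the 35-character secret in a bot token are facts about Telegram.

```python
import re

# Telegram Bot API calls carry the bot token in the URL path:
#   https://api.telegram.org/bot<bot_id>:<35-char secret>/<method>
# A proxy or SWG log that keeps full URLs therefore shows which bot a host
# talks to and which method it calls.
BOT_CALL = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)"
)

# What a bot-based implant must do: poll for operator commands and push
# results back. A user chatting through the Telegram app never hits the
# bot<token> path, so any client doing this is running bot code.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendPhoto", "sendDocument", "sendVideo"}

# Constructed tokens for the sample log (fake bot ids, fake 35-char secrets).
TOKEN_A = "123456789:" + "AAH" + "x" * 32
TOKEN_B = "987654321:" + "BBG" + "y" * 32

# Constructed proxy log, one "<timestamp> <client ip> <process> <url>" per line.
SAMPLE_LOG = "\n".join([
    f"2024-05-02T10:00:01Z 10.0.0.7 NursultanClient.exe https://api.telegram.org/bot{TOKEN_A}/getUpdates",
    f"2024-05-02T10:00:03Z 10.0.0.7 NursultanClient.exe https://api.telegram.org/bot{TOKEN_A}/getUpdates",
    f"2024-05-02T10:00:05Z 10.0.0.7 NursultanClient.exe https://api.telegram.org/bot{TOKEN_A}/getUpdates",
    f"2024-05-02T10:00:09Z 10.0.0.7 NursultanClient.exe https://api.telegram.org/bot{TOKEN_A}/sendPhoto",
    "2024-05-02T10:00:20Z 10.0.0.9 Telegram.exe https://web.telegram.org/k/",
    f"2024-05-02T10:01:00Z 10.0.0.12 python.exe https://api.telegram.org/bot{TOKEN_B}/sendMessage",
])


def parse_bot_calls(text: str):
    """Yield (timestamp, client, process, bot_id, secret, method) per Bot API call."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or differently shaped line
        ts, client, process, url = parts
        m = BOT_CALL.search(url)
        if m:
            yield ts, client, process, m["bot_id"], m["secret"], m["method"]


def analyze_proxy_log(text: str, poll_threshold: int = 3):
    """Group Bot API calls by (client, bot) and return the suspicious groups.

    A host is flagged when it polls getUpdates at least poll_threshold times
    for one bot (implant behaviour) or uploads media/files through the bot
    (exfiltration). A lone sendMessage is left alone: legitimate alerting
    bots do that too. The token secret is kept out of the finding so the
    report can be shared without leaking a usable credential.
    """
    stats = {}
    for ts, client, process, bot_id, secret, method in parse_bot_calls(text):
        rec = stats.setdefault((client, bot_id), {
            "client": client, "bot_id": bot_id, "process": process,
            "secret_prefix": secret[:4] + "...",
            "poll_calls": 0, "exfil_calls": 0, "other_calls": 0,
            "first_seen": ts, "last_seen": ts,
        })
        rec["last_seen"] = ts
        if method in POLL_METHODS:
            rec["poll_calls"] += 1
        elif method in EXFIL_METHODS:
            rec["exfil_calls"] += 1
        else:
            rec["other_calls"] += 1

    findings = []
    for rec in stats.values():
        reasons = []
        if rec["poll_calls"] >= poll_threshold:
            reasons.append(f"polled getUpdates {rec['poll_calls']}x")
        if rec["exfil_calls"]:
            reasons.append(f"uploaded media or files {rec['exfil_calls']}x")
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in analyze_proxy_log(SAMPLE_LOG):
        print(f"{f['client']} ({f['process']}) -> bot {f['bot_id']}: {', '.join(f['reasons'])}")
```

The bot id is the part of the token before the colon and is enough to block the specific bot at the proxy and to report it to Telegram; the full token should be pulled from the raw log only when an analyst needs it. Tune `poll_threshold` to the log window you query, since a long-polling implant may issue only a handful of getUpdates calls per minute.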

Information stealing capabilities

This RAT specifically targets Discord authentication tokens and provides several commands to collect system information and send sensitive data back to the attacker. A profile of the victim's system can be compiled with a few simple commands.

Surveillance and nuisance functions

In addition to information theft, the malware implements surveillance features that capture desktop screenshots and webcam images. It can also show unsolicited pop-up messages to the victim and open arbitrary URLs sent by the attacker.

Conclusions

This malware is a straightforward social engineering play aimed at gamers, using the guise of a legitimate client. Its reliance on the Telegram API for command and control emphasizes that organizations need to inspect traffic to cloud and messaging services, including encrypted channels, rather than allowing it wholesale because the destination is a well-known service.

The structure of this malware points to a Malware-as-a-Service (MaaS) model: its design and operation suggest a tool made accessible to less experienced threat actors rather than the work of a highly sophisticated operator.

Netskope detection

Netskope's Advanced Threat Protection solutions detect the malware described here based on its signatures and observed behaviors.

Data analysis

The analysis herein is derived from anonymized data collected by the Netskope Security Cloud platform with prior customer consent.

IOCs

Indicators of Compromise (IOC) and related scripts are available in the Netskope GitHub repository for further investigation.