Telegram-Controlled Backdoor Trojan Attacks Linux Servers

Doctor Web specialists have identified a Linux version of the well-known TgRat Trojan used for targeted attacks on computers. One of the notable features of this Trojan is that it is controlled via a Telegram bot.

This malware belongs to the class of remote access trojans, better known by the unflattering but apt abbreviation RAT. In essence, a RAT is the same kind of tool as the familiar remote access and administration utilities, only it works for the attacker. The key difference is that the victim is not supposed to suspect that someone else is in control of the machine.

The TgRat Trojan, originally written for Windows, was discovered in 2022. It was a small malicious program designed to exfiltrate data from one specific compromised machine. Not long ago, Doctor Web virus analysts discovered its sibling, adapted to run on Linux.

The request to investigate an information security incident reached our virus laboratory from a hosting company: Dr.Web antivirus had found a suspicious file on one of the client servers. It turned out to be a trojan dropper, that is, a program whose job is to install malware on the attacked computer. This dropper unpacked the Trojan, detected as Linux.BackDoor.TgRat.2, onto the system.

This Trojan was likewise built to attack specific computers: on launch, it computes a hash of the machine's hostname and compares it with a string embedded in the Trojan's body. If the values do not match, TgRat terminates its own process. If the check passes, the Trojan goes online and implements a rather unusual scheme for talking to its control server, which is a Telegram bot.
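A hostname-hash gate of this kind is also useful to the defender: given the hash lifted from a sample, you can run it against your own host inventory to learn which machine the build was aimed at. The helper below is an added example, not Doctor Web's tooling; the article does not say which hash algorithm TgRat uses, so the algorithm list, the hostname spellings it tries, and the inventory and hash value are all assumptions constructed for illustration.

```python
"""Triage helper: recover which host a hostname-gated sample was built for.

Added example, not code from Doctor Web or from the TgRat sample.
"""
import hashlib
import socket
from typing import Iterable, List, Optional, Tuple

# Assumption: the page does not name the hash, so try the common ones.
ALGORITHMS = ("md5", "sha1", "sha256")


def hostname_variants(name: str) -> List[str]:
    """Spellings a sample might hash: FQDN, short name, lower-case,
    and the same with a trailing newline as `hostname` prints it."""
    short = name.split(".")[0]
    variants = {name, name.lower(), short, short.lower(), name + "\n", short + "\n"}
    return sorted(variants)


def match_hostname(embedded_hex: str,
                   candidates: Iterable[str]) -> Optional[Tuple[str, str, str]]:
    """Return (inventory name, exact variant, algorithm) that reproduces the
    embedded hash, or None if no candidate matches."""
    target = embedded_hex.strip().lower()
    for name in candidates:
        for variant in hostname_variants(name):
            for algo in ALGORITHMS:
                if hashlib.new(algo, variant.encode()).hexdigest() == target:
                    return name, variant, algo
    return None


def would_run_here(embedded_hex: str) -> bool:
    """Emulate the gate: would a sample carrying this hash run on this box?"""
    return match_hostname(embedded_hex, [socket.gethostname()]) is not None


# Constructed example data: a hosting company's inventory and a hash that a
# hypothetical sample embeds (here simply sha256("web-42.example.net")).
INVENTORY = ["db-01.example.net", "web-42.example.net", "mail.example.net"]
EMBEDDED_HASH = hashlib.sha256(b"web-42.example.net").hexdigest()

if __name__ == "__main__":
    hit = match_hostname(EMBEDDED_HASH, INVENTORY)
    print("targeted host:", hit)          # ('web-42.example.net', 'web-42.example.net', 'sha256')
    print("runs on this machine:", would_run_here(EMBEDDED_HASH))
```

If nothing in the inventory matches, the sample may hash a different spelling (uppercase, a node name from `uname`, a name plus salt), so extend `hostname_variants` from what disassembly of the real gate shows rather than guessing further.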

Telegram is used in many companies as a corporate communication tool, so it is hardly surprising that attackers exploit it as a channel for controlling malware and exfiltrating confidential data: the application's popularity and the routine traffic to Telegram's servers help malware blend into a compromised network.

The Trojan is controlled from a private group in the messenger to which the Telegram bot is connected. Through the messenger the attackers issue commands to the Trojan: for example, download files from the compromised system, take a screenshot, execute a command remotely, or upload a file to the host as a message attachment.

Fig.1

Fig.2

Fig.3

Unusual as the choice of channel between the Trojan and its control server is, the attack can be spotted by careful analysis of network traffic: exchanges with Telegram's servers may be normal for user workstations, but not for a server on the local network.
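The detection logic that observation implies, as an added example that is not part of the Doctor Web write-up: scan connection records for Telegram destinations and alert only when the source address belongs to a server subnet. The tab-separated records, the server and workstation subnets, and the IP addresses are constructed for this example. `api.telegram.org` is Telegram's documented Bot API host; the two IP prefixes are assumed Telegram ranges and should be checked against Telegram's published list before being used in production.

```python
"""Flag Telegram traffic from hosts that have no business talking to a messenger.

Added example, not Doctor Web's tooling. Input is a Zeek-style ssl.log subset:
ts, id.orig_h, id.resp_h, id.resp_p, server_name (SNI, '-' when absent).
"""
import ipaddress
from typing import Dict, Iterable, List

# Documented Telegram Bot API endpoint.
TELEGRAM_HOSTS = {"api.telegram.org"}
# Assumption: Telegram-owned prefixes; verify against Telegram's published ranges.
TELEGRAM_NETS = [ipaddress.ip_network(n) for n in ("149.154.160.0/20", "91.108.4.0/22")]


def is_telegram_dest(dst_ip: str, sni: str) -> bool:
    """True if the destination is Telegram by SNI or by IP prefix."""
    if sni.rstrip(".").lower() in TELEGRAM_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    return any(ip in net for net in TELEGRAM_NETS)


def flag_telegram_traffic(lines: Iterable[str],
                          server_nets: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per record whose source is in a server subnet and
    whose destination is Telegram. Comment lines and malformed records are skipped."""
    nets = [ipaddress.ip_network(n) for n in server_nets]
    alerts: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        ts, src, dst, dport, sni = fields[:5]
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(src_ip in net for net in nets):
            continue  # workstations may legitimately use Telegram
        if is_telegram_dest(dst, sni):
            alerts.append({"ts": ts, "src": src, "dst": dst, "port": dport,
                           "sni": sni, "reason": "server host contacting Telegram"})
    return alerts


# Constructed sample log: 10.0.5.0/24 is the server segment, 192.168.1.0/24 workstations.
SAMPLE_LOG = """#fields	ts	id.orig_h	id.resp_h	id.resp_p	server_name
1719500000.1	10.0.5.17	149.154.167.220	443	api.telegram.org
1719500001.2	192.168.1.40	149.154.167.220	443	api.telegram.org
1719500002.3	10.0.5.17	93.184.216.34	443	example.org
1719500003.4	10.0.5.22	91.108.4.200	443	-
garbage line without tabs
"""
SERVER_NETS = ["10.0.5.0/24"]

if __name__ == "__main__":
    for alert in flag_telegram_traffic(SAMPLE_LOG.splitlines(), SERVER_NETS):
        print(alert)
```

The fourth record matters most: TgRat's traffic does not have to carry a tidy SNI, so matching on destination prefix as well as hostname keeps a bare-IP session to a Telegram address from slipping through. On a server segment with egress filtering, the same logic belongs in the proxy policy rather than in after-the-fact log review.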

Indicators of compromise
