
Cado Security Labs has identified a Python-based Remote Access Tool (RAT) named Triton RAT. This open-source RAT is available on GitHub and enables users to remotely access and control a system using Telegram.
The Python script of the Triton RAT begins by retrieving the Telegram Bot token and chat ID from Pastebin. Triton RAT has a wide array of malicious capabilities, including:
- Keylogging
- Remote commands
- Stealing saved passwords
- Stealing Roblox security cookies
- Changing wallpaper
- Screen recording
- Webcam access
- Gathering Wi-Fi information
- Downloading/uploading files
- Executing shell commands
- Stealing clipboard data
- Anti-analysis techniques
- Gathering system information
All exfiltrated data is sent to a Telegram Bot.
The TritonRAT code includes a “sendmessage” function that decrypts and saves passwords from various locations, including AppData, Google Chrome, User Data, Local, and Local State. The RAT also targets Roblox security cookies (.ROBLOSECURITY) in multiple browsers, such as Opera, Chrome, Edge, Chromium, Firefox, and Brave. These cookies can be used to gain access to Roblox accounts, bypassing 2FA.
The Python script also creates a VBScript (“updateagent.vbs”) and a BAT script (“check.bat”), which are executed with PowerShell. The BAT script retrieves a binary named “Proton Drive.exe” from Dropbox, stores it in a hidden folder, and executes it with admin privileges. “Proton Drive.exe” is a PyInstaller-compiled build of TritonRAT, likely used for persistence. To maintain persistence, three scheduled tasks are created that run at logon of any user.
Triton RAT incorporates anti-analysis techniques, including checking for “blacklisted” processes associated with debugging and antivirus products. The exfiltrated data is sent to a Telegram bot, where the attacker can send commands to the infected machine.
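The persistence chain described above (PowerShell-launched scripts, a dropped “Proton Drive.exe”, and logon-triggered scheduled tasks) is something a defender can hunt for in scheduled-task definitions, for example the TaskContent carried by Windows Security event 4698. The following is an added triage example, not code from the write-up: it parses a task definition, checks for a logon trigger that applies to any user, and looks for the dropped file names the article reports. The task XML samples and the folder path in them are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Dropped-file names reported for Triton RAT in the write-up above; no other indicators assumed.
TRITON_ARTIFACTS = ("proton drive.exe", "updateagent.vbs", "check.bat")
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def task_indicators(task_xml: str) -> dict:
    """Inspect one scheduled-task definition (e.g. TaskContent from a 4698 event).
    Reports whether it has a logon trigger, whether that trigger has no UserId
    (so it fires for any user), and which Triton artifact names appear in the
    Exec command or arguments."""
    root = ET.fromstring(task_xml)
    logon = root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
    any_user = logon and root.find(".//t:LogonTrigger/t:UserId", NS) is None
    parts = []
    for tag in ("Command", "Arguments"):
        for el in root.findall(f".//t:Actions/t:Exec/t:{tag}", NS):
            parts.append((el.text or "").lower())
    cmdline = " ".join(parts)
    hits = [name for name in TRITON_ARTIFACTS if name in cmdline]
    return {"logon_trigger": logon, "any_user": any_user, "artifacts": hits}

def is_suspicious(task_xml: str) -> bool:
    """Flag a task that runs at logon and references a Triton dropped file."""
    ind = task_indicators(task_xml)
    return ind["logon_trigger"] and bool(ind["artifacts"])

# Constructed sample definitions (not captured from a real infection); the hidden
# folder path is a placeholder, since the write-up does not give the real one.
SAMPLE_TRITON_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden Start-Process "C:\\Users\\user\\AppData\\Local\\.hidden\\Proton Drive.exe"</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("triton-like", SAMPLE_TRITON_TASK), ("benign", SAMPLE_BENIGN_TASK)):
        print(label, "suspicious" if is_suspicious(xml) else "ok", task_indicators(xml))
```

In practice the same check runs over every task exported from the Task Scheduler library or over 4698 events collected centrally, with the artifact list extended as new builds are observed.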