RATAttack

RATAttack is a remote access trojan (RAT) that uses the Telegram protocol for encrypted communication between the victim's machine and the attacker. Because all traffic flows outbound from the infected host to Telegram's servers, the attacker needs no port forwarding or listening server of their own. Before deploying RATAttack, the attacker creates a Telegram bot and embeds the bot's token in the trojan's configuration file; since that token is what authenticates to the Telegram Bot API, anyone who recovers it from a sample gains the same control of the bot that the attacker has. When a system is infected, the implant connects to the bot's Telegram channel, and the attacker joins the same channel to manage the RATAttack clients on the infected hosts. The trojan's source code was published on GitHub but was taken down by its author on April 19, 2017.
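The paragraph above describes the C2 mechanism but not how a defender would spot it. The script below is an added example written for this page, not code from RATAttack or its author: it runs over constructed proxy log lines (the five-field format, the client addresses and the bot token are all made up for illustration) and flags hosts that poll the Telegram Bot API and then upload files or photos, which is the shape of a bot-based RAT session. The Bot API URL layout (https://api.telegram.org/bot<token>/<method>) and the token form (numeric bot id, colon, secret) are real; the minimum secret length used to avoid false matches is an assumption. Note the caveat the sample illustrates: without TLS inspection a proxy only sees CONNECT api.telegram.org:443, so the token and the API method are invisible and the host can only be flagged as "talks to Telegram".

```python
import re
from collections import Counter, defaultdict

# Constructed sample proxy log (not real traffic). Assumed field order:
# <timestamp> <client_ip> <http_method> <url_or_host:port> <status>
# The token below is invented for illustration and is not a real bot token.
SAMPLE_LOG = """\
2017-04-18T10:00:01Z 10.0.0.12 CONNECT api.telegram.org:443 200
2017-04-18T10:00:02Z 10.0.0.12 GET https://api.telegram.org/bot123456789:AAFakeTokenForIllustration00000000000/getUpdates?offset=1&timeout=30 200
2017-04-18T10:00:33Z 10.0.0.12 GET https://api.telegram.org/bot123456789:AAFakeTokenForIllustration00000000000/getUpdates?offset=2&timeout=30 200
2017-04-18T10:00:34Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAFakeTokenForIllustration00000000000/sendPhoto 200
2017-04-18T10:00:35Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAFakeTokenForIllustration00000000000/sendDocument 200
2017-04-18T10:01:00Z 10.0.0.7 GET https://web.telegram.org/ 200
2017-04-18T10:01:05Z 10.0.0.7 CONNECT api.telegram.org:443 200
"""

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The "{20,}" minimum on the secret is an assumption to avoid matching short
# path segments; it is not taken from a Telegram specification.
BOT_CALL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)"
)
# Bot API methods an implant would use to push captured data to the operator.
UPLOAD_METHODS = {"sendPhoto", "sendDocument", "sendVideo", "sendAudio", "sendVoice"}


def parse_line(line):
    """Split one log line into its fields; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def extract_bot_call(url):
    """Return (bot_id, secret, api_method) for a Bot API URL, else None."""
    m = BOT_CALL_RE.search(url)
    if not m:
        return None
    return m.group("bot_id"), m.group("secret"), m.group("method")


def redact_token(bot_id, secret):
    """Keep the bot id for correlation across hosts but hide most of the secret."""
    return f"{bot_id}:{secret[:3]}...{secret[-2:]}"


def analyze(log_text):
    """Return per-client findings: which Bot API methods were called and a verdict."""
    per_client = defaultdict(lambda: {"methods": Counter(), "bot_ids": set(),
                                      "tokens": set(), "host_only": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        call = extract_bot_call(rec["url"])
        if call:
            bot_id, secret, api_method = call
            c = per_client[rec["client"]]
            c["methods"][api_method] += 1
            c["bot_ids"].add(bot_id)
            c["tokens"].add(redact_token(bot_id, secret))
        elif rec["method"] == "CONNECT" and rec["url"].startswith("api.telegram.org:"):
            # TLS not inspected: we know the host but not the token or method.
            per_client[rec["client"]]["host_only"] += 1

    findings = {}
    for client, c in per_client.items():
        polling = c["methods"]["getUpdates"] >= 2          # repeated long-polling for commands
        uploading = any(c["methods"][m] for m in UPLOAD_METHODS)  # data pushed back to the bot
        if polling and uploading:
            verdict = "bot-api-c2-pattern"
        elif sum(c["methods"].values()):
            verdict = "bot-api-use"
        else:
            verdict = "telegram-host-only"
        findings[client] = {
            "verdict": verdict,
            "bot_ids": c["bot_ids"],
            "tokens": c["tokens"],
            "methods": dict(c["methods"]),
            "host_only_connects": c["host_only"],
        }
    return findings


if __name__ == "__main__":
    for client, f in sorted(analyze(SAMPLE_LOG).items()):
        print(client, f["verdict"], f["methods"], sorted(f["tokens"]))
```

The bot id extracted from the URL is worth keeping even when the secret is redacted: it is stable across samples that share one attacker bot, so it can be used to tie infections together, and a full token recovered from a sample's configuration file can be submitted to Telegram for revocation.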

RATAttack provides the attacker the ability to execute the following commands:

  • /pc_info - for PC information
  • /msg_box - display message box with text
  • /snapshot - take a picture with webcam
  • /ip_info - via ipinfo.io
  • /download_file - download file from target
  • /list_dir - list contents of directory
  • /run_file - run a file on target
  • /capture_pc - screenshot PC
  • /keylogs - get keylogs
  • /self_destruct - destroy all traces from target PC

At the time the code was published, RATAttack's author was working on adding the following features:

  • Self-destruct RAT on the target PC
  • Take snapshots from the webcam (if attached)
  • Copy and move files on the target PC
  • Delete files on the target PC

Technical Detail

Bleeping Computer published a technical write-up of RATAttack.