Python-based Triton RAT Targeting Roblox Credentials

Researchers identified a Python-based Remote Access Tool named TritonRAT that targets Roblox credentials and exfiltrates data via a Telegram bot. The malware includes keylogging, credential theft from password stores, Roblox cookie theft, anti-analysis checks, and a secondary payload retrieved from DropBox to establish persistence.

Keypoints

  • TritonRAT is a Python-based RAT that uses Telegram for command and data exfiltration.
  • It steals Roblox cookies (.ROBLOSECURITY) from multiple browsers to access Roblox sessions.
  • The malware harvests credentials from password stores across several apps and decrypts them for theft.
  • Persistence is achieved via VBScript and BAT scripts that create scheduled tasks and download ProtonDrive from DropBox.
  • It includes anti-analysis checks and supports remote commands and screen/video/clipboard capture to enable broad data collection.

MITRE Techniques

  • [T1053.005] Scheduled Task/Job – Three scheduled tasks are created to run at logon of any user. (‘Three scheduled tasks are created to start on logon of any user.’)
  • [T1059.006] Command and Scripting Interpreter: Python – The Python script also contains code to create a VBScript and a BAT script, which are executed via PowerShell. (‘The Python script also contains code to create a VBScript and a BAT script which are executed with Powershell.’)
  • [T1082] System Information Discovery – A function gathers and exfiltrates system information. (‘Function that gathers and exfiltrates system information’)
  • [T1016] System Network Configuration Discovery – Gathers Wi-Fi information and the system's network configuration. (‘Gather Wifi Information’ and ‘System Network Configuration Discovery’)
  • [T1105] Ingress Tool Transfer – Retrieves a binary named ProtonDrive.exe from DropBox, stores it in a hidden folder and executes it with admin privileges. (‘retrieves a binary named ProtonDrive.exe from DropBox, stores it in a hidden folder and executes it with admin privileges.’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The VBScript disables Windows Defender. (‘disables Windows Defender.’)
  • [T1132] Data Encoding – The Telegram bot token and chat ID are stored Base64-encoded. (‘Telegram token and chat ID encoded in Base64’)
  • [T1021] Remote Services – All exfiltrated data is sent to Telegram via a Telegram bot. (‘All the exfiltrated data is sent to Telegram via a Telegram bot.’)
  • [T1056.001] Input Capture: Keylogging – A keylogging feature is included. (‘Keylogging.’)
  • [T1555] Credentials from Password Stores – Iterates over password stores, decrypts them and saves the passwords to a text file. (‘decrypts them and saves the passwords in a text file.’)
  • [T1539] Steal Web Session Cookie – Searches Opera, Chrome, Edge, Chromium, Firefox and Brave for Roblox security cookies (.ROBLOSECURITY); if found, the cookies are stored in a text file and exfiltrated. (‘Roblox security cookies (.ROBLOSECURITY) in Opera, Chrome, Edge, Chromium, Firefox and Brave, if found the cookies are stored in a text file and exfiltrated.’)
  • [T1546.015] Event Triggered Execution: Screensaver – Listed among the observed techniques without further detail. (‘Event Triggered Execution: Screensaver’)
  • [T1113] Screen Capture – Screen capture functionality is present. (‘Screen Capture’)
  • [T1125] Video Capture – Webcam/video capture capability. (‘Video Capture’)
  • [T1115] Clipboard Data – Collects clipboard data. (‘Clipboard Data’)
  • [T1497] Virtualization/Sandbox Evasion – Checks for “blacklisted” processes to evade analysis. (‘checks for “blacklisted” processes which include popular tools such as xdbg, ollydbg, FakeNet, and antivirus products.’)
  • [T1020] Automated Exfiltration – Exfiltrated data is automatically sent to Telegram. (‘All the exfiltrated data is sent to Telegram via a Telegram bot’)
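
As an added triage example (not code from the Darktrace write-up or from the malware), the script below scans Python source for Base64 string literals that decode to a Telegram bot token, chat ID or Telegram API URL, the storage pattern this page describes under T1132. The token and chat-ID regexes are assumptions about Telegram's formats, and the sample source is constructed.

```python
import base64
import re

# Assumed formats: a bot token is "<numeric bot id>:<35-char secret>", a chat ID
# is a signed integer. A Base64 literal that decodes to either is a strong hint
# that a script hides a Telegram C2/exfiltration channel the way this page describes.
TOKEN_RE = re.compile(r"^\d{8,10}:[A-Za-z0-9_-]{35}$")
CHAT_ID_RE = re.compile(r"^-?\d{6,15}$")
# Quoted literal made only of Base64 characters, long enough to be interesting.
B64_LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/]{12,}={0,2})['"]""")


def classify(decoded: str):
    """Label a decoded string if it looks like a Telegram artifact, else None."""
    if TOKEN_RE.match(decoded):
        return "telegram_bot_token"
    if CHAT_ID_RE.match(decoded):
        return "telegram_chat_id"
    if "api.telegram.org" in decoded:
        return "telegram_api_url"
    return None


def find_telegram_artifacts(source: str):
    """Return [(kind, decoded_value)] for every suspicious Base64 literal in source."""
    hits = []
    for match in B64_LITERAL_RE.finditer(source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except ValueError:  # not valid Base64, or not printable ASCII: skip it
            continue
        kind = classify(decoded)
        if kind:
            hits.append((kind, decoded))
    return hits


# Constructed sample: a fake token and chat ID encoded as the page describes,
# plus a benign Base64 literal ("hello world") that must not be flagged.
SAMPLE_TOKEN = "1234567890:AAH" + "x" * 32
SAMPLE_CHAT_ID = "-1001234567890"
SAMPLE_SOURCE = "\n".join([
    'BOT_TOKEN = "' + base64.b64encode(SAMPLE_TOKEN.encode()).decode() + '"',
    'CHAT_ID = "' + base64.b64encode(SAMPLE_CHAT_ID.encode()).decode() + '"',
    'BANNER = "aGVsbG8gd29ybGQ="',
])

if __name__ == "__main__":
    for kind, value in find_telegram_artifacts(SAMPLE_SOURCE):
        print(kind, value)
```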

Indicators of Compromise

  • [File] ProtonDrive.exe – Payload binary referenced by the BAT script and used for persistence.

Read more: https://darktrace.com/blog/python-based-triton-rat-targeting-roblox-credentials