Netskope Threat Research Labs discovered a cloud application native Remote Access Trojan (RAT) that we have dubbed TelegramRAT. TelegramRAT uses the Telegram Messenger application for its command and control, and a cloud storage platform for its payload host. This cloud-native approach is designed to evade traditional security scanners that are not able to inspect SSL or not able to provide Cloud Application Instance level traffic inspection.
TelegramRAT begins its attack as a malicious Microsoft Office document exploiting the November CVE-2017-11882 vulnerability. The document uses the Bit.ly URL redirection service to conceal the TelegramRAT payload hosted on Dropbox. As we have in the past, Netskope Threat Research Labs is active