Malware

HeroRAT – A totally new Telegram-based Android RAT is spreading in the wild

Malware researchers from ESET have discovered a new strain of Android RAT, tracked as HeroRat, that leverages Telegram protocol for command and control, and data exfiltration.

HeroRat isn’t the first malware abusing Telegram protocol, past investigation reported similar threats like TeleRAT and IRRAT.

The new RAT has been in the wild at least since August 2017 and in March 2018 its source code was released for free on Telegram hacking channels allowing various threat actors to create their own variant.

HeroRat is born in this way, but it appears quite different from other variants that borrowed the source code. HeroRat is the first Telegram-based malware developed from scratch in C# using the Xamarin framework, previous ones were written in Java.

The RAT leverages Telesharp library for creating Telegram bots with C#.

“One of these variants is different from the rest – despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat.” reads the analysis published by ESET. 

“It is available in three pricing models according to functionality, and comes with a support video channel. It is unclear whether this variant was created from the leaked source code, or if it is the “original” whose source code was leaked.”

The malware is spread through different channels, it is spread third-party app stores through disguised as social media and messaging apps.

Researchers observed the largest number of infection in Iran where malicious apps are offered promising free bitcoins, free internet connections, and additional followers on social media.

The apps analyzed by ESET shows a strange behavior, after the malware is installed and launched on the victim’s device, it displays a small popup claiming the application can’t run on the device and for this reason, it will be uninstalled.

Once the uninstallation is seemingly completed, the icon associated with the app disappears, unfortunately, the attacker has already obtained the control of the victim’s device.

The attacker leverages the Telegram bot functionality to control the infected device, the malware is able to execute a broad range of commands such as data exfiltration and audio/video recording.

“The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings.“continues the analysis.

The source code of the HeroRat is offered for sale for 650 USD, the authors offer three packages of the malware depending on the features implemented., bronze, silver, and gold that go for 25, 50, and 100 USD, respectively.

The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating.

The availability of the source code online will push new versions, the best way to check if your mobile has been infected is to scan it using a reliable mobile security solution.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – HeroRat, Telegram)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

1 hour ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

5 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

19 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.