We’ve seen plenty of malware that has used instant messaging to spread, but this one uses Telegram in much more nefarious ways.
Security researchers at ESET have discovered a new RAT (Remote Administration Tool) that operates through Telegram. In the past, various messengers have been used as a transport for malware, but in this case the malware, dubbed HeroRAT, is actually controlled through Telegram.
HeroRAT is being sold in three distinct bundles, offering various capabilities to purchasing attackers. The bronze bundle sells for $25 US, the silver bundle for $50 US and the gold bundle for $100 US. The capabilities of these bundles are shown in the figure below from ESET.
The malware is probably being distributed through third-party app stores or through malicious links. At this point, it has not appeared in the Google Play Store. Upon installation, the user is asked to grant the malware various permissions, among them administrative access. Once this is granted, the malware, disguised as a legitimate app, pretends to attempt to install itself, then tells the user that it cannot be installed, and removes its icon from the phone. The user believes that the app is gone, but in reality the device has been infected.
Attackers then have control of the phone, with the abilities listed in the above image. And how do they control the malware? Directly through Telegram’s bot functionality.
“Communicating commands to and exfiltrating data from the compromised devices are both covered entirely via the Telegram protocol – a measure aimed at avoiding detection based on traffic to known upload servers.”
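Because the command channel is the Telegram Bot API rather than an attacker-owned server, a defender cannot rely on blocklists of known upload hosts and has to look at the shape of the Telegram traffic instead. The following is an added example (not part of the ESET report or this article) that scans constructed proxy-log lines for Bot API requests (the documented `/bot<id>:<secret>/<method>` path) and flags any bot whose traffic shows both command polling and file upload from the same network; the log format, client addresses and bot tokens are all made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): "<client> <method> <url>".
# The bot tokens are fake placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleTokenNotReal/getUpdates?offset=1
10.0.0.12 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendDocument
10.0.0.7 GET https://web.telegram.org/k/
10.0.0.9 GET https://example.com/index.html
10.0.0.12 POST https://api.telegram.org/bot987654321:BBAnotherFakeToken/sendMessage
""".splitlines()

# Telegram Bot API path shape: /bot<numeric bot id>:<secret>/<method name>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

def parse_line(line):
    """Split one constructed log line into (client, http_method, parsed url)."""
    client, method, url = line.split(" ", 2)
    return client, method, urlsplit(url)

def find_bot_api_calls(lines):
    """One finding per request to api.telegram.org that matches the Bot API
    path; the token secret is dropped so it never lands in a report."""
    findings = []
    for line in lines:
        client, _http_method, u = parse_line(line)
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(u.path)
        if not m:
            continue
        bot_id, _secret, api_method = m.groups()
        findings.append({"client": client, "bot_id": bot_id, "method": api_method})
    return findings

def summarize(findings):
    """Group findings by bot id: which clients talked to it, which methods."""
    by_bot = {}
    for f in findings:
        entry = by_bot.setdefault(f["bot_id"], {"clients": set(), "methods": set()})
        entry["clients"].add(f["client"])
        entry["methods"].add(f["method"])
    return by_bot

def suspicious_bots(summary):
    """A bot that is both polled for commands (getUpdates) and used to push
    files out (send* upload methods) matches the control-plus-exfil pattern."""
    polling = {"getUpdates"}
    uploads = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
    return sorted(b for b, s in summary.items()
                  if s["methods"] & polling and s["methods"] & uploads)
```

Without TLS inspection only the host name is visible, so on an unproxied device the check reduces to spotting api.telegram.org connections made by an app that is not a Telegram client.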