ESET security experts have found a brand new strain of Android RAT, called HeroRat, which uses the Telegram protocol for command and control and for stealing users’ data.
After TeleRAT and IRRAT, Android users are now being targeted by HeroRat, which has been active since at least August 2017. In March 2018, the source code of HeroRat was released for free on Telegram hacking channels, letting attackers develop new variants of the malware.
Yet HeroRat appears to be rather different from the other variants that borrowed the source code: it is the first Telegram-based Android malware developed from scratch in C# using the Xamarin framework, while the previous ones were written in Java.
The new RAT uses the Telesharp library to create Telegram bots in C#.
“One of these variants is different from the rest – despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat,” the ESET analysis states.
“It is available in three pricing models according to functionality and comes with a support video channel. It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked.”
HeroRat is distributed through several channels, most often as apps disguised as social media and messaging applications on third-party app stores.
The largest number of infections was recorded in Iran, where the malicious apps are offered with promises of free bitcoins, free internet connections, and additional followers on social media.
The application analyzed by ESET shows a peculiar behavior. Once installed on the user’s device, the malware displays a small pop-up claiming that the application cannot run on the device and will therefore be uninstalled.
As soon as the application is removed, its icon also disappears; however, the device remains under the hacker’s control.
By using the Telegram bot functionality to control the infected device, the malware is able to execute a broad range of commands such as data exfiltration and audio/video recording.
“The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings,” the ESET analysis reads.
The full HeroRat source code is offered for sale for 650 USD, and its authors also offer three packages of the malware depending on the features implemented – bronze, silver, and gold – which cost 25, 50, and 100 USD, respectively.
The capabilities of HeroRat are accessible in the form of clickable buttons in the Telegram bot interface. By tapping the buttons available in their version of the malware, hackers can control all of the infected devices.