HeroRat is a newly reported Android Trojan that uses Telegram's protocols to set up an encrypted channel to its hacker-controlled servers. Analysis became possible after its source code was released on underground hacking networks, and because the code is now public it can easily be reused to build further variants.
Telegram Protocols Used In HeroRat Trojan Delivery Method
Security researchers have reported the discovery of the HeroRat Trojan. Code analysis shows that it uses Telegram's protocols to establish an encrypted connection to its command-and-control servers. Its source code was recently made public on underground hacker markets, which has allowed experts to analyse it in detail.
The reports indicate that the Trojan may have been used in attacks since August 2017. It was written from scratch in C# using the popular Xamarin framework, whereas previous Android Trojans of this kind were written in Java. The code is still offered for sale, either in its "vanilla" form or as a customized build tailored to the buyer's requirements.
The current campaign targets devices in Iran. The attackers distribute the APK through messages built around social-engineering lures: free Bitcoins, followers on social media, or free Internet access. Only Android devices are targeted at the moment. Once the APK is installed and launched it asks the user to grant it the following device administrator permissions:
- Erase all data — Erase the phone’s data without warning by performing a factory data reset.
- Change the screen-unlock password — Change the screen-unlock password.
- Set password rules — Control the length and the characters allowed in screen-unlock passwords.
- Monitor screen-unlock attempts — Monitor the number of incorrect passwords typed when unlocking the screen, and lock the phone or erase all the phone's data if too many incorrect passwords are typed.
- Lock the screen — Control how and when the screen locks.
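The five permissions listed above are the user-facing descriptions of Android device-admin policies, which an app declares in its device_admin.xml resource. The script below is an added triage example (not code from the original article or from the HeroRat sample): it parses such a resource, maps each declared policy back to the description the victim sees, and flags the combination that lets an app lock the owner out and wipe the device. The sample XML is constructed to mirror the permission set described above; the policy-name-to-description mapping follows Android's own device-admin policy names.

```python
import xml.etree.ElementTree as ET

# Android device-admin policy names (as declared under <uses-policies> in an
# app's device_admin.xml) mapped to the descriptions shown on the consent screen.
POLICY_DESCRIPTIONS = {
    "wipe-data": "Erase all data",
    "reset-password": "Change the screen-unlock password",
    "limit-password": "Set password rules",
    "watch-login": "Monitor screen-unlock attempts",
    "force-lock": "Lock the screen",
}

# Requested together, these let the app lock the owner out and destroy evidence.
HIGH_RISK = {"wipe-data", "reset-password", "force-lock"}

# Constructed sample resource modelled on the permission set described above.
# It is not taken from a real HeroRat sample.
SAMPLE_DEVICE_ADMIN_XML = """<?xml version="1.0" encoding="utf-8"?>
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <wipe-data />
    <reset-password />
    <limit-password />
    <watch-login />
    <force-lock />
  </uses-policies>
</device-admin>
"""


def requested_policies(xml_text):
    """Return the set of policy names declared under <uses-policies>."""
    root = ET.fromstring(xml_text)
    if root.tag != "device-admin":
        raise ValueError("not a device-admin resource: root is %r" % root.tag)
    policies = set()
    for uses in root.findall("uses-policies"):
        for child in uses:
            policies.add(child.tag)
    return policies


def triage(xml_text):
    """Map declared policies to consent-screen wording and rate the request."""
    policies = requested_policies(xml_text)
    described = {
        p: POLICY_DESCRIPTIONS.get(p, "(policy not in the list above)")
        for p in sorted(policies)
    }
    hits = policies & HIGH_RISK
    if hits == HIGH_RISK:
        verdict = "high"      # full lock-out-and-wipe capability requested
    elif hits:
        verdict = "medium"    # partial, e.g. only force-lock for a kiosk app
    else:
        verdict = "low"
    return {"policies": described, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_DEVICE_ADMIN_XML)
    for name, text in result["policies"].items():
        print("%-16s %s" % (name, text))
    print("verdict:", result["verdict"])
```

A single policy such as force-lock is common in legitimate MDM or kiosk apps, which is why only the full lock-out-and-wipe set is rated high; run it over the device_admin.xml pulled out of a decompiled APK rather than trusting the app's store description.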
HeroRat Trojan Uses Telegram Protocols During Execution
Once the HeroRat Trojan is installed on a target Android device it displays a pop-up message claiming that the app cannot run on the device and then pretends to uninstall itself. The message is fake: the app remains installed, and at the same time the infection is reported to the hacker-controlled servers. Captured samples show the message in either English or Persian (Farsi).
The command channel is built on Telegram's bot functionality, which gives the operators an encrypted connection to the infected devices without running their own protocol or infrastructure. From the controller interface the operators can select among various options, each of which executes a command on the infected host. A partial list of the available actions:
- Set Name
- Turn Off Phone
- Restart Phone
- Start Voice Record
- Stop Voice Recording
- Uninstall App
- Send SMS from This
- Installed apps
- Play voice
- Show Message
- File Explorer
- Install Plugin
- Update info
- Reset Factory
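Because the command channel rides on Telegram's bot functionality, the traffic blends in with legitimate Telegram use and no attacker-owned domain ever appears. One signal that survives is the shape of the traffic: a bot client polls for commands repeatedly and then uploads results to the same bot token. The script below is an added detection example (not code from the original article or from the HeroRat sample) that runs over constructed proxy log lines and flags a client that keeps polling one bot and pushes data back to it. It assumes the RAT talks to the public Bot API over HTTPS with URLs of the form https://api.telegram.org/bot<token>/<method>, that the proxy can see the URL path (TLS inspection), and that a token is a numeric bot id, a colon and an alphanumeric secret; the exact secret length is an assumption and the token in the sample is made up.

```python
import re
from collections import Counter, defaultdict

# Bot API call shape: https://api.telegram.org/bot<token>/<method>.
# Token assumed to be "<numeric id>:<secret>"; the minimum secret length is a guess.
BOT_CALL = re.compile(r"https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{20,})/(\w+)")

# A bot-driven RAT needs getUpdates to poll for operator commands and the
# send* methods to return recordings, files and status messages.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendVoice", "sendPhoto"}

# Constructed proxy log lines: "<timestamp> <client> <verb> <url>".
# This is not real traffic and the bot token is invented for illustration.
SAMPLE_LOG = """\
2018-06-18T10:00:01Z 10.0.0.12 GET https://api.telegram.org/bot111111111:AAFakeTokenForIllustrationOnly_0000/getUpdates
2018-06-18T10:00:04Z 10.0.0.12 GET https://api.telegram.org/bot111111111:AAFakeTokenForIllustrationOnly_0000/getUpdates
2018-06-18T10:00:07Z 10.0.0.12 GET https://api.telegram.org/bot111111111:AAFakeTokenForIllustrationOnly_0000/getUpdates
2018-06-18T10:00:09Z 10.0.0.12 POST https://api.telegram.org/bot111111111:AAFakeTokenForIllustrationOnly_0000/sendDocument
2018-06-18T10:00:11Z 10.0.0.37 GET https://web.telegram.org/
2018-06-18T10:00:15Z 10.0.0.12 GET https://api.telegram.org/bot111111111:AAFakeTokenForIllustrationOnly_0000/getUpdates
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def bot_calls(log_text):
    """Yield (client, token, api_method) for every Bot API call in the log."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue            # skip lines that are not in the expected format
        _ts, client, _verb, url = m.groups()
        call = BOT_CALL.search(url)
        if call:
            yield client, call.group(1), call.group(2)


def find_bot_c2(log_text, min_polls=3):
    """Flag (client, bot) pairs that poll repeatedly; report exfil calls too."""
    per_pair = defaultdict(Counter)
    for client, token, api_method in bot_calls(log_text):
        per_pair[(client, token)][api_method] += 1

    findings = []
    for (client, token), methods in sorted(per_pair.items()):
        polls = sum(methods[m] for m in POLL_METHODS)
        exfil = sum(methods[m] for m in EXFIL_METHODS)
        if polls >= min_polls:
            findings.append({
                "client": client,
                "bot_id": token.split(":", 1)[0],   # never log the secret half
                "polls": polls,
                "exfil": exfil,
            })
    return findings


if __name__ == "__main__":
    for f in find_bot_c2(SAMPLE_LOG):
        print("client %(client)s polls bot %(bot_id)s: %(polls)d getUpdates, "
              "%(exfil)d upload calls" % f)
```

A legitimate bot client on a developer workstation produces the same pattern, so treat the finding as a lead: a phone or a user device that polls a bot token is the anomaly, and the bot id (not the secret) is what to pivot on across the rest of the logs.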
The collected information shows that the HeroRat Trojan gives the operators access to practically all contents stored on the device. It can also be used to deploy additional threats, spy on victims in real time and take control of the device at any time. The harvested data can be used for financial abuse or identity theft. Its signatures are being added to mobile security solutions, which is why we recommend that all Android users run a quality security product to guard against infection.