Security researchers at Palo Alto Networks recently discovered a new Android Trojan, dubbed TeleRAT, that uses Telegram for data exfiltration. More precisely, it uses the Telegram Bot API for command-and-control (C&C) communication and for sending stolen data off the device. Believed to have originated from Iran, it shows strong similarities to an earlier known Trojan named IRRAT.
How Does TeleRAT Work?
Although comparisons are being drawn between IRRAT and TeleRAT, the two work quite differently. IRRAT steals contacts, the list of Google accounts registered on the device, SMS history and so on, stores the stolen data on the phone’s SD card and then sends it to a server; it can also take pictures with the front and rear cameras. TeleRAT, on the other hand, creates two files, “telerat2.txt” and “thisapk_slm.txt”. telerat2.txt stores device information such as the system bootloader version, memory size, number of processor cores and more, while thisapk_slm.txt contains a Telegram channel and a list of commands.
Once installed, the malicious code notifies the attackers by sending a message containing the current date and time. At the same time, the Trojan starts a background service that watches for changes to the clipboard and polls the Telegram Bot API for new commands every 4.6 seconds.
TeleRAT’s feature set is no less capable: it can receive commands to collect your contacts, location, installed applications and even clipboard contents. It can also download files, send or receive text messages, take photos, place calls, mute the phone or put it on speaker, turn off the screen, uninstall applications, and more. Simply put, it can take over your device. It uploads stolen data with Telegram’s “sendDocument” API method, so the exfiltration rides on ordinary HTTPS traffic to Telegram’s own servers, which is exactly why it is easy to miss with network-based detection. Quite impressive indeed!
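The two behaviours described above, the tight 4.6-second getUpdates polling loop and the sendDocument uploads, are still visible to a defender who can see request URLs. The script below is an added example for this article, not code from Palo Alto Networks or from TeleRAT itself. It assumes a TLS-inspecting proxy (or on-device capture) that logs each request as "<epoch> <client_ip> <verb> <url>"; the log lines and bot tokens in it are constructed and fake. It flags clients that poll getUpdates on a short, regular cadence or call sendDocument, and extracts the bot token embedded in every Bot API URL, which is both an indicator of compromise and the credential that controls the bot.

```python
"""Hunt for Telegram Bot API command-and-control beaconing in HTTP proxy logs.

Added example (not Palo Alto Networks' or TeleRAT's code). Assumes a
TLS-inspecting proxy or on-device capture that logs one request per line as
"<epoch> <client_ip> <verb> <url>". SAMPLE_LOG is constructed; tokens are fake.
"""
import re
from collections import defaultdict
from statistics import median, pstdev

# Bot API requests carry the bot's secret token in the URL path:
# https://api.telegram.org/bot<token>/<apiMethod>
BOT_URL_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<api>\w+)"
)

# Constructed sample: 10.0.0.5 mimics the article's behaviour (a check-in
# message, getUpdates every 4.6 s, one sendDocument upload); 10.0.0.9 is a
# slow, irregular poller that should not be flagged; 10.0.0.7 is unrelated.
SAMPLE_LOG = """\
1520000000.0 10.0.0.5 POST https://api.telegram.org/bot111111111:FAKEtoken-deviceA/sendMessage
1520000004.6 10.0.0.5 GET  https://api.telegram.org/bot111111111:FAKEtoken-deviceA/getUpdates
1520000009.2 10.0.0.5 GET  https://api.telegram.org/bot111111111:FAKEtoken-deviceA/getUpdates
1520000013.8 10.0.0.5 GET  https://api.telegram.org/bot111111111:FAKEtoken-deviceA/getUpdates
1520000018.4 10.0.0.5 GET  https://api.telegram.org/bot111111111:FAKEtoken-deviceA/getUpdates
1520000023.0 10.0.0.5 GET  https://api.telegram.org/bot111111111:FAKEtoken-deviceA/getUpdates
1520000025.1 10.0.0.5 POST https://api.telegram.org/bot111111111:FAKEtoken-deviceA/sendDocument
1520000027.6 10.0.0.5 GET  https://api.telegram.org/bot111111111:FAKEtoken-deviceA/getUpdates
1520000001.0 10.0.0.9 GET  https://api.telegram.org/bot222222222:FAKEtoken-deviceB/getMe
1520000060.0 10.0.0.9 GET  https://api.telegram.org/bot222222222:FAKEtoken-deviceB/getUpdates
1520000180.0 10.0.0.9 GET  https://api.telegram.org/bot222222222:FAKEtoken-deviceB/getUpdates
1520000250.0 10.0.0.9 GET  https://api.telegram.org/bot222222222:FAKEtoken-deviceB/getUpdates
1520000300.0 10.0.0.7 GET  https://www.example.org/index.html
"""


def parse_log(text):
    """Return (timestamp, client, api_method, token) for each Bot API request."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _verb, url = parts
        m = BOT_URL_RE.match(url)
        if m:
            records.append((float(ts), client, m.group("api"), m.group("token")))
    return records


def hunt(text, max_interval=10.0, min_polls=5, max_jitter_ratio=0.25):
    """Flag clients that poll getUpdates on a tight, regular cadence (beaconing)
    or upload files via sendDocument. Returns {client_ip: finding}."""
    polls = defaultdict(list)
    uploads = defaultdict(int)
    tokens = defaultdict(set)
    for ts, client, api, token in parse_log(text):
        tokens[client].add(token)
        if api == "getUpdates":
            polls[client].append(ts)
        elif api == "sendDocument":
            uploads[client] += 1

    findings = {}
    for client in set(polls) | set(uploads):
        times = sorted(polls[client])
        gaps = [b - a for a, b in zip(times, times[1:])]
        beaconing, med, jitter = False, None, None
        if len(times) >= min_polls:
            med, jitter = median(gaps), pstdev(gaps)
            # Short median interval with little jitter = machine-driven polling.
            beaconing = med <= max_interval and jitter <= max_jitter_ratio * med
        if beaconing or uploads[client]:
            findings[client] = {
                "tokens": sorted(tokens[client]),  # IOC and the bot's credential
                "polls": len(times),
                "median_interval": med,
                "jitter": jitter,
                "beaconing": beaconing,
                "uploads": uploads[client],
            }
    return findings


if __name__ == "__main__":
    for client, finding in hunt(SAMPLE_LOG).items():
        print(client, finding)
```

On the constructed log this flags only 10.0.0.5 (median interval 4.6 s, one sendDocument upload) and reports its token; the slow poller on 10.0.0.9 never meets the cadence threshold. Without URL visibility the same traffic is just HTTPS to api.telegram.org, which is the point the article makes about network-based detection.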
Talking About the Code
Professionals who have studied the code report that it is stitched together from code written by others: rather than writing the Trojan from scratch, its authors assembled pieces from other projects, including source code shared freely through Telegram channels. This reuse of widely circulated code makes it harder to attribute the malware to a specific author.
How Is TeleRAT Being Spread?
TeleRAT is being distributed through both legitimate-looking and outright malicious Iranian Telegram channels. According to Palo Alto Networks’ figures, 2,293 devices are currently infected, and 82% of them have an Iranian phone number.
The TeleRAT campaign did not turn into a large-scale breach, but it makes one thing very clear: no matter how hard we try, hackers will keep finding new channels to abuse and will never stop trying. What do you think? Share your opinion in the comments.