Android Trojan Leverages Telegram for Data Exfiltration

A newly discovered Android Trojan is abusing Telegram's Bot API to communicate with the command and control (C&C) server and to exfiltrate data, Palo Alto Networks security researchers warn.

Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The threat is similar to the previously observed IRRAT Trojan, which uses Telegram's bot API for C&C communication only.

Still active in the wild, IRRAT masquerades as applications supposedly informing users on the number of views their Telegram profile received (something that Telegram doesn't actually allow for). After the app's first launch, the malware creates and populates a series of files on the phone's SD card, which it then sends to an upload server.

The files contain contact information, a list of Google accounts registered on the phone, SMS history, a picture taken with the front-facing camera, and a picture taken with back-facing camera.

The malicious app reports to a Telegram bot, hides its icon from the phone's app menu, and continues to run in the background, waiting for commands.

TeleRAT, on the other hand, creates two files on the device, one containing various device information (including system bootloader version number, available memory, and number of processor cores), and another containing a Telegram channel and a list of commands, Palo Alto Networks says.

After installation, the RAT informs attackers on this by sending a message to a Telegram bot via the Telegram bot API with the current date and time. It also starts a background service to listen for changes made to the clipboard, and fetches updates from the Telegram bot API every 4.6 seconds, listening for commands.

Based on the received commands, the malware can grab contacts, location, app list, or the content of the clipboard; receive charging information; get file list or root file list; download files, create contacts, set wallpaper, receive or send SMS; take photos; receive or make calls; turn phone to silent or loud; turn off the phone screen; delete apps; cause the phone to vibrate; and get photos from the gallery.

The new malware family is also capable of uploading exfiltrated data using Telegram's sendDocument API method. By performing all communication via the Telegram bot API, it evades network-based detection.

The use of said API allows for getting updates in two manners, namely the getUpdates method (which exposes a history of all the commands sent to the bot, including the usernames the commands originated from), and the use of a Webhook (bot updates can be redirected to a HTTPS URL specified by means of a Webhook).

The researchers claim to have found an image of the botmaster testing out the RAT, along with exfiltrated messages to confirm it.

The malware also appears to contain the developer's username in the code, which lead researchers to the 'vahidmail67' Telegram channel, which advertises applications to help users get likes and followers on Instagram, ransomware, and even the source code for an unnamed RAT.

The researchers also found threads on an Iranian programmers' forum advertising the sale of a Telegram bot control library and say that code from developers frequenting the forum was found in encountered TeleRAT samples. Although the forum claims all content is in accordance with Iran's laws, the malicious use for some of the code advertised there is clear.

Because TeleRAT puts together code written by several developers, including freely available source code via Telegram channels and code sold on forums, this makes it difficult to point to one single actor commanding either IRRAT or TeleRAT. Thus, Palo Alto Networks says the malware could be the work of several actors possibly operating inside of Iran.

The malware is distributed via seemingly legitimate applications in third-party Android app stores and also distributed and shared via both legitimate and nefarious Iranian Telegram channels.

A total of 2,293 users were apparently infected, based on the analyzed infrastructure, with 82% of the victims having Iranian phone numbers.

Related: Telegram Must Give FSB Encryption Keys: Russian Court

Related: Zero-Day in Telegram's Windows Client Exploited for Months

Fraud Prevention Firm Sift Science Raises $53 Million

Fraud prevention and risk management solutions provider Sift Science today announced that it has closed a £53 million Series D funding round, bringing the total raised to date by the company to £107 million. The latest funding round was led by New York-based growth equity firm Stripes Group, with participation from SPINS, Remitly, Flatiron Health, Udemy, GrubHub, and previous investors Union Square Ventures, Insight Venture Partners, and Spark Capital. Sift Science plans on using the newly acquired funds to expand its global footprint in the fraud detection and prevention market, which is estimated to reach roughly £42 billion by 2022.

Sift's Digital Trust Platform relies on machine learning to protect businesses against fraud and abuse, including payment fraud, fake accounts, account hijacking, and abusive user-generated content. The platform uses data from thousands of websites and apps to identify fraud patterns based on connections between users, behaviors, locations, devices and more. Sift says its customers include Airbnb, Twitter, Twilio, Shutterstock, Yelp, Wayfair and Jet.

"We believe Sift is uniquely positioned to leverage its best-in-class software platform and data network to fundamentally reshape the way businesses and consumers interact online - with more confidence, transparency and security. We are thrilled to be partnering with Sift as it accelerates its already exceptional growth trajectory," said Ron Shah, partner at Stripes Group. Related: Virsec Raises £24 Million in Series B Funding

Related: ThreatQuotient Raises £30 Million in Series C Funding

Related: RELX Group to Acquire Fraud Fighting Firm ThreatMetrix for £815 Million

Webinar Today – Reducing Privileges Reduces Risk: Using the Least Privilege Model

Reducing Privileges Reduces Risk: Using the Least Privilege Model Live Webinar - March 21, 2018 at 1PM ET Have you been exploring ways to implement a least privilege strategy to lower your risk of malware-based attack?

Are you struggling to meet security compliance requirements, trying to lock down and remove unneeded and unmanaged privileged accounts? Worried that removing local admin privileges from users will backfire if they can't access the applications and tools they need? Removing local admin rights, including hidden and hard-coded credentials, mitigates virtually all critical vulnerabilities on Windows and Mac endpoints.

But it's not enough to ensure your organization stays productive. Policy-based application control ensures business users can still access and manage the applications they need to do their job. Please join SecurityWeek and Thycotic for this webinar learn the most effective way to discover, manage, secure and enforce local admin accounts.

Register Now