However, it’s hard to see any non-malicious use for some of the code advertised there or written by developers that frequent it – for instance, a service that runs in the background listening for changes to the Clipboard (pictured in the code snippet in Figure 3 further above).
Overall, TeleRAT pieces together code written by several developers. However, because the source code is freely available via Telegram channels and is also sold on forums, we can't point to a single actor commanding either IRRAT or TeleRAT; it appears to be the work of several actors, possibly operating inside Iran.
Based on the infrastructure we analysed, we identified a total of 2,293 victims at the time of writing.
The victims are not widely dispersed geographically: 82% of them have Iranian phone numbers.
Aside from the Telegram channel, while looking for references to certain TeleRAT components, we stumbled upon threads on an Iranian programmers' forum advertising the sale of a Telegram bot control library.
The RAT announces its successful installation to the attackers by sending a message to a Telegram bot via the Telegram Bot API with the current date and time.
More interestingly, it starts a service that listens for changes made to the Clipboard in the background.
Telegram Bots are special accounts that do not require an additional phone number to set up and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news.
And while Android malware abusing Telegram’s Bot API to target Iranian users is not fresh news (the emergence of a Trojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these Telegram Bots were being abused to command and control malicious Android applications.
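As an added defender-side example (not part of the original report), the Python below picks Telegram Bot API requests out of constructed proxy-log lines of the kind the installation beacon described above would produce, and groups them per internal client. The log format, the client addresses, the bot id and the token are all hypothetical; the bot-token shape is assumed from the public Bot API URL scheme.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Bot API calls look like https://api.telegram.org/bot<token>/<method>, where the token is
# "<numeric bot id>:<secret>". The secret length is an assumption, so the pattern is kept loose.
BOT_URL_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)$")

# Constructed sample proxy log: "<timestamp> <client ip> <http method> <url>" (hypothetical format).
SAMPLE_LOG = """\
2018-03-20T10:01:02Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleExampleExampleExampleExamp/sendMessage?chat_id=555&text=installed+2018-03-20
2018-03-20T10:01:05Z 10.0.0.15 GET https://api.telegram.org/bot123456789:AAExampleExampleExampleExampleExamp/getUpdates
2018-03-20T10:02:00Z 10.0.0.22 GET https://web.telegram.org/
2018-03-20T10:03:00Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleExampleExampleExampleExamp/sendMessage?chat_id=555&text=clip
"""


def parse_bot_calls(log_text):
    """Return one record per request to api.telegram.org/bot<token>/<method>.

    The token secret is deliberately not stored: the bot id is enough to pivot on,
    and copying live tokens into analyst tooling is a needless exposure."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # malformed line, skip rather than crash
        ts, client, _http_method, url = fields
        parts = urlsplit(url)
        if parts.hostname != "api.telegram.org":
            continue  # ordinary Telegram web/client traffic is not Bot API use
        m = BOT_URL_RE.match(parts.path)
        if not m:
            continue
        bot_id, _secret, api_method = m.groups()
        chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
        hits.append({"ts": ts, "client": client, "bot_id": bot_id,
                     "api_method": api_method, "chat_id": chat_id})
    return hits


def summarize_clients(hits):
    """Group Bot API activity per internal client: which bots it talks to and how often per method.

    Bots are a legitimate Telegram feature, so this is a triage signal for an analyst,
    not a verdict; a phone calling sendMessage right after an app install is what to look at."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["client"], {"bot_ids": set(), "methods": {}})
        entry["bot_ids"].add(h["bot_id"])
        entry["methods"][h["api_method"]] = entry["methods"].get(h["api_method"], 0) + 1
    return summary
```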