Check Point researchers have noticed new malware from a well-known Android malware vendor who has this time teamed up with another criminal; together they advertise and sell a remote access Trojan (RAT) that can take control of an infected device and extract photos, location data, contacts and messages from popular apps such as Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line and Google Messages.
The seller, who appears under the name “Triangulum” on numerous dark web forums, is allegedly a 25-year-old man of Indian origin. Three years ago, on October 20, 2017, he offered his first Android malware for sale, having announced it months earlier on a hacker forum. That malware was a mobile RAT for Android devices, capable of stealing sensitive data from a device, destroying local data and even the entire OS, the researchers said.
After that, Triangulum disappeared for a year and a half; on April 6, 2019, he reappeared and offered as many as four different products in just six months. Offering four pieces of malware in such a short time seemed suspicious to the researchers, since one person could hardly develop four malware families in half a year. The investigation revealed that Triangulum collaborated with another developer who appears on the forums under the name “HeXaGoN Dev” and who specializes in developing RATs for Android.
Triangulum bought several pieces of malware from HeXaGoN Dev and advertised them on the forums. Interestingly, HeXaGoN Dev posed as a potential customer in an attempt to attract as many buyers as possible.
Initially, the duo offered a permanent subscription for $60; last year they switched to a more financially viable SaaS (Software-as-a-Service) business model, charging customers $30 for a monthly subscription and $190 for permanent access to the malware, which they call Rogue.
Triangulum’s attempts to expand into the Russian market failed because he refused to share demo videos on the forum where he advertised the malware, so users did not trust him.
Rogue (v6.2) is the latest version of the Dark Shades (v6.0) malware that HeXaGoN Dev sold before Triangulum bought it in August 2019. The malware also includes features taken from another malware family called Hawkshaw, whose source code became public in 2017.
“Triangulum did not develop this creation from scratch, it took what was available from both worlds, open source and the darknet, and combined these components,” the researchers said.
Dark Shades turned out to be the “superior heir” of Cosmos, a dedicated RAT sold by HeXaGoN Dev, which made selling Cosmos superfluous.
Rogue is sold as a RAT “created to execute commands, with amazing features and without the need for a computer”, with additional options for remote control of infected devices using a control panel or smartphone.
The RAT boasts a wide range of features that let it take control of the device, extract any type of data from it, modify files on it, and even download additional malware.
It is also designed to evade detection by hiding its icon from the user, bypassing Android’s security restrictions by using accessibility features to record user actions, and registering its own notification service to read every notification that appears on an infected phone.
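The three behaviours described above (no launcher icon, an accessibility service that observes user actions, a notification-listener service) all leave traces in an app's manifest. The following static triage script is an added example for defenders, not code from the article or from Rogue; the manifest it parses is constructed here and the scoring thresholds are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample manifest for this example; not taken from any real APK.
# It has a MAIN activity without the LAUNCHER category (no home-screen icon),
# an accessibility service and a notification-listener service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


def _names(el, tag):
    """Set of android:name values of all <tag> descendants of el."""
    return {c.get(ANDROID + "name") for c in el.iter(tag)}


def triage_manifest(xml_text):
    """Flag the three manifest-level indicators the article describes.
    An icon hidden at runtime (component disabled after install) is not
    visible here; catching that needs dynamic analysis."""
    root = ET.fromstring(xml_text)
    has_launcher = any(
        "android.intent.action.MAIN" in _names(act, "action")
        and "android.intent.category.LAUNCHER" in _names(act, "category")
        for act in root.iter("activity"))
    perms = {s.get(ANDROID + "permission") for s in root.iter("service")}
    return {
        "no_launcher_icon": not has_launcher,
        "accessibility_service": A11Y_PERM in perms,
        "notification_listener": NOTIF_PERM in perms,
    }


def risk_score(findings):
    """Number of indicators present; all three match the profile in the article."""
    return sum(findings.values())
```

Any one indicator alone is common in legitimate apps (screen readers, wearable companions), so the score is a triage aid for prioritising manual review, not a verdict.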
Triangulum gained new customers, but in April 2020 the malware leaked: ESET researcher Lukas Stefanko announced on Twitter on April 20 last year that the source code of the Rogue malware had been published on a forum. Despite that, Check Point researchers note that Triangulum continues to receive messages from interested customers.
The article has been translated based on the content of Informacija.rs by www.informacija.rs.