Telegram being used as command and control for malware by threat actors: Forcepoint

Attackers found using EternalBlue exploit to turn Telegram into C2 for their malware.

  • Published: January 23, 2019 12:54 PM IST

Telegram, the encrypted messaging service, is being used as Command and Control (C2) infrastructure for malware. A new report by Forcepoint Security, which looks into the methods threat actors use to circumvent existing protections, has found that malware using Telegram as a C2 channel typically uses the Bot API for communications. During its investigation, the security firm found a significant flaw in the way Telegram handles messages sent through its Bot API. The report highlights that, because of how the Bot API works, all past bot messages can be replayed by an adversary capable of intercepting and decrypting HTTPS traffic.

The Bot API framework can give the adversary the full history of all messages sent or received by the target bot. That history will often include messages between regular human users, as bots frequently share a group chat with them. Telegram wraps its in-house MTProto encryption inside TLS for messages between regular users, since it considers TLS alone not secure enough for an encrypted messaging application. This does not apply to programs that use the Telegram Bot API, however: messages sent through it are protected only by the HTTPS layer.

The report notes that any adversary capable of obtaining a few key pieces of information transmitted in every message “can not only snoop on messages in transit but can recover the full messaging history of the target bot.” One of these is the bot API token, which is embedded in every message, whether it is sent by malware or by a legitimate program using the Telegram Bot API. The other is a randomly generated Telegram chat_id: for individual chats this is the unique ID of a user, while group chats get their own chat_id when they are created. This value is also sent in every Bot API request, as the bot needs to know which user and/or group chat to send the information to.

Once the adversary has these pieces of information, Forcepoint says there are a number of methods that can be called from the Telegram Bot API. In this case the forwardMessage() method is used, as it allows any message from any chat a given bot can access to be forwarded to an arbitrary Telegram user. To do this, the adversary needs the API token, the chat_id of the chat holding the message, the chat_id of the destination, and finally the message_id of the message to be forwarded.

“Fortunately for us, message_ids grow incrementally from 0, so a simple Python script can forward all messages that have ever been sent to a Telegram chat that the bot is currently part of. One particular piece of malware proved to be an excellent case study of why this is dangerous, with the threat actor clearly not having the necessary separation between their testing/development and operational environments. This meant that we could track their first steps towards creating and deploying the malware (see the Activity Timeline below) all the way through to current campaigns in the form of communications to and from both victims and test machines,” Forcepoint said in its report.
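As an added example (not from the article or from Forcepoint's report), the following Python sketch shows how a defender with visibility into outbound web traffic could spot both ingredients described above: the bot token exposed in every request URL, and a burst of forwardMessage calls walking consecutive message_ids, which is the history-replay pattern. The log format, the token, the chat ids and the IP addresses are constructed; the URL layout https://api.telegram.org/bot<token>/<method> is Telegram's documented Bot API form.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Bot API URLs: https://api.telegram.org/bot<token>/<method>?chat_id=...&message_id=...
BOT_CALL = re.compile(r"https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")

# Constructed proxy log lines ("<client_ip> <url>"); token, chat and message ids are made up.
SAMPLE_LOG = """\
10.0.0.5 https://api.telegram.org/bot123456:ABCDEF/sendMessage?chat_id=-100111&text=hi
10.0.0.9 https://api.telegram.org/bot123456:ABCDEF/forwardMessage?chat_id=777&from_chat_id=-100111&message_id=1
10.0.0.9 https://api.telegram.org/bot123456:ABCDEF/forwardMessage?chat_id=777&from_chat_id=-100111&message_id=2
10.0.0.9 https://api.telegram.org/bot123456:ABCDEF/forwardMessage?chat_id=777&from_chat_id=-100111&message_id=3
10.0.0.5 https://api.telegram.org/bot123456:ABCDEF/forwardMessage?chat_id=-100111&from_chat_id=-100111&message_id=40
10.0.0.7 https://example.com/index.html
""".splitlines()

def parse_bot_call(url):
    """Return (token, method, query params) for a Bot API URL, else None."""
    m = BOT_CALL.match(url)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return m.group("token"), m.group("method"), params

def redact_token(token):
    """Tokens have the form '<bot_id>:<secret>'; keep only the bot id in alerts."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:<redacted>"

def longest_consecutive_run(ids):
    """Length of the longest run of message_ids that step up by exactly one."""
    ids = sorted(set(ids))
    longest = cur = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        cur = cur + 1 if b == a + 1 else 1
        longest = max(longest, cur)
    return longest

def detect_history_replay(log_lines, min_run=3):
    """Flag clients that forwardMessage consecutive message_ids via one bot token."""
    seen = defaultdict(list)  # (client, redacted token) -> message_ids forwarded
    for line in log_lines:
        client, url = line.split()[:2]
        parsed = parse_bot_call(url)
        if parsed and parsed[1] == "forwardMessage" and "message_id" in parsed[2]:
            seen[(client, redact_token(parsed[0]))].append(int(parsed[2]["message_id"]))
    return [{"client": c, "bot": b, "consecutive_ids": run}
            for (c, b), ids in seen.items()
            if (run := longest_consecutive_run(ids)) >= min_run]
```

Any token a detector like this extracts is itself the secret the report warns about, so alerts carry only the redacted bot id; the same parser can also be used simply to inventory which internal hosts talk to the Bot API at all.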

The researchers note that the piece of malware is a simple .NET malware, which the operator dubbed “GoodSender” and which uses Telegram as its C2. “It operates in a rather simple way: once the malware is dropped it creates a new administrator user and enables remote desktop as well as making sure it’s not blocked by the firewall. The username for the new admin user is static, but the password is randomly generated,” the researchers add. Forcepoint could not find a definitive answer as to which attack vector the actor used to drop the malware. However, the clues indicate that the EternalBlue exploit was used to drop it on an unpatched machine. Telemetry suggests GoodSender has infected at least 120 victims, predominantly based in the US.
