Telegram, the encrypted messaging service, is being used as Command and Control (C2) infrastructure for malware. A new report by Forcepoint Security, which looks into the methods threat actors use to circumvent existing protections, found that malware using Telegram as a C2 channel typically uses the Bot API for communications. During its investigation, the security firm found a significant flaw in the way Telegram handles messages sent through its Bot API. The report highlights that, because of how the Bot API works, all past bot messages can be replayed by an adversary capable of intercepting and decrypting HTTPS traffic.
The Bot API framework can give the adversary the full history of all messages sent or received by the target bot. That history will often include messages between regular human users, as bots frequently share a group chat with them. Telegram secures messages between regular users with its in-house MTProto encryption inside TLS, since it does not consider TLS alone secure enough for an encrypted messaging application. However, this does not apply to programs that use the Telegram Bot API: messages sent through it are protected only by the HTTPS layer.
The report notes that any adversary capable of obtaining a few key pieces of information transmitted in every message “can not only snoop on messages in transit but can recover the full messaging history of the target bot.” One of these key pieces of information is the bot API token, which is embedded in every request made through the Telegram Bot API, whether by malware or by a legitimate program. The other crucial piece of data is the randomly generated Telegram chat_id: for individual chats this is the unique ID of a user, while group chats get their own chat_id upon creation. This value is also sent in any Bot API request, as the bot needs to know which user and/or group chat to send the information to.
Once the adversary is equipped with these pieces of information, Forcepoint says there are a number of methods that can be called from the Telegram Bot API. In this case, the forwardMessage() method is used, as it allows any message from any chat a given bot has access to to be forwarded to an arbitrary Telegram user. To do this, the adversary needs the API token and the source chat_id, the target chat_id, and finally the ID of the message to be forwarded.
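Because the token and chat_id travel in the URL of every Bot API request, a defender can spot Telegram-C2 traffic in egress proxy logs. The following is an added example, not code from the Forcepoint report: it parses constructed proxy-log lines (the "src_ip http_method url" format and all sample values are assumptions), redacts the token before storing it, and flags a bot token used from more than one internal host, the pattern left by one operator bot talking to many implants.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed egress proxy lines: "src_ip http_method url". Not from the report.
SAMPLE_LOG = """\
10.0.0.5 POST https://api.telegram.org/bot111222333:AAexampleSecret_abc/sendMessage?chat_id=987654321&text=online
10.0.0.5 POST https://api.telegram.org/bot111222333:AAexampleSecret_abc/sendDocument?chat_id=987654321
10.0.0.7 POST https://api.telegram.org/bot111222333:AAexampleSecret_abc/sendMessage?chat_id=987654321&text=online
10.0.0.9 GET https://api.telegram.org/bot444555666:AAotherBot_xyz/getUpdates
10.0.0.9 GET https://www.example.org/index.html
"""

# Every Bot API request carries the bot token in the URL path and, for most
# methods, the chat_id as a parameter, so both appear in plain egress logs.
BOT_API_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>\S*))?"
)

def redact_token(token: str) -> str:
    """Keep the numeric bot id (safe to log) and mask the secret half."""
    return token.split(":", 1)[0] + ":<redacted>"

def parse_bot_requests(log_text: str) -> list:
    """Extract Bot API calls; tokens are redacted before they are stored."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        m = BOT_API_RE.search(parts[2]) if len(parts) == 3 else None
        if not m:
            continue
        query = parse_qs(m.group("query") or "")
        events.append({"src": parts[0], "token": redact_token(m.group("token")),
                       "method": m.group("method"),
                       "chat_id": query.get("chat_id", [None])[0]})
    return events

def flag_shared_tokens(events: list) -> dict:
    """Map each (redacted) token to the hosts using it and return those seen
    from several hosts: one operator bot reached by many machines is the
    shape of a Telegram-C2 deployment, not of a single legitimate bot."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["token"]].add(e["src"])
    return {tok: h for tok, h in hosts.items() if len(h) > 1}

if __name__ == "__main__":
    for token, srcs in flag_shared_tokens(parse_bot_requests(SAMPLE_LOG)).items():
        print(f"bot {token} used from {sorted(srcs)}")
```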
“Fortunately for us, message_id’s grow incrementally from 0, so a simple Python script can forward all messages that have ever been sent to a Telegram chat that the bot is currently part of. One particular piece of malware proved to be an excellent case study of why this is dangerous, with the threat actor clearly not having the necessary separation between their testing/development and operational environments. This meant that we could track their first steps towards creating and deploying the malware (see the Activity Timeline below) all the way through to current campaigns in the form of communications to and from both victims and test machines,” Forcepoint said in its report.
The malware the researchers examined is a simple .NET program, which the operator dubbed “GoodSender”, that uses Telegram as C2. “It operates in a rather simple way: once the malware is dropped it creates a new administrator user and enables remote desktop as well as making sure it’s not blocked by the firewall. The username for the new admin user is static, but the password is randomly generated,” the researchers add. Forcepoint could not find a definitive answer as to which attack vector the actor used to drop the malware. However, the clues indicate that the EternalBlue exploit was used to drop it on unpatched machines. The telemetry suggests GoodSender has infected at least 120 victims, predominantly based in the US.