This post was written by Vitor Ventura with contributions from Azim Khodjibaev
Over the past month and a half, Talos has seen the emergence of malware that collects cache and key files from the end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.
While the first version only stole browser credentials and cookies, along with all text files it can find on the system, the second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.
Talos intelligence research allowed us to identify the author behind this malware with high confidence. The author posted several YouTube videos with instructions on how to use the collected Telegram files to hijack Telegram sessions and how to package the malware for distribution.
The operators of this malware use several pcloud.com hardcoded accounts to store the exfiltrated information. This information is not encrypted, which means that anyone with access to these credentials will have access to the exfiltrated information.
The malware mainly targets Russian-speaking victims, and intentionally avoids IP addresses associated with anonymizer services.
Telegram desktop disclaimer
The malware is not breaking or exploiting any vulnerability on Telegram. It affects the desktop version of Telegram, which does not support Secret Chats and has weak default settings.
The snippet was taken from the telegram.org website and clearly states that Secret Chats are NOT supported on the desktop and web versions of Telegram. These versions are cloud-based, so no assumptions can be made about the contents of local storage. The malware abuses the lack of Secret Chats, which is a feature, not a bug. Telegram desktop also does not have the auto-logout feature active by default. These two elements together are what allow the malware to hijack the session and, consequently, the conversations.
This does not mean that Telegram is broken or that this technique is applicable to the Secret Chats done using mobile platforms.
Telegram desktop data value
The malware is gathering all Telegram cache data, and zipping it before it exfiltrates the files.
Code used to prepare data for exfiltration
Through our investigation, we were able to find a tutorial video on how to access and use this information to hijack Telegram sessions. In summary, by restoring the cache and map files into an existing Telegram desktop installation, if the session was open, it is possible to access the victim's session, contacts and previous chats. Talos believes with high confidence that the author of the video and the author of the malware are the same.
This is rather unusual, however. To the best of Talos' knowledge, there is no tool to decrypt the cache information. In the GitHub TelegramDesktop repository, there is a discussion [here] that suggests that it would be possible to develop a tool to decrypt this cache information.
The keys used to encrypt the files in the Telegram desktop data are stored in the map* files, which are themselves encrypted with the user's password.
GitHub.com TelegramDesktop repository
Assuming that the attacker does not have the password for these files, it would not be hard for them to create a brute-force mechanism that could allow them to get into these files. The code above shows how it can be done just by using components already built. Since Telegram uses AES for its encryption, achieving high performance should not be a problem by using OpenCL, or even by creating an addon for Hashcat.
The attacker would only have access to the locally cached data. It's important to understand that there is no assurance about what is stored locally. The only assurance is that the chats are stored in the cloud.
The malware author
The analysis of the various variants of the malware allowed us to link the malware to a user that goes by the name of Racoon Hacker, also known as Eyenot (Енот / Enot) and Racoon Pogoromist (sic).
A cursory analysis of the video indicates that Racoon Hacker is a native Russian speaker and has an advanced understanding of the Python programming language. Despite not having many posts or videos, all of their material relates to other account hijackers or the development of payload loaders. The videos often mention platforms and techniques similar to the ones used by the variants of the malware.
Cyrillic based user path
The author's focus on Cyrillic-based languages is clear in the first line of the code in the image above. The user home directory is decoded using the CP-1251 character encoding, which is mainly used for languages such as Russian and Ukrainian.
Racoon Hacker posted the YouTube video (referenced above), which shows how to steal Telegram sessions. Taking a closer look at the video, we can see that there are two references to the enot user.
On lolzteam.net, a mid-level Russian hacking forum where he has been active since the fall of 2017, Racoon Hacker, now under the name Racoon Progoromist, posted an article entitled "Telegram breaking in 2018" that outlines the process of customizing the malware.
Blog post about Telegram session hijacking tool
In another mid-level hacking forum, sft.st, the same software is being advertised, this time with a reference to a GitHub link to the Python script and other tools, so that users are able to duplicate his demonstration.
sft.st forum article with GitHub reference
The GitHub account belonging to Enot272 no longer hosts the Python script; however, Talos was able to retrieve the content list.
GitHub Stealer_for_Telegram_Desktop repository content
The repository content contains the same file names as the video, as well as a link to the same video. This constitutes a stronger link between Racoon Hacker and the enot272 user. Even though the Stealer_for_Telegram_Desktop repository was deleted, the enot272 account is still active on GitHub at the time of this post. Looking into the account details, we found two additional links to Racoon Hacker and the variants of the malware.
Enot272 GitHub.com account details
The icon for this user is the same one used by the YouTube account that published the video, and the account has only two starred repositories, one of which is the same API library used by one of the malware variants to exfiltrate data to the pcloud.com cloud storage service. This library is not very popular, having only eight stars in total.
One video in particular provides the strongest link between the malware samples and Racoon Hacker. The video describes the usage of a loader created with AutoIt.
tesytest1enot.ucoz.net file manager content
In minute 3:06 of the video, the content of the website testytest1enot.ucoz.net is shown. Here, we can see two file names (dist1.txt and sdadasda.txt) that are an exact match to two of our samples, matching the exact URLs found on the droppers.
Complete URL for one of the variants.
Although the credits of the loader are attributed to another user, this Telegrab is also being distributed using this particular loader/dropper.
Reversed code from enotproject.exe
The same username, enot272, is also found as part of the URL used by the malware to download the list of IP addresses it should not contact.
This campaign is being distributed using various downloaders written in different languages. Talos has found at least three different languages (Go, AutoIT, Python) and a prototype for a fourth one (DotNet); one of the downloaders is an AutoIT script compiled into an executable.
After decompiling the AutoIT script, it was possible to confirm the download of the finder executable under the name whiteproblem.exe, which is only one of the names found (see IOCs section).
Once downloaded, the malware has two variants based on the executable finder.exe, which is written in Go. The first variant only uses finder.exe. The second variant is distributed in a RAR self-extracting file which, aside from finder.exe, also contains a Python stub executable named enotproject.exe or dpapi.exe.
Self-extracting RAR header
Once decompressed, finder.exe is started up, as per the setup variable that can be seen above.
finder.exe is responsible for searching the hard drive for Chrome browser credentials and session cookies for the default user. While searching the hard drive, it also collects all text files (.txt) on the system. In the second variant, it will also launch the second executable, enotproject.exe or dpapi.exe, during its execution.
This executable is also responsible for the exfiltration of the collected information. The data is uploaded to the pcloud.com website using an open-source library available on GitHub [here].
Call to pCouldClient.Login()
The authentication is done using credentials that are hardcoded into the finder.exe itself. Talos has identified five pcloud.com accounts on the finder.exe samples. The analysed code did not reveal any encryption applied to the exfiltrated data. This means that whoever has these credentials will be able to access this information, making it even more dangerous.
The second executable is called enotproject.exe or dpapi.exe; it is written in Python and wrapped into an executable with pyinstaller. The dpapi.exe timestamps are generally older than those of enotproject.exe, and its code is also simpler, demonstrating a clear evolution of this malware.
The latter added code to harvest Telegram and Steam data. The code is also responsible for checking whether the victim's IP address is part of a list, which is downloaded from https://enot272[.]neocities[.]org/IPLogger-output.txt. The malware will exit if the victim's IP address is on the list. This list contains Chinese and Russian IP addresses, along with anonymity services in other countries.
The version responsible for collecting the information about Steam and Telegram was first seen in the wild on April 10, 2018.
A third version of the Python code was also found wrapped in a py2exe executable. This code is similar to the enotproject.exe found on the second variant, but it was found as a standalone. Since there is no exfiltration code on this variant, it is unknown how the malicious actors are collecting this information. The timestamps on this variant seem to indicate that this is the newest variant being deployed.
The malware does not have a persistence mechanism, so it seems like the malicious operators are only concerned about collecting information.
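The two network behaviours described above (fetching the IP exclusion list from enot272.neocities.org and uploading to pcloud.com from the dropper and stealer executables) are the simplest things a defender can hunt for in proxy logs. The script below is an added example written for this post, not code from the malware or from Talos; the log format, the `/uploadfile` path and the sample lines are constructed.

```python
"""Flag Telegrab-style network behaviour in constructed proxy log lines."""
import re
from typing import List, Optional, Tuple

# Executable names the post reports for the droppers and stealers.
TELEGRAB_PROCESSES = {"finder.exe", "whiteproblem.exe", "enotproject.exe", "dpapi.exe"}

# Host and path of the IP exclusion list quoted in the post (lowercased for matching).
EXCLUSION_LIST_URL = "enot272.neocities.org/iplogger-output.txt"

# Constructed log lines: timestamp, client IP, process name, HTTP method, URL.
# The upload path is an assumption, not the real pcloud.com API endpoint.
SAMPLE_LOG = """\
2018-04-10T09:12:01Z 10.0.0.5 chrome.exe GET https://www.example.org/
2018-04-10T09:12:07Z 10.0.0.5 enotproject.exe GET https://enot272.neocities.org/IPLogger-output.txt
2018-04-10T09:12:09Z 10.0.0.5 finder.exe POST https://pcloud.com/uploadfile
2018-04-10T09:13:00Z 10.0.0.7 outlook.exe GET https://mail.example.org/
2018-04-10T09:14:22Z 10.0.0.7 pCloud.exe POST https://pcloud.com/uploadfile
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

Alert = Tuple[str, str, str, str]  # (timestamp, client, process, reason)


def classify(ts: str, client: str, proc: str, method: str, url: str) -> Optional[Alert]:
    """Return an alert tuple for one log record, or None if nothing matched."""
    url_l, proc_l = url.lower(), proc.lower()
    if EXCLUSION_LIST_URL in url_l:
        # Victim-avoidance check performed by enotproject.exe / dpapi.exe.
        return (ts, client, proc, "telegrab-ip-exclusion-list-fetch")
    if "pcloud.com" in url_l and method.upper() in ("POST", "PUT"):
        if proc_l in TELEGRAB_PROCESSES:
            # Upload to the hardcoded pcloud.com accounts used for exfiltration.
            return (ts, client, proc, "telegrab-pcloud-exfil")
        # A legitimate pCloud client also uploads there: lower-severity review item.
        return (ts, client, proc, "pcloud-upload-review")
    return None


def scan(log_text: str) -> List[Alert]:
    """Parse every well-formed line and collect the alerts; malformed lines are skipped."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        alert = classify(*m.groups())
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```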
Notably, the Telegram session hijacking is the most interesting feature of this malware. Even with limitations, this attack does allow session hijacking, and with it, the victim's contacts and previous chats are compromised. Although it's not exploiting any vulnerability, it is rather uncommon to see malware collecting this kind of information. This malware should be considered a wake-up call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put their privacy in jeopardy.
When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant. However, it shows how a small operation can fly under the radar and compromise thousands of credentials in less than a month, having a significant impact on the victims' privacy. These credentials and cookies allow the malware operator to access the victims' information on websites such as vk.com, yandex.com, gmail.com, google.com, etc. The malware samples analyzed are not particularly sophisticated, but they are efficient. There are no persistence mechanisms, meaning the malware runs only when the victim executes it, and not again after a reboot.
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.