Security experts identified that the dangerous Telebots group continues to launch large-scale attacks against large financial institutions.
Telebots Hackers Continue Their Devastating Attacks
Security experts from ESET discovered a new malicious toolset that was used against high-profile targets in the Ukraininan financial sector. These campaigns are run by a hacker collective known as TeleBots which is very similar to the BackEnergy group which conducted large-scale campaigns against the energy sector in Ukraine. Some of the experts believe that the BlackEnergy has evolved to TeleBots over time.
The attack campaign used spam email campaigns directed against the targets which include infected macros. The recent attacks don’t use social engineering tricks to manipulate the target and depend solely on their own judgment. In most cases the infected documents don’t contain any meaningful metadata information. However the researchers discovered that it does contain the alias of the person who is responsible for the file modification. It is believed that this individual is connected to Russian-speaking community of hackers.
Once the victim clicks on the “Enable Content” button the document launches the malicious macro. Its main purpose is to deliver an infected binary file which uses the explorer.exe name and then execute it. This dropper is associated with a Trojan downloader written in the Rust programming language which downloads other malicious files. This multi-step infection process is usually used by more advanced forms of malwaree.
During the first attack stages the TeleBots hackers abuse various legitimate servers to conceal their network activity. The trojan downloader gathers various data from hardcoded URL’s that point to a text drive on the Putdrive cloud storage platform. This is the actual backdoor payload which is the main Trojan malware.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
TeleBots and Their Malware
It is written in the Python programming language and it is based on an open-source code. TeleBots communicate to the infected machines via the Telegram Bot API which creates a secure channel.
Each of the discovered samples had a unique token that is embedded in its code which means that each individual infection uses its own telegram messenger account. This allows the attackers to control individual machines using the Telegram Messenger by issuing commands over the chat interface.
The malware has been analyzed to support the following commands:
- cmd|| %shellcmd% – Executes shell command and sends result in chat
- cmdd|| %shellcmd% – Executes shell command but does not send result in chat
- getphoto|| %path% – Uploads picture from infected computer to chat
- getdoc|| %path% – Uploads any type of file up to 50 MB in size to chat
- forcecheckin|| %random% – Collects Windows version, platform (x64 or x86), current privileges
- time|| %seconds% – Changes interval between execution of commands
- ss|| – Captures screenshot (not implemented)
The malware automatically saves all incoming files to its own folder. This allows the attackers to infect the compromised machines with additional viruses very easily. Various tools can be used to harvest passwords from web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer and Opera. The attackers can also launch network attacks and use LDAP query tools to view and manipulate the Active Directory.
While investigating the backdoor and the attack campaigns the researchers spotted another troubling fact. The hackers have been able to deploy additional backdoors which were used to add persistence in the case the main Python backdoor is removed. This is achieved through a program packaged as the script2exe binary file.
This is a VBS-based program which sends the computer name and MAC address of the host to the remote C&C servers using the HTTP protocol and waits for commands from the TeleBots group. The list of supported commands include the following:
- !cmd – Executes shell command and sends results back to the server
- !cmdd – Executes shell command but does not send result back to the server
- !dump – DecodesBase64 data and saves it to %TEMP% folder
- !timeout – Defines a new timeout between calls to server
- !bye – Quits
- !kill – Quits and deletes itself
- !up – Uploads file from agent computer to C&C server
The TeleBots And Their BCS-Server Tool
In addition to everything else the hackers have also have an additional tool in their arsenal called BCS-server. It allows them to open a tunnel connection into the compromised internal network. Data communications can flow through this channel. An interesting fact is that the attackers have used a guide to use this tool and the instructions are written in Russian.
A rough translation of it reads shows that the following command parameters can be used:
- saddr – address of BCS server
- hport – port of a host, which we did setup on the server, this how we bypass firewall
Several examples are given.
phost_win.exe –saddr=10.10.10.10 –hport=80
Debug versions:
phost_cnv.exe – console version
phost_win_log.exe – version that logs to file
This means that the attackers can use the C&C server as a proxy that redirects the commands to the internal network. The internal traffic flow is base64 encoded and encapsulated in HTML tags.
The KillDisk TeleBots Danger
The KillDisk is one of the most desctructive components that can be infected by the TeleBots group. It is used as a last stage attack which is executed with the highest possible privileges on both servers and workstations. It compromises target user file extensions as defined by the hackers.
Some of the samples indicate the following list of target extensions:
.kdbx .bak .back .dr .bkf .cfg .fdb .mdb .accdb .gdb .wdb .csv .sdf .myd .dbf .sql .edb .mdf .ib .db3 .db4 .accdc
.mdbx .sl3 .sqlite3 .nsn .dbc .dbx .sdb .ibz .sqlite .pyc .dwg .3ds .ai .conf .my .ost .pst .mkv .mp3 .wav .oda .sh
py .ps .ps1 .php .aspx .asp .rb .js .git .mdf .pdf .djvu .doc .docx .xls .xlsx .jar .ppt .pptx .rtf .vsd .vsdx .jpeg
.jpg .png .tiff .msi .zip .rar .7z .tar .gz .eml .mail .ml .ova .vmdk .vhd .vmem .vdi .vhdx .vmx .ovf .vmc .vmfx .vmxf
.hdd .vbox .vcb .vmsd .vfd .pvi .hdd .bin .avhd .vsv .iso .nrg .disk .hdd .pmf .vmdk .xvd
KillDisk can also be used to create new files or use strings like mrR0b07 or fS0cie7y.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter