Google Ad Leads to Malicious App Disguised as Telegram
Jeremy Kirk (jeremy_kirk)
March 17, 2021
Jannis Kirschner, an independent security researcher based in Basel, Switzerland, searched on Sunday for the desktop version of the popular Telegram messaging app.
Google's second hit, an ad, led him straight to malware disguised as the desktop version of Telegram for Windows. It was convincing enough at first glance that Kirschner said he "almost fell into the trap myself."
It is a common ploy for malware distributors to use the same advertising tools that online merchants use to attract people. Google patrols its advertising ecosystem to stop abuse, but malicious advertising remains a persistent problem.
Kirschner, who wrote a technical write-up on his site, Suid Vulnerability Research, took an in-depth look at the campaign, which involved three domains spoofing Telegram.
While one of these sites, telegramdesktop[dot]com, now triggers a warning from Google's Safe Browsing tool as dangerous, the other two are still active and are probably fooling other users. They are telegramdesktop[dot]net and telegramdesktop[dot]org. Kirschner reported the sites to Google.
The three spoofed sites are clones of the Telegram website. All links on the cloned sites redirect to Telegram's legitimate domain, desktop.telegram.com. One link, however, is swapped out: the one that is supposed to point to the executable for the Windows version of Telegram Desktop.
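The clone sites described above are hard to spot by eye precisely because every link but one points at the legitimate domain. The following scanner is an added example, not code from the article or from Kirschner's write-up: given a page's HTML and the domain the page claims to represent, it lists every anchor whose host is outside that domain and flags the ones that look like installer downloads. The sample HTML and the hostnames `telegram.example` and `bitbucket.example` are constructed placeholders for illustration.

```python
"""Flag off-domain download links on a page that otherwise mirrors a legitimate site.

Added example for illustration; the sample page and hostnames below are constructed.
Uses only the standard library so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that typically mean "this link hands the visitor an installer".
DOWNLOAD_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".apk")


class _AnchorCollector(HTMLParser):
    """Collect the href of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _host_matches(host, expected_domain):
    """True if host is expected_domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def find_offdomain_links(html_text, expected_domain):
    """Return [(href, is_download), ...] for anchors whose host is not expected_domain.

    Relative links are skipped: they stay on the site serving the page, so there
    is nothing to compare them against. Ports and userinfo are ignored because
    urlparse().hostname already strips them.
    """
    collector = _AnchorCollector()
    collector.feed(html_text)
    findings = []
    for href in collector.hrefs:
        parsed = urlparse(href)
        host = parsed.hostname
        if not host:
            continue
        if _host_matches(host, expected_domain):
            continue
        is_download = parsed.path.lower().endswith(DOWNLOAD_SUFFIXES)
        findings.append((href, is_download))
    return findings


def suspicious_downloads(html_text, expected_domain):
    """Only the off-domain links that look like installers: the ones worth a closer look."""
    return [href for href, is_dl in find_offdomain_links(html_text, expected_domain) if is_dl]


# Constructed sample: a clone whose links all go to the real domain except the
# Windows installer, which is served from a code-hosting site instead.
SAMPLE_PAGE = """
<html><body>
<a href="https://desktop.telegram.example/">Telegram Desktop</a>
<a href="https://telegram.example/faq">FAQ</a>
<a href="/blog">Blog</a>
<a href="https://bitbucket.example/someuser/tg/downloads/TGInstaller.exe">Get Telegram for Windows x64</a>
<a href="https://apps.apple.example/telegram">Mac App Store</a>
</body></html>
"""

if __name__ == "__main__":
    for href, is_dl in find_offdomain_links(SAMPLE_PAGE, "telegram.example"):
        print(("DOWNLOAD " if is_dl else "offsite  ") + href)
```

Run against a saved copy of a suspect page with the brand's real domain as the second argument; a single installer link pointing at a code-hosting or unrelated domain while everything else resolves to the brand is the pattern this campaign relied on. The check is deliberately simple: it does not fetch anything, so it cannot be tricked by server-side redirects, and it is meant as a triage aid rather than a verdict.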
Kirschner says the person who manages the sites made a few operational security mistakes that reveal how successful the campaign has been. The .com and .net sites recorded 2,746 downloads of the malicious Windows executable, and a second-stage malware was subsequently retrieved 129 times. The .org site recorded 529 downloads in just two days, Kirschner says.
Whoever is behind the malware campaign used Bitbucket, a GitHub-like alternative from Atlassian, to host it. The software repository containing the malware was publicly accessible, allowing Kirschner to see the number of downloads.
"A repository was probably a bad choice for distributing malware because it's so detailed (download numbers, time, and other documents)," Kirschner says. "The biggest opsec mistake was that they didn't clean up one of the repository's metadata, which led me to discover the validation messages and their email [address]."
The repository's commits list a user nickname, "TrustVarios", and an email: "email@example.com". The same group or person probably set up all of the sites, Kirschner explains.
"I think it's the same threat actor or group since the TTPs [tactics, techniques and procedures] are the same, and all the sites were created in a very short period of time using the same host and the same certificate authority," he says.
Hosting malware on services like Bitbucket offers at least one temporary benefit: on the surface, Bitbucket links are often considered legitimate, and attackers have a window of abuse until someone reports a malicious repository, which must then be taken down. The method helps hide a campaign from technical filtering and manual review, but doesn't necessarily scale well, says Kirschner.
A report from the security company Cybereason in February 2020 described more than half a dozen information stealers, cryptominers, ransomware, and other malware that bad actors had placed on Bitbucket.
“Attackers use Bitbucket to easily update payloads and distribute many types of malware at once,” Cybereason wrote. “In order to evade detection, they have an array of user profiles and continually update their repositories, sometimes as often as every hour.”
Information Security Media Group observed this kind of link-swapping behavior this week. On telegramdesktop[dot]org, the link to the malicious Windows file moved within two hours on Wednesday morning from being hosted on Bitbucket to another domain, tupdate[dot]report. The latter domain has now been suspended by its host, and Bitbucket has removed the malicious binaries.
Second Stage: AZORult Infostealer
The telegramdesktop[dot]com domain appears to be on a shared hosting service in Moldova. "The web service claims it takes bitcoin as a payment option, so it appears to be great hosting for criminals," Kirschner writes.
This domain was registered on December 29, 2020, says Kirschner. But a search of the Internet Archive's Wayback Machine shows that around April 2018, telegramdesktop[dot]com redirected to telegram.org, the legitimate domain. In October 2018, however, the domain expired, according to records from DomainTools.
"I guess this domain once belonged to Telegram itself, expired and has now been taken over by criminals," Kirschner said.
The malware hosted on the site, TGInstaller.exe, is a .NET executable. After it is installed, the second-stage payload is AZORult, a common information stealer that appeared about five years ago and was first sold on underground Russian forums, according to the security company Trend Micro.
“AZORult was being used in malicious advertising campaigns targeting a popular VPN service, as well as COVID-19-themed campaigns,” Kirschner writes.
AZORult is designed to steal login credentials, cryptocurrency wallets, Telegram messages, and many items from Google's Chrome browser, including cookies, autofill information, passwords, and user location data.
In February 2020, IBM wrote that AZORult was delivered as part of another malicious ad campaign that claimed to offer ProtonVPN, the VPN service developed by Proton Technologies, which created ProtonMail.