CRIL researchers uncovered a fake Telegram download site that leads Windows users to a malicious MSI installer, which abuses Windows Defender components to operate a remote-access Trojan. The malware uses DLL side-loading, memory injection, and a C2 channel to drop, persist, and expand its spying capabilities while performing data cleanup and self-uninstall when commanded. Hashtags: #Telegram #MpCmdRun #mpclient.dll #ComSvcInst #Uac.reg #DLLSideLoading
Key points
- A fake Telegram download page redirects users to Telegram’s site for non-Windows platforms but delivers a malicious MSI installer for Windows.
- Executing the MSI drops a malicious MpCmdRun-based payload that sideloads mpclient.dll and loads shellcode from upgrade.xml for in-memory injection into odbca32.exe.
- The malware achieves persistence by creating a Windows service (ComSvcInst.exe) that restarts mpclient.dll after reboot.
- Privilege escalation includes UAC bypass via Uac.reg and SeDebugPrivilege to inject into explorer.exe.
- It communicates with a C2 server to receive commands and can download additional payloads (e.g., svchost.exe) to extend control.
- The sample includes cleanup and self-destruct capabilities, such as deleting browser data, Firefox DB files, clearing IE data, and uninstalling traces on command.
MITRE Techniques
- [T1566] Phishing – The fake Telegram download page lures users into installing a malicious MSI rather than the legitimate app. ‘The fake website redirects users to Telegram’s official website to download applications … However, the fake website downloads a malicious graphical MSI installer when a user selects the application to install on Windows.’
- [T1204] User Execution – The user executes the malicious MSI to begin installation. ‘After executing the malicious MSI file, an installer window in Chinese is launched to install the application on Windows systems.’
- [T1543.003] Create or Modify System Process: Windows Service – Persistence via a service, then re-launch after reboot. ‘The malware waits for the command from the Command and Control (C&C) server and performs the following malicious activities: … persistence by creating a service for ComSvcInst.exe, which again starts mpclient.dll after the system reboots.’
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Privilege escalation using Uac.reg to bypass UAC. ‘The malware has the code to execute a .reg file, namely Uac.reg, which will be downloaded from the C&C server. Our research indicates that the malware could have used the Uac.reg file to modify the registry keys to bypass User Access Control (UAC).’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The legitimate MpCmdRun.exe loads a malicious mpclient.dll. ‘The MpCmdRun.exe is a Windows Defender component that usually loads a legitimate file mpclient.dll. In this case, the Threat Actor has replaced the legitimate mpclient.dll with a malicious file.’
- [T1056.001] Keylogging – The malware monitors applications and performs keylogging. ‘The malware can monitor applications and perform keylogging activity in the victim’s machine. The code snippet that the malware uses to perform keylogging activities is shown below.’
- [T1071] Command and Control: Application Layer Protocol – C2 communications to receive commands and download payloads. ‘The malware waits for the command from the Command and Control (C&C) server and performs the following malicious activities: … can download additional payloads from the remote server based on the commands received from the C&C server.’
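As an added detection example (not part of the Cyble report), the Python rules below flag the two behaviours the techniques above describe: MpCmdRun.exe loading mpclient.dll from outside the Windows Defender directories (the side-loading in T1574.002) and installation of a service whose binary is ComSvcInst.exe (the persistence in T1543.003). Field names follow Sysmon image-load (event 7) and System-log service-install (event 7045) records exported as JSON lines; the Defender directory list, sample paths, version string and service name are assumptions constructed for the demo.

```python
import json
from pathlib import PureWindowsPath
from typing import Optional
# Assumption: the usual locations Defender loads mpclient.dll from; extend for your estate.
LEGIT_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

def in_defender_dir(path: str) -> bool:
    """True if the path sits under a legitimate Defender directory."""
    return path.lower().replace("/", "\\").startswith(LEGIT_DEFENDER_DIRS)

def service_binary(image_path: str) -> str:
    """Executable file name from a service ImagePath, quoted or not, arguments dropped."""
    exe = image_path[1:].split('"', 1)[0] if image_path.startswith('"') else image_path.split(" ", 1)[0]
    return PureWindowsPath(exe).name.lower()

def check_image_load(event: dict) -> Optional[str]:
    """Sysmon event 7: MpCmdRun.exe loading mpclient.dll outside Defender's directories."""
    image = PureWindowsPath(event["Image"]).name.lower()
    loaded = PureWindowsPath(event["ImageLoaded"]).name.lower()
    if image != "mpcmdrun.exe" or loaded != "mpclient.dll":
        return None
    if in_defender_dir(event["Image"]) and in_defender_dir(event["ImageLoaded"]):
        return None
    return f"possible DLL side-loading: {event['Image']} loaded {event['ImageLoaded']}"
def check_service_install(event: dict) -> Optional[str]:
    """System event 7045: a newly installed service whose binary is ComSvcInst.exe."""
    if service_binary(event["ImagePath"]) == "comsvcinst.exe":
        return f"suspicious service '{event['ServiceName']}' installed: {event['ImagePath']}"
    return None
RULES = {7: check_image_load, 7045: check_service_install}

def scan(lines) -> list:
    """Apply the rule matching each JSON event's EventID; return all findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        rule = RULES.get(event["EventID"])
        if rule and (hit := rule(event)):
            findings.append(hit)
    return findings

# Constructed sample events: paths, version string and service name are made up for the demo.
SAMPLE_EVENTS = [
    r'{"EventID": 7, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\MpCmdRun.exe", "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\mpclient.dll"}',
    r'{"EventID": 7, "Image": "C:\\Users\\Public\\Telegram\\MpCmdRun.exe", "ImageLoaded": "C:\\Users\\Public\\Telegram\\mpclient.dll"}',
    r'{"EventID": 7045, "ServiceName": "ComSvcInst", "ImagePath": "C:\\Users\\Public\\Telegram\\ComSvcInst.exe"}',
]
```

Running `scan(SAMPLE_EVENTS)` returns two findings, one for the side-loaded mpclient.dll and one for the ComSvcInst.exe service, while the first event (Defender's own MpCmdRun.exe loading mpclient.dll from its platform directory) produces none.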
Indicators of Compromise
- [MD5] Malicious Installer – 492fc768ab51f041a050dc1ed03cb776, 2d4336156fec35bc7389a0b982e0fafc
- [SHA1] Malicious Installer / mpclient.dll – 7bb583b67957cabe2cb81e8874742b0155eac731, 37980ac1fad099b016438578135d220b96a835ff
- [SHA256] Malicious Installer / mpclient.dll – 6c948823a0d5de2177f236b94c5e7458b02d5eb5c2198fdc48e533a33df74cbe, 72bb67734bf5f8c51718536e9b5dd9bcd1d70b43860a7736fd83d4e0ac9afdc6
- [URL] Malicious Download URL – hxxps://telegraac[.]com/supt[.]msi
Read more: https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users/