Cyble – Fake Telegram Site Delivering RAT Aimed At Chinese Users

Application abuses Windows Defender Executable to perform DLL Sideloading

During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations. The below figure shows the fake Telegram website.

Figure 1 – Website Hosting Fake Telegram Download Page

The fake website redirects users to Telegram’s official website to download applications on non-Windows platforms such as Android, iOS, and macOS. However, the fake website downloads a malicious graphical MSI installer when a user selects the application to install on Windows.

Upon execution, the MSI file performs DLL side-loading using a genuine MpCmdRun.exe binary, which sideloads a malicious mpclient.dll. MpCmdRun.exe is a Windows Defender component that normally loads a legitimate mpclient.dll from its own directory. In this case, the Threat Actor has replaced the legitimate mpclient.dll with a malicious file.

The loaded malicious DLL then reads a file named upgrade.xml, decrypts it, and injects the resulting code into %WINDIR%\System32\odbcad32.exe to evade detection.

Technical Analysis

For this analysis, we downloaded the MSI file from the domain hxxps://telegraac[.]com/supt[.]msi. The MSI file has multiple files bundled into it, including Telegram.exe with valid digital signatures and other unusual files such as ComSvcInst.exe and mpclient.dll.

After checking additional information about these files, we identified that the MpCmdRun.exe file was renamed as ComSvcInst.exe to divert attention. A support DLL mpclient.dll for MpCmdRun.exe is present, but we determined it to be malicious.

After executing the malicious MSI file, an installer window in Chinese is launched to install the application on Windows systems. Figure 2 shows the installer window of the fake Telegram desktop application.

Figure 2 – Installer window for malicious Telegram application

During installation, the MSI file drops Telegram.exe in the C:\Program Files (x86)\Telegram\Telegram中文版 folder. This installation folder additionally contains a Windows Defender Plugs folder, which holds ComSvcInst.exe, mpclient.dll and Upgrade.xml, along with other support files. The figure below shows the dropped files.

Figure 3 – Files Dropped by the Malicious MSI File

While installing Telegram, the malicious MSI file executes ComSvcInst.exe from the C:\Program Files (x86)\Telegram\Telegram中文版\Windows Defender Plugs folder. This executable then sideloads the malicious mpclient.dll to perform further operations.

Upon execution, mpclient.dll reads the upgrade.xml file, which contains shellcode. The DLL then loads the shellcode into memory, and the shellcode injects malicious code into another process. The figure below shows the file being read and loaded into memory.

Figure 4 – Reading Shellcode and Loading into Memory

The shellcode further opens odbcad32.exe and injects malicious code into its memory.

Figure 5 – Process Injection
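The side-loading and injection chain described above (a renamed MpCmdRun.exe loading mpclient.dll from outside the Defender directory, then odbcad32.exe being started by that process) is straightforward to hunt for in endpoint telemetry. The following is an added example, not code from the original post: a small Python detector over Sysmon-style JSON events. The event field names, the set of legitimate Defender directories, and the sample events are all assumptions constructed for illustration; tune them to your environment.

```python
import json
from pathlib import PureWindowsPath

# Directories from which Windows Defender binaries legitimately load mpclient.dll
# (assumption: adjust for the platform-update layout in your environment).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

def _under(path, roots):
    p = path.lower()
    return any(p.startswith(r) for r in roots)

def classify(event):
    """Return a finding for one Sysmon-style event dict, or None if benign."""
    eid = event.get("EventID")
    if eid == 7:  # ImageLoad: who is loading mpclient.dll, and from where?
        loaded = PureWindowsPath(event["ImageLoaded"]).name.lower()
        if loaded == "mpclient.dll" and not _under(event["Image"], DEFENDER_DIRS):
            return "mpclient.dll side-load: %s loaded %s" % (event["Image"], event["ImageLoaded"])
    elif eid == 1:  # ProcessCreate: odbcad32.exe started by something other than the shell
        image = PureWindowsPath(event["Image"]).name.lower()
        parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
        if image == "odbcad32.exe" and parent != "explorer.exe":
            return "odbcad32.exe spawned by %s (possible injection host)" % event["ParentImage"]
    return None

def scan(lines):
    """Run classify() over JSON-lines events and return the list of findings."""
    return [f for f in (classify(json.loads(l)) for l in lines if l.strip()) if f]

# Constructed sample events (not real telemetry) mirroring the chain described above.
SAMPLE = [
    r'{"EventID":7,"Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe",'
    r'"ImageLoaded":"C:\\Program Files\\Windows Defender\\mpclient.dll"}',
    r'{"EventID":7,"Image":"C:\\Program Files (x86)\\Telegram\\Telegram中文版\\Windows Defender Plugs\\ComSvcInst.exe",'
    r'"ImageLoaded":"C:\\Program Files (x86)\\Telegram\\Telegram中文版\\Windows Defender Plugs\\mpclient.dll"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\odbcad32.exe",'
    r'"ParentImage":"C:\\Program Files (x86)\\Telegram\\Telegram中文版\\Windows Defender Plugs\\ComSvcInst.exe"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\odbcad32.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The first and last sample events are benign (Defender loading its own DLL, odbcad32.exe launched from the shell); only the two events involving the Windows Defender Plugs folder produce findings.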

The malware then achieves persistence by creating a service for ComSvcInst.exe, which loads mpclient.dll again after the system reboots. The figure below shows the service used to establish persistence.

Figure 6 – Malware Creating Service to establish persistence

After injection, the malware waits for commands from the Command and Control (C&C) server and performs the malicious activities described below.

The malware can download additional payloads from the remote server based on the commands received from the C&C server. The figure below shows the assembly code that downloads an additional payload named svchost.exe to create a run entry for the malware.

Figure 7 – Additional Payload and Run Registry Entry

Additionally, the payload has an export function named Shellex() which further copies the payload to the Windows directory and creates a service to establish persistence.

Figure 8 – Export Function Shellex()

The malware contains code to execute a .reg file, namely Uac.reg, which is downloaded from the C&C server. Our research indicates that the malware could have used the Uac.reg file to modify registry keys to bypass User Account Control (UAC).

Figure 9 – UAC bypass conducted using Uac.reg

The malware accesses and reads other processes’ memory after elevating its permissions by enabling the SeDebugPrivilege privilege. The malware uses this privilege to inject malicious code into explorer.exe. The APIs used by the malware for privilege escalation are shown below.

Figure 10 – Privilege Escalation performed by Malware

The malware can monitor applications and perform keylogging on the victim’s machine. The code snippet that the malware uses for keylogging is shown below.

Figure 11 – Code for Keylogging Activities

The malware contains code to identify the RDP port on the victim’s machine, which can be used for brute force attacks. The image below shows the code the malware uses to identify the victim’s RDP port.

Figure 12 – Malware Identifying the victim’s RDP port

The malware contains code to delete sensitive data from applications, including Chrome, Skype, QQBrowser, Sogou Explorer, and 360 Secure browsers. Based on the source code analysis, the malware can perform the following operations to delete the data:

  1. Enumerate running processes and check if the targeted applications are running, such as chrome.exe, skyop.exe, QQBrowser.exe, SogouExplorer.exe, and 360se6.exe.
  2. Terminate these applications if they are identified.
  3. Locate the targeted applications in %appdata% location.
  4. Delete the sensitive files and directories.

Additionally, the malware has the code to delete all Firefox-related .db files, as shown in the below figure.

Figure 13 – Code for Deleting Firefox Database

The malware clears the victim’s Internet Explorer browsing history by invoking the Internet Control Panel file (Inetcpl.cpl), as shown below. It performs this operation to clear all traces before uninstallation. The figure below shows the code that clears the Internet Explorer data.

Figure 14 – Code to clear Internet Explorer Data

The malware can remove its own traces once it receives the corresponding command from the C&C server. The figure below shows that the malware terminates itself and deletes its persistence as well.

Figure 15 – Malware’s Self-Destruct Code

Conclusion

Phishing attacks are one of the most common techniques attackers use to gain an initial foothold on target systems. While conducting this analysis, we identified that the attackers use genuine Telegram and Windows Defender Antivirus executables, while the associated support library is malicious.

These attacks are extremely common; however, in this case, the payload is particularly sophisticated and contains multiple, highly advanced spying capabilities.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Antiviruses and Android OS and take necessary actions accordingly.

MITRE ATT&CK® Techniques

Tactic               | Technique ID | Technique Name
Initial Access       | T1566        | Phishing
Execution            | T1204        | User Execution
Persistence          | T1543.003    | Create or Modify System Process: Windows Service
Privilege Escalation | T1548.002    | Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion      | T1574.002    | Hijack Execution Flow: DLL Side-Loading
Collection           | T1056.001    | Keylogging
Collection           | T1113        | Screen Capture
Command and Control  | T1071        | Application Layer Protocol

Indicators Of Compromise (IOCs)

Indicator | Indicator Type | Description
492fc768ab51f041a050dc1ed03cb776 | MD5 | supt.msi (Malicious Installer)
7bb583b67957cabe2cb81e8874742b0155eac731 | SHA1 | supt.msi (Malicious Installer)
6c948823a0d5de2177f236b94c5e7458b02d5eb5c2198fdc48e533a33df74cbe | SHA256 | supt.msi (Malicious Installer)
2d4336156fec35bc7389a0b982e0fafc | MD5 | mpclient.dll (Malicious DLL)
37980ac1fad099b016438578135d220b96a835ff | SHA1 | mpclient.dll (Malicious DLL)
72bb67734bf5f8c51718536e9b5dd9bcd1d70b43860a7736fd83d4e0ac9afdc6 | SHA256 | mpclient.dll (Malicious DLL)
hxxps://telegraac[.]com/supt[.]msi | URL | Malicious Download URL

Source: https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users/