Application abuses Windows Defender Executable to perform DLL Sideloading
During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations. The below figure shows the fake Telegram website.
The fake website redirects users to Telegram’s official website to download applications on non-Windows platforms such as Android, iOS, and macOS. However, the fake website downloads a malicious graphical MSI installer when a user selects the application to install on Windows.
Upon executing the MSI file, it performs DLL side-loading using a genuine MpCmdRun.exe file and sideloads a malicious file mpclient.dll. The MpCmdRun.exe is a Windows defender component that usually loads a legitimate file mpclient.dll. In this case, the Threat Actor has replaced the legitimate mpclient.dll with a malicious file.
The loaded malicious DLL file further reads a file named upgrade.xml, decrypts it, and injects the code into %WINDIR%\System32\odbca32.exe to evade detection.
Technical Analysis
For this analysis, we downloaded the MSI file from the domain hxxps://telegraac[.]com/supt[.]msi. The MSI file has multiple files bundled into it, including Telegram.exe with valid digital signatures and other unusual files such as ComSvcInst.exe and mpclient.dll.
After checking additional information about these files, we identified that the MpCmdRun.exe file was renamed as ComSvcInst.exe to divert attention. A support DLL mpclient.dll for MpCmdRun.exe is present, but we determined it to be malicious.
After executing the malicious MSI file, an installer window in Chinese is launched to install the application on Windows systems. Figure 2 shows the installer window of the fake Telegram desktop application.
During installation, the MSI file drops Telegram.exe in the C:\Program Files (x86)\Telegram\Telegramä¸æ–‡ç‰ˆ folder. This installation folder additionally contains the Windows Defender Plugs folder, which further contains ComSvcInst.exe, mpclient.dll,Upgrade.xml, along with other supportfiles. The figure shows the dropped files.
While installing Telegram, the malicious MSI file executes ComSvcInst.exe from the C:\Program Files (x86)\Telegram\Telegramä¸æ–‡ç‰ˆ\Windows Defender Plugs folder. This executable then sideloads the malicious mpclient.dll to perform further operations.
Upon execution, the mpclient.dll file reads the upgrade.xml file containing Shellcode. Then, the DLL file further loads Shellcode in the memory to inject malicious code into another process. The figure below shows the reading of the file and loading it into memory.
The shellcode further opens odbcad32.exe and injects malicious code into its memory.
The malware then achieves persistence by creating a service for ComSvcInst.exe, which again starts mpclien.dll after the system reboots. The figure below shows the service used to establish persistence.
After injection, the malware waits for the command from the Command and Control (C&C) server and performs the following malicious activities:
The malware can download additional payloads from the remote server based on the commands received from the C&C server. The figure below shows the assembly code that downloads an additional payload named svchost.exe to create a run entry for the malware.
Additionally, the payload has an export function named Shellex() which further copies the payload to the Windows directory and creates a service to establish persistence.
The malware has the code to execute a .reg file, namely Uac.reg, which will be downloaded from the C&C server. Our research indicates that the malware could have used the Uac.reg file to modify the registry keys to bypass User Access Control (UAC).
The malware accesses and reads the other processes’ memory by elevating the permission using the SeDebugPrivilege() method. The malware uses this method to inject malicious code into explorer.exe. The APIs used by the malware for privilege escalation are shown below.
The malware can monitor applications and perform keylogging activity in the victim’s machine. The code snippet that the malware uses to perform keylogging activities is shown below.
The malware has the code to identify RDP port details from victims’ machines to perform brute force attacks. The below image shows the code used by the malware to identify the victim’s RDP port.
The malware contains code to delete sensitive data from applications, including Chrome, Skype, QQBrowser, Sogou Explorer, and 360 Secure browsers. Based on the source code analysis, the malware can perform the following operations to delete the data:
- Enumerate running processes and check if the targeted applications are running, such as chrome.exe, skyop.exe, QQBrowser.exe, SogouExplorer.exe, and 360se6.exe.
- Terminate these applications if they are identified.
- Locate the targeted applications in %appdata% location.
- Delete the sensitive files and directories.
Additionally, the malware has the code to delete all Firefox-related .db files, as shown in the below figure.
The malware clears the victim’s Internet Explorer Browser history by executing an Internet Control Panel File (Inetcpl.cpl), as shown below. The malware performs this operation to clear all the traces before uninstallation. The figure below shows the code to clear the Internet Explorer data.
The malware can uninstall its traces once it receives commands from the C&C server. The below figure shows that the malware terminates itself and deletes its persistence as well.
Conclusion
Phishing attacks are one of the most common techniques used by attackers to initially compromise target systems. While conducting this analysis, we identified that the attackers use genuine Telegram and Windows Defender Antivirus executables, but the associated support libraries are malicious.
These attacks are extremely common; however, in this case, the payload is particularly sophisticated and contains multiple, highly advanced spying capabilities.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Antiviruses and Android OS and take necessary actions accordingly.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Collection | T1056.001 | Keylogging |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071 | Application Layer Protocol |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 492fc768ab51f041a050dc1ed03cb776 | MD5 | supt.msi (Malicious Installer) |
| 7bb583b67957cabe2cb81e8874742b0155eac731 | SHA1 | supt.msi (Malicious Installer) |
| 6c948823a0d5de2177f236b94c5e7458b02d5eb5c2198fdc48e533a33df74cbe | SHA256 | supt.msi (Malicious Installer) |
| 2d4336156fec35bc7389a0b982e0fafc | MD5 | mpclient.dll (Malicious DLL) |
| 37980ac1fad099b016438578135d220b96a835ff | SHA1 | mpclient.dll (Malicious DLL) |
| 72bb67734bf5f8c51718536e9b5dd9bcd1d70b43860a7736fd83d4e0ac9afdc6 | SHA256 | mpclient.dll (Malicious DLL) |
| hxxps://telegraac[.]com/supt[.]msi | URL | Malicious Download URL |
