Cyble-Fake-Telegram-China

Fake Telegram site delivering RAT aimed at Chinese Users

Application abuses Windows Defender Executable to perform DLL Sideloading

During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a fake Telegram website, masquerading as the legitimate one, that serves a malicious installer. This installer abuses a Windows Defender executable to perform RAT operations. The figure below shows the fake Telegram website.

Figure 1 – Website Hosting Fake Telegram Download Page

The fake website redirects users to Telegram’s official website to download applications on non-Windows platforms such as Android, iOS, and macOS. However, the fake website downloads a malicious graphical MSI installer when a user selects the application to install on Windows.

Upon execution, the MSI file performs DLL side-loading: it runs a genuine MpCmdRun.exe, which loads a malicious mpclient.dll placed next to it. MpCmdRun.exe is a Windows Defender component that normally loads a legitimate mpclient.dll from the Defender installation directory. In this case, the Threat Actor has replaced the legitimate mpclient.dll with a malicious file.

The loaded malicious DLL file further reads a file named upgrade.xml, decrypts it, and injects the resulting code into %WINDIR%\System32\odbcad32.exe to evade detection.

Technical Analysis

For this analysis, we downloaded the MSI file from the domain hxxps://telegraac[.]com/supt[.]msi. The MSI file has multiple files bundled into it, including Telegram.exe with valid digital signatures and other unusual files such as ComSvcInst.exe and mpclient.dll.

After checking additional information about these files, we identified that the MpCmdRun.exe file was renamed as ComSvcInst.exe to divert attention. A support DLL mpclient.dll for MpCmdRun.exe is present, but we determined it to be malicious.

After executing the malicious MSI file, an installer window in Chinese is launched to install the application on Windows systems. Figure 2 shows the installer window of the fake Telegram desktop application.

Figure 2 – Installer window for malicious Telegram application

During installation, the MSI file drops Telegram.exe in the C:\Program Files (x86)\Telegram\Telegram中文版 folder. This installation folder additionally contains a Windows Defender Plugs folder, which in turn contains ComSvcInst.exe, mpclient.dll, and Upgrade.xml, along with other support files. The figure below shows the dropped files.

Figure 3 – Files Dropped by the Malicious MSI File

While installing Telegram, the malicious MSI file executes ComSvcInst.exe from the C:\Program Files (x86)\Telegram\Telegram中文版\Windows Defender Plugs folder. This executable then sideloads the malicious mpclient.dll to perform further operations.
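The side-loading chain described above leaves a distinctive footprint in image-load telemetry: the loading process has the PE original name MpCmdRun.exe but a different on-disk name, and mpclient.dll is loaded from outside the Defender installation directory and is not Microsoft-signed. The following is an added detection example, not code from the Cyble report. It assumes Sysmon-style ImageLoad (Event ID 7) records already parsed into dictionaries with the fields Image, ImageLoaded, OriginalFileName, Signed and Signature; the two sample records are constructed, with the second mirroring the paths reported above.

```python
"""Flag the MpCmdRun.exe / mpclient.dll side-loading pattern in image-load telemetry.

Added example, not code from the Cyble report. It assumes Sysmon-style
ImageLoad (Event ID 7) records already parsed into dicts with the fields
Image, ImageLoaded, OriginalFileName, Signed and Signature. The sample
records below are constructed for this example.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Directories from which Defender components are legitimately loaded
# (lower-cased prefixes; extend for non-default platform versions).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def _under_defender_dir(path: str) -> bool:
    return path.lower().startswith(DEFENDER_DIRS)


def check_image_load(rec: dict) -> list[str]:
    """Return the findings for one ImageLoad record; an empty list means benign."""
    findings: list[str] = []
    host = PureWindowsPath(rec["Image"])
    loaded = PureWindowsPath(rec["ImageLoaded"])
    original = rec.get("OriginalFileName", "").lower()

    # 1. The loading process is really MpCmdRun.exe but carries another on-disk
    #    name (the report shows it renamed to ComSvcInst.exe).
    if original == "mpcmdrun.exe" and host.name.lower() != "mpcmdrun.exe":
        findings.append(f"MpCmdRun.exe renamed to {host.name}")

    if loaded.name.lower() == "mpclient.dll":
        # 2. The support DLL is loaded from outside the Defender install directories.
        if not _under_defender_dir(str(loaded.parent)):
            findings.append(f"mpclient.dll loaded from {loaded.parent}")
        # 3. The support DLL is not Microsoft-signed (Sysmon reports Signed as "true"/"false").
        signed = rec.get("Signed", "false") == "true"
        if not signed or "microsoft" not in rec.get("Signature", "").lower():
            findings.append("mpclient.dll is not Microsoft-signed")
    return findings


# Constructed sample records: one legitimate Defender scan, one matching the report.
SAMPLE_RECORDS = [
    {
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll",
        "OriginalFileName": "MpCmdRun.exe",
        "Signed": "true",
        "Signature": "Microsoft Windows",
    },
    {
        "Image": r"C:\Program Files (x86)\Telegram\Telegram中文版\Windows Defender Plugs\ComSvcInst.exe",
        "ImageLoaded": r"C:\Program Files (x86)\Telegram\Telegram中文版\Windows Defender Plugs\mpclient.dll",
        "OriginalFileName": "MpCmdRun.exe",
        "Signed": "false",
        "Signature": "",
    },
]


def triage(records: list[dict]) -> dict[int, list[str]]:
    """Map record index -> findings, keeping only records with at least one finding."""
    return {i: f for i, r in enumerate(records) if (f := check_image_load(r))}


if __name__ == "__main__":
    for idx, found in triage(SAMPLE_RECORDS).items():
        print(f"record {idx}:")
        for line in found:
            print("  -", line)
```

The three checks are independent on purpose: a renamed host binary is suspicious even when the DLL it loads is clean, and an unsigned mpclient.dll outside the Defender directory is suspicious regardless of which process loads it. Running the script prints the three findings for the constructed ComSvcInst.exe record and nothing for the legitimate one.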

Upon execution, the mpclient.dll file reads the upgrade.xml file, which contains shellcode. The DLL then loads the shellcode into memory to inject malicious code into another process. The figure below shows the file being read and loaded into memory.
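A file named upgrade.xml that actually holds encrypted shellcode is not XML-shaped and has near-random byte statistics, which is a cheap property to test for during triage of a dropped folder. The following is an added example, not code from the Cyble report; it assumes only what the report states (an .xml file carrying shellcode) and uses constructed sample contents, so it does not reproduce the real upgrade.xml or its encryption.

```python
"""Triage a file that claims to be XML but may carry an encrypted payload.

Added example, not code from the Cyble report. It assumes nothing about the
real upgrade.xml beyond what the report states (an .xml file holding
shellcode); the sample contents below are constructed.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_xml(data: bytes) -> bool:
    """Cheap structural check: after an optional BOM and whitespace, XML starts
    with '<' and the leading bytes decode as UTF-8 text."""
    head = data[:4096]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return text.lstrip().startswith("<")


def classify(filename: str, data: bytes, threshold: float = 7.0) -> str:
    """'suspicious' when an .xml file is not XML-shaped or is near-random,
    'xml' for a plausible XML document, 'other' for non-.xml names."""
    if not filename.lower().endswith(".xml"):
        return "other"
    if not looks_like_xml(data) or shannon_entropy(data) >= threshold:
        return "suspicious"
    return "xml"


def _pseudo_random_blob(size: int) -> bytes:
    # Deterministic stand-in for an encrypted payload: chained SHA-256 output.
    out, block = bytearray(), b"seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed samples: a plausible configuration document and an opaque blob.
SAMPLE_XML = b'<?xml version="1.0"?>\n<config><update channel="stable"/></config>\n'
SAMPLE_BLOB = _pseudo_random_blob(4096)

if __name__ == "__main__":
    for name, data in (("settings.xml", SAMPLE_XML), ("upgrade.xml", SAMPLE_BLOB)):
        print(f"{name}: entropy={shannon_entropy(data):.2f} verdict={classify(name, data)}")
```

Plain XML sits well below 7 bits per byte, while encrypted or compressed data sits close to 8, so the 7.0 threshold separates the two cases cleanly; the structural check catches the remaining case where a payload happens to be low-entropy but is still not text.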

Figure 4 – Reading Shellcode and Loading into Memory

The shellcode further opens odbcad32.exe and injects malicious code into its memory.

Figure 5 – Process Injection

The malware then achieves persistence by creating a service for ComSvcInst.exe, which again loads mpclient.dll after the system reboots. The figure below shows the service used to establish persistence.

Figure 6 – Malware Creating Service to establish persistence

After injection, the malware waits for the command from the Command and Control (C&C) server and performs the following malicious activities:

The malware can download additional payloads from the remote server based on the commands received from the C&C server. The figure below shows the assembly code that downloads an additional payload named svchost.exe to create a run entry for the malware.
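Both persistence mechanisms described so far, the ComSvcInst.exe service and the Run entry for a payload named svchost.exe, can be triaged from the same two data sources: service-install events (System log Event ID 7045) and the Run registry values. The following is an added example, not code from the Cyble report. It assumes those records have already been collected into simple Python structures; all sample entries are constructed, and the ComSvcInst.exe path mirrors the one reported above.

```python
"""Triage service-install events and Run-key values for the masquerading patterns in this report.

Added example, not code from the Cyble report. It assumes System log
Event ID 7045 ("A service was installed") records and Run-key values have
already been parsed into the simple structures below; all sample values
are constructed.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Executable name -> directory prefixes (lower-case) where that binary legitimately lives.
EXPECTED_LOCATIONS = {
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "mpcmdrun.exe": (r"c:\program files\windows defender",
                     r"c:\programdata\microsoft\windows defender\platform"),
}
# On-disk name the report observed for the renamed MpCmdRun.exe.
CAMPAIGN_NAMES = {"comsvcinst.exe"}

# First token of a command line: either a quoted path or a bare one.
_EXE_RE = re.compile(r'^\s*"([^"]+)"|^\s*(\S+)')


def executable_from_command(command: str) -> str:
    """Return the executable path from an ImagePath or Run value (quoted or bare)."""
    m = _EXE_RE.match(command)
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)


def check_command(source: str, command: str) -> list[str]:
    """Findings for one command line; an empty list means nothing notable."""
    exe = PureWindowsPath(executable_from_command(command))
    name = exe.name.lower()
    parent = str(exe.parent).lower()
    findings: list[str] = []
    expected = EXPECTED_LOCATIONS.get(name)
    if expected and not parent.startswith(expected):
        findings.append(f"{source}: {exe.name} running from {exe.parent} instead of its system location")
    if name in CAMPAIGN_NAMES:
        findings.append(f"{source}: {exe.name} matches a file name from this campaign")
    return findings


def triage(services: list[dict], run_values: dict[str, str]) -> list[str]:
    """Run the checks over 7045 service records and Run-key values."""
    findings: list[str] = []
    for svc in services:
        findings += check_command(f"service '{svc['ServiceName']}'", svc["ImagePath"])
    for value_name, command in run_values.items():
        findings += check_command(f"Run value '{value_name}'", command)
    return findings


# Constructed samples: one benign and one suspicious entry of each kind.
SAMPLE_SERVICES = [
    {"ServiceName": "Dnscache", "ImagePath": r"C:\Windows\System32\svchost.exe -k NetworkService"},
    {"ServiceName": "ComSvcInst",
     "ImagePath": r'"C:\Program Files (x86)\Telegram\Telegram中文版\Windows Defender Plugs\ComSvcInst.exe"'},
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Update": r"C:\Users\Public\svchost.exe",
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SERVICES, SAMPLE_RUN_VALUES):
        print(line)
```

The location rule is the reusable part: a binary named svchost.exe or MpCmdRun.exe has exactly one legitimate home, so any other path is worth a look regardless of how it was started. The campaign file name is listed separately because it is specific to this report and will go stale.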

Figure 7 – Additional Payload and Run Registry Entry

Additionally, the payload has an export function named Shellex() which further copies the payload to the Windows directory and creates a service to establish persistence.

Figure 8 – Export Function Shellex()

The malware has code to execute a .reg file, namely Uac.reg, which is downloaded from the C&C server. Our research indicates that the malware could have used the Uac.reg file to modify registry keys in order to bypass User Account Control (UAC).

Figure 9 – UAC bypass conducted using Uac.reg

The malware accesses and reads other processes’ memory after enabling the SeDebugPrivilege privilege for its own process. The malware uses this privilege to inject malicious code into explorer.exe. The APIs used by the malware for privilege escalation are shown below.

Figure 10 – Privilege Escalation performed by Malware

The malware can monitor applications and perform keylogging activity in the victim’s machine. The code snippet that the malware uses to perform keylogging activities is shown below.

Figure 11 – Code for Keylogging Activities

The malware has the code to identify RDP port details from victims’ machines to perform brute force attacks. The below image shows the code used by the malware to identify the victim’s RDP port.

Figure 12 – Malware Identifying the victim’s RDP port

The malware contains code to delete sensitive data from applications, including Chrome, Skype, QQBrowser, Sogou Explorer, and 360 Secure browsers. Based on the source code analysis, the malware can perform the following operations to delete the data:

  1. Enumerate running processes and check if the targeted applications are running, such as chrome.exe, skyop.exe, QQBrowser.exe, SogouExplorer.exe, and 360se6.exe.
  2. Terminate these applications if they are identified.
  3. Locate the targeted applications in %appdata% location.
  4. Delete the sensitive files and directories.

Additionally, the malware has the code to delete all Firefox-related .db files, as shown in the below figure.

Figure 13 – Code for Deleting Firefox Database

The malware clears the victim’s Internet Explorer browser history by executing the Internet Control Panel file (Inetcpl.cpl). The malware performs this operation to clear all traces before uninstallation. The figure below shows the code used to clear the Internet Explorer data.

Figure 14 – Code to clear Internet Explorer Data

The malware can uninstall its traces once it receives commands from the C&C server. The below figure shows that the malware terminates itself and deletes its persistence as well.

Figure 15 – Malware’s Self-Destruct Code

Conclusion

Phishing attacks are one of the most common techniques used by attackers to initially compromise target systems. While conducting this analysis, we identified that the attackers use genuine Telegram and Windows Defender Antivirus executables, but the associated support libraries are malicious.

These attacks are extremely common; however, in this case, the payload is particularly sophisticated and contains multiple, highly advanced spying capabilities.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Antiviruses and Android OS and take necessary actions accordingly.

MITRE ATT&CK® Techniques

Tactic               | Technique ID | Technique Name
---------------------|--------------|----------------------------------------------------------------
Initial Access       | T1566        | Phishing
Execution            | T1204        | User Execution
Persistence          | T1543.003    | Create or Modify System Process: Windows Service
Privilege Escalation | T1548.002    | Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion      | T1574.002    | Hijack Execution Flow: DLL Side-Loading
Collection           | T1056.001    | Keylogging
Collection           | T1113        | Screen Capture
Command and Control  | T1071        | Application Layer Protocol

Indicators Of Compromise (IOCs)

Indicators                                                       | Indicator Type | Description
-----------------------------------------------------------------|----------------|-------------------------------
492fc768ab51f041a050dc1ed03cb776                                 | MD5            | supt.msi (Malicious Installer)
7bb583b67957cabe2cb81e8874742b0155eac731                         | SHA1           | supt.msi (Malicious Installer)
6c948823a0d5de2177f236b94c5e7458b02d5eb5c2198fdc48e533a33df74cbe | SHA256         | supt.msi (Malicious Installer)
2d4336156fec35bc7389a0b982e0fafc                                 | MD5            | mpclient.dll (Malicious DLL)
37980ac1fad099b016438578135d220b96a835ff                         | SHA1           | mpclient.dll (Malicious DLL)
72bb67734bf5f8c51718536e9b5dd9bcd1d70b43860a7736fd83d4e0ac9afdc6 | SHA256         | mpclient.dll (Malicious DLL)
hxxps://telegraac[.]com/supt[.]msi                               | URL            | Malicious Download URL
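The file hashes above are the simplest indicators to operationalise: hash every file under a suspect installation folder with all three algorithms and look the digests up in the published list. The following is an added example, not code from the Cyble report. The hash values are copied from the IOC table; the file it scans in the demo is a constructed placeholder in a temporary directory, matched against a constructed IOC entry, so nothing here touches the real samples.

```python
"""Hash files and compare them against the indicators published in the report.

Added example, not code from the Cyble report. IOC_HASHES is copied from the
report's IOC table; demo_scan() builds a constructed file and a constructed
IOC entry in a temporary directory so the end-to-end path can be exercised
offline.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")

# Digest -> description, as published in the report's IOC table.
IOC_HASHES = {
    "492fc768ab51f041a050dc1ed03cb776": "supt.msi (Malicious Installer)",
    "7bb583b67957cabe2cb81e8874742b0155eac731": "supt.msi (Malicious Installer)",
    "6c948823a0d5de2177f236b94c5e7458b02d5eb5c2198fdc48e533a33df74cbe": "supt.msi (Malicious Installer)",
    "2d4336156fec35bc7389a0b982e0fafc": "mpclient.dll (Malicious DLL)",
    "37980ac1fad099b016438578135d220b96a835ff": "mpclient.dll (Malicious DLL)",
    "72bb67734bf5f8c51718536e9b5dd9bcd1d70b43860a7736fd83d4e0ac9afdc6": "mpclient.dll (Malicious DLL)",
}


def hash_bytes(data: bytes) -> dict[str, str]:
    """Digests of an in-memory buffer, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: Path) -> dict[str, str]:
    """Digests of a file, read in 1 MiB chunks so large installers do not load into memory."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(hashes: dict[str, str], iocs: dict[str, str] = IOC_HASHES) -> list[tuple[str, str, str]]:
    """(algorithm, digest, description) for every digest present in the IOC list."""
    return [(alg, digest, iocs[digest]) for alg, digest in hashes.items() if digest.lower() in iocs]


def scan_directory(root: Path, iocs: dict[str, str] = IOC_HASHES) -> dict[str, list[tuple[str, str, str]]]:
    """Recursively hash every file under root; return {path: matches} for files that hit."""
    hits: dict[str, list[tuple[str, str, str]]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            matches = match_iocs(hash_file(path), iocs)
            if matches:
                hits[str(path)] = matches
    return hits


def demo_scan() -> dict[str, list[tuple[str, str, str]]]:
    """Constructed end-to-end run: a placeholder 'supt.msi' whose SHA256 is added to the IOC set."""
    placeholder = b"constructed placeholder, not the real installer"
    iocs = dict(IOC_HASHES)
    iocs[hash_bytes(placeholder)["sha256"]] = "constructed test entry"
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "supt.msi").write_bytes(placeholder)
        (Path(tmp) / "readme.txt").write_bytes(b"unrelated file")
        return scan_directory(Path(tmp), iocs)


if __name__ == "__main__":
    for path, matches in demo_scan().items():
        for alg, digest, description in matches:
            print(f"{path}: {alg}={digest} -> {description}")
```

Matching on all three digests at once means a hit is reported even when a feed only carries one of them, and reading files in chunks keeps the scan usable on multi-megabyte MSI packages. The lookup is case-insensitive on the digest because indicator feeds are inconsistent about hex case.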