The Exaramel hacking tool is a threat, which was spotted in one of the campaigns of the TeleBots hacking group recently. When studying the threat, malware researchers noticed that the Exaramel malware is rather similar to another hacking tool in the arsenal of the TeleBots group called Industroyer. The TeleBots hacking group has been very active in recent years and has made many headlines with its threatening campaigns. Its most famous operation took place in 2015 and involved them, causing a blackout, which had never before been achieved with malware. The TeleBots group also is the one behind the infamous Petya Ransomware, which plagued the Web for a while. The threat would lock the MBR (Master Boot Record) of the hard drive on the targeted system.

Delivered as Secondary Payload

The Exaramel malware is a backdoor Trojan, and it is deployed as a second-stage malware. Another one of the TeleBots group's hacking tools helps the Exaramel threat to be delivered to the host by sneaking it past the security measures on the computer. The first-stage payload, which helps the Exaramel malware to compromise the system, also makes sure to spot any software or tools, which may be linked to malware debugging. If the test results are positive, the attack will be halted. This will make it less likely that malware researchers will get their hands on the Exaramel backdoor and dissect it. If the attack continues, however, the files of the Exaramel backdoor will be injected in the Windows folder. Then, the threat will make sure that a new service called 'wsmprovav' is launched on system startup. This service is described as 'Windows Checked AV,' which is meant to make it seem like a legitimate service and not a part of a malicious operation.


The Windows Registry Key stores all the configurations of the Exaramel malware, which is not a very common technique. The backdoor Trojan is informed about the uploaded files' storage path, proxy details, data regarding the C&C (Command & Control) server, and it enables the threat to carry out a basic Web check. The Exaramel backdoor Trojan is capable of:

  • Executing VBS scripts.
  • Writing files to the local system.
  • Executing software.
  • Uploading files to the storage path previously mentioned.
  • Executing shell commands.

The TeleBots hacking group would often use the Exaramel backdoor Trojan in unison with the CredRaptor and Mimikatz hacking tools. The authors of the Exaramel malware have also developed a version of the threat written in the Go programming language, which allows the hacking tool to target Linux servers and systems.


Most Viewed