The Splunk Threat Research Team (STRT) has detected the resurfacing of a crypto botnet that uses Telegram, a widely used messaging application that can create bots and execute code remotely, as its command-and-control channel. The STRT has identified attacking sources from Chinese and Iranian IP addresses specifically targeting the AWS IP address space. The malicious actors behind this botnet specifically target Windows Server operating systems with Remote Desktop Protocol (RDP) enabled.
The attack: Telegram is a popular messaging application with over 500 million users. In January 2021, Telegram was the most downloaded application across iOS and Android. The application also has a desktop version, which can be tied to a mobile account via the Telegram API. This API can be used to execute commands remotely, which is how malicious actors turn the desktop clients of compromised hosts into bots: they can issue commands remotely and download additional tools and payloads.
In a typical attack by this crypto botnet on Telegram, threat actors first break into Windows servers and then install several tools found on hacking forums, such as NL Brute, KPort Scan and NLA Checker. These tools target Windows servers with weak passwords by brute forcing RDP. After the threat actor has broken in and downloaded the further exploitation tools mentioned above, they install Telegram Desktop, which is used as part of the command-and-control infrastructure and to drop cryptomining tools such as minergate and xmrig. Both of these binaries are Monero (XMR) cryptomining tools.
The STRT was able to identify a Monero wallet tied to a previous cryptomining campaign (2018) in which similar attack patterns were observed. The STRT has now observed the resurfacing of this botnet using Telegram as its C2 infrastructure.
The following graphic shows the attack flow associated with this botnet operation.
First, the following graphic shows persistence via lsarpc.exe after the initial break-in via RDP brute force.
Then, a self-extracting executable (SFX) drops the xmrig payload along with update.bat, install.bat, sqlserver.exe (xmrig) and conhost.exe (the nssm CLI tool). The sqlserver.exe CLI is used to perform CPU mining on the compromised machine. xmrig, a popular XMR mining application, is frequently used in crypto-driven exploitation campaigns because Monero does not need a GPU (Graphics Processing Unit) in order to be mined. The graphic below shows the help menu of the xmrig executable.
The following graphic shows the file update.bat. This file contains several commands that configure CPU mining and also remove other malware or coin miners that may be installed on the machine.
The file install.bat contains a large number of actions focused on defense evasion: killing processes, killing services, adding scheduled tasks, using Image File Execution Options (IFEO) registry keys, deleting users, disabling users, changing file and folder permissions, and killing other malware or active coin miners. This is illustrated in the next graphic.
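To illustrate the registry side of the install.bat behaviour described above (IFEO keys, lockouts of utilities such as taskmgr, and hidden sign-in accounts) from the detection side, here is an added Python example; it is not code from this post or from Splunk, whose detections ship as SPL searches. The event shape (modelled loosely on a Sysmon registry set-value event), the key paths checked and the sample events are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    """One registry set-value event (assumed shape, loosely based on Sysmon Event ID 13)."""
    host: str
    process: str   # process that wrote the value
    key: str       # full target key path
    value: str     # value name
    data: str      # value data rendered as a string


# Image File Execution Options: a "Debugger" value redirects launches of the named
# executable (for example taskmgr.exe) to whatever the writer points it at.
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\?$", re.IGNORECASE)
# Explorer/System policy values that lock users out of built-in utilities.
POLICY_RE = re.compile(r"\\Policies\\(System|Explorer)$", re.IGNORECASE)
TOOL_LOCKOUT_VALUES = {"disabletaskmgr", "disablecmd", "disableregistrytools"}
# A DWORD 0 under Winlogon\SpecialAccounts\UserList hides that account on the sign-in screen.
HIDE_USER_RE = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList$", re.IGNORECASE)


def classify(ev: RegistryEvent):
    """Return a list of (rule, detail) tuples; an empty list means nothing matched."""
    hits = []
    m = IFEO_RE.search(ev.key)
    if m and ev.value.lower() == "debugger":
        hits.append(("ifeo_debugger", f"{m.group(1)} -> {ev.data}"))
    if POLICY_RE.search(ev.key) and ev.value.lower() in TOOL_LOCKOUT_VALUES and ev.data.strip() == "1":
        hits.append(("tool_lockout", ev.value))
    if HIDE_USER_RE.search(ev.key) and ev.data.strip() == "0":
        hits.append(("hidden_account", ev.value))
    return hits


def scan(events):
    """Group findings per host: {host: [(rule, writing_process, detail), ...]}."""
    findings = {}
    for ev in events:
        for rule, detail in classify(ev):
            findings.setdefault(ev.host, []).append((rule, ev.process, detail))
    return findings


# Constructed sample events (not real telemetry). Three mimic install.bat-style
# tampering on WS01; the last is an ordinary Run-key write on WS02 that must not alert.
SAMPLE_EVENTS = [
    RegistryEvent("WS01", "cmd.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe",
                  "Debugger", r"C:\Windows\System32\svchost.exe"),
    RegistryEvent("WS01", "reg.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
                  "DisableTaskMgr", "1"),
    RegistryEvent("WS01", "reg.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
                  "sqlsvc", "0"),
    RegistryEvent("WS02", "explorer.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  "OneDrive", r"C:\Users\alice\OneDrive.exe"),
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        for rule, proc, detail in hits:
            print(f"{host}: {rule} via {proc}: {detail}")
```

The three rules are deliberately narrow (exact value name, exact data) so that a legitimate administrator writing the same keys with different data does not trip them; in a real pipeline you would feed `classify` from your registry telemetry source rather than from the constructed list.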
As seen in the above screenshot, when setting up mining and connecting to the mining pool, the attacker has to input the wallet address. The STRT was able to verify that this wallet has been observed in previous campaigns dating back to 2018.
That previous campaign also involved cryptomining payloads and very similar exploitation techniques. The reuse of this wallet may indicate that similar actors are behind the exploitation campaign observed here.
Throughout the STRT investigation, the executable binary of the Telegram Desktop client was observed, analyzed, and compared with versions downloaded from the official site; we found no differences between them. Once the Telegram client is installed, it is used as C2 infrastructure. The following screen captures show samples of how attackers are using it to build the botnet.
This screenshot captures how Telegram is used to enumerate local groups on compromised machines.
In the following screen captures, Telegram is used to download masscan and KPort Scan.
The above screenshots show how Telegram is used to download further exploitation and botnet-expansion tools such as masscan, KPort Scan and NLA Checker. The scanners are used for rapid internet scanning, and NLA Checker is used to check RDP connectivity. The NLA tool needs a Python environment in order to execute. The above screenshot also shows how files such as IPs.txt are downloaded; these files serve as target input for the scanning tools.
In the following screenshot, the STRT replicated the use of NLA Checker in Attack Range Local. This tool lets attackers quickly input large numbers of IP addresses and determine whether they have Remote Desktop connectivity. The tool outputs which IP addresses have Network Level Authentication (NLA) enabled and which do not. Note that enabling NLA for RDP on Windows operating systems usually protects against some brute-force tools and non-Windows RDP clients.
The STRT found proof of malicious actors targeting the AWS IP address space, specifically Windows servers with RDP enabled. The STRT also found Iranian IP addresses connecting to zombies, and several OSINT items indicating the use of Iranian sites and Telegram channels as tool repositories and stagers. The following malicious indicator is associated with this botnet.
IP Address: 218.28.249.14
As seen during our research, the best way to prevent these attack vectors is to patch your Windows servers and apply the latest security updates. The use of weak passwords is also a major factor in servers being compromised. Enabling Network Level Authentication (NLA) also hardens your servers and prevents many hacking tools from attempting brute-force attacks.
The Splunk Threat Research Team has developed an analytic story, XMRIG, to address this threat. The following detection searches are included:
| Name | Technique ID | Tactic(s) | Notes |
| --- | --- | --- | --- |
| | | Impact | This search looks for deleting a user account using the net application. |
| | | Defense Evasion | This search looks for registry events that disable application hotkeys to impair Windows utility tools such as taskmgr, cmd and many more. |
| | | Impact | This search looks for disabling a user account using the net application. |
| | | Command and Control | This search looks for files downloaded by the Telegram application. |
| | | Discovery | This search looks for enumeration of users in local groups using the Telegram application. |
| | | Impact | This search looks for excessive attempts to disable services within a short period of time. |
| | | Impact | This search looks for excessive attempts to stop services within a short period of time. |
| | | Defense Evasion | This search looks for excessive usage of the icacls/cacls/xcacls application within a short period of time. |
| | | Impact | This search looks for excessive usage of the net/net1.exe application within a short period of time. |
| | | Defense Evasion | This search looks for excessive usage of the taskkill application within a short period of time. |
| | | Defense Evasion | This search looks for the creation of executables or scripts in suspicious file paths for execution. |
| | | Defense Evasion | This search looks for registry events that hide user accounts on the sign-in screen. |
| | | Defense Evasion | This search looks for an icacls command line that tries to deny a user permission to files or folders. |
| | | Defense Evasion | This search looks for an icacls command line that tries to grant a user permission to files or folders. |
| | | Defense Evasion | This search looks for modification of file or folder permissions to make them accessible to everyone or to the system. |
| | | Defense Evasion | This search looks for a wmic command line that kills a process based on its process file path. |
| | | Execution, Persistence, Privilege Escalation | This search looks for the schtasks command line parameter that runs a task on demand. |
| | | Persistence, Privilege Escalation | This search looks for driver-loaded events where the driver is not in the common driver folder path of the Windows OS. |
| | | Persistence, Privilege Escalation | This search looks for process creation with suspicious process file paths. |
| | | Persistence, Privilege Escalation | This search looks for the xmrig driver loaded as a service. |
| Detect Kportscan3 Install | | Lateral Movement | Detects installation and use of the KPortScan3 IP scanning tool. |
| Detect Masscan Gui Install | | Lateral Movement | Detects installation of the Masscan GUI tool, a rapid internet port scanner. |
| Detect Nl-brute12 Install | | Lateral Movement | Detects installation of NL Brute 1.2, an RDP brute-force tool. |
| Detect Nlachecker Install | | Lateral Movement | Detects installation of NLAChecker, a tool that detects whether Network Level Authentication is enabled on Windows hosts. |
| Detect Nsexe Ip Scanner Install | | Lateral Movement | Detects the NS.EXE IP scanner. |
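Several rows in the table above describe the same two detection shapes: a single command line matching a pattern (net user /delete, icacls /deny, wmic kill-by-path, schtasks /run, Telegram spawning local-group enumeration) and a burst of a utility within a short window (taskkill, net/net1, icacls family, service stop/disable). As an added example that is not the post's or Splunk's code (the real detections are SPL searches), here is a small Python detector that implements both shapes over constructed process-creation events. The event fields (ts, host, image, parent_image, cmdline), the 60-second window, the threshold of five launches and the sample command lines are assumptions.

```python
import re
from collections import defaultdict, deque

# Both thresholds are assumptions standing in for the table's "short period of time".
WINDOW_SECONDS = 60
BURST_THRESHOLD = 5

# Utilities whose bursts the table flags (taskkill, net/net1, icacls family, sc for stop/disable).
BURST_PROCESSES = {"taskkill.exe", "net.exe", "net1.exe", "icacls.exe", "cacls.exe", "xcacls.exe", "sc.exe"}

# Single-event command-line rules, each mirroring one table row.
PATTERN_RULES = [
    ("net_user_delete", re.compile(r"^net1?(\.exe)?\s+user\s+\S+\s+/delete\b", re.I)),
    ("net_user_disable", re.compile(r"^net1?(\.exe)?\s+user\s+\S+\s+/active:no\b", re.I)),
    ("icacls_deny", re.compile(r"^(icacls|cacls|xcacls)(\.exe)?\s.*\s/deny\s", re.I)),
    ("icacls_everyone_grant", re.compile(r"^(icacls|cacls|xcacls)(\.exe)?\s.*/grant\s+(everyone|system)\b", re.I)),
    ("wmic_kill_by_path", re.compile(r"^wmic(\.exe)?\s+process\s+where\s.*executablepath.*\bcall\s+terminate\b", re.I)),
    ("schtasks_run_on_demand", re.compile(r"^schtasks(\.exe)?\s+/run\b", re.I)),
]
LOCALGROUP_RE = re.compile(r"^net1?(\.exe)?\s+localgroup\b", re.I)


def detect(events):
    """Return alerts as (rule, host, detail) tuples, processing events in time order."""
    alerts = []
    recent = defaultdict(deque)   # (host, image) -> launch timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, image, cmd = ev["host"], ev["image"].lower(), ev["cmdline"]
        for rule, rx in PATTERN_RULES:
            if rx.search(cmd):
                alerts.append((rule, host, cmd))
        # Local-group enumeration is only interesting here when Telegram is the parent.
        if ev.get("parent_image", "").lower() == "telegram.exe" and LOCALGROUP_RE.search(cmd):
            alerts.append(("telegram_localgroup_enum", host, cmd))
        if image in BURST_PROCESSES:
            q = recent[(host, image)]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()          # drop launches that fell out of the window
            if len(q) >= BURST_THRESHOLD:
                alerts.append((f"burst_{image}", host, f"{len(q)} launches in {WINDOW_SECONDS}s"))
                q.clear()            # report each burst once
    return alerts


def _ev(ts, host, image, parent, cmdline):
    return {"ts": ts, "host": host, "image": image, "parent_image": parent, "cmdline": cmdline}


# Constructed sample events (not real telemetry). WS01 mimics an install.bat run;
# WS02 shows Telegram-driven discovery followed by a benign "net view" that must not alert.
SAMPLE_EVENTS = [
    *[_ev(100 + i, "WS01", "taskkill.exe", "cmd.exe", f"taskkill /f /im miner{i}.exe") for i in range(5)],
    _ev(110, "WS01", "net.exe", "cmd.exe", "net user backup_admin /delete"),
    _ev(111, "WS01", "net1.exe", "net.exe", "net1 user guest /active:no"),
    _ev(112, "WS01", "icacls.exe", "cmd.exe", r"icacls C:\Windows\Temp\sqlserver.exe /deny Users:(F)"),
    _ev(113, "WS01", "icacls.exe", "cmd.exe", r"icacls C:\Windows\Temp /grant everyone:(OI)(CI)F"),
    _ev(114, "WS01", "wmic.exe", "cmd.exe", "wmic process where \"ExecutablePath like '%xmrig%'\" call terminate"),
    _ev(115, "WS01", "schtasks.exe", "cmd.exe", "schtasks /run /tn sqlserver"),
    _ev(200, "WS02", "net.exe", "Telegram.exe", "net localgroup administrators"),
    _ev(201, "WS02", "net.exe", "explorer.exe", "net view"),
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The burst rule keys on (host, image) and clears its window after firing, so one noisy cleanup script yields one alert rather than one per launch beyond the threshold; the pattern rules stay independent of the burst logic so a single `net user /delete` is still caught even when no burst occurs.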
For up-to-date content, please download the latest version of our content at Splunkbase or check out our GitHub.