If the conditions are met, start %TEMP%\\ready.ps1. Start.vbs only infects machines with a ROM capacity greater than 128KB. The script file Action.bat uses powershell to execute remote scripts: hxxp:///new_file.txt, and new_file.txt acts as a downloader to download the other three scripts and execute start.vbs. Action.bat executes the subsequent attack process, and Remove.bat completes self-deleting. Then download the normal Telegram installer from the official Telegram URL: hxxps:///tsetup/tsetup.2.6.1.exe to the directory %LocalAppDta%, and execute the legal installer with the administrator (runas) authority, Complete the original work of the installation package.įinally, create two bat files %TEMP%\\Action.bat and %TEMP%\\Remove.bat, write batch commands and execute scripts. Then visit the URL hxxps://to confirm that the network is available, otherwise continue to wait until the visit response is successful.įor the smooth progress of the attack process, the Trojan disables SmartScreen and UAC by modifying the registry keys such as EnableBalloonTips, EnableSmartScreen, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, etc., reducing the system’s defense capabilities and making users unaware of the attack process. If it is, it will exit and self-delete, and if it is not, it will create the file. And in order to avoid repeated infections, the program determines whether the current machine has been infected by confirming the existence of the file %LocalAppData%\\ASUNCB-dcBdklMsBabnDBlU. In addition, the program also has functions such as bypassing the designated IP List and region, and delaying execution of malicious code, but they are not turned on. If it is in the list, it will not be infected. The Trojan masquerading as an installation package will obtain the MAC address of the local machine and match the 13,345 MAC addresses it carries. In order to avoid detection, a large number of sensitive strings in the program are Base64 encoded and decoded at runtime. In order to better disguise itself, the Telegram legal software signature Telegram FZ-LLC was also stolen, but it can be seen from the file attributes that the signature is actually invalid. In this attack, the “installation package” downloaded from the link was written in C# language and disguised as a 32-bit file of the Telegram installer through the program icon. For example, the Trojan horse resource link in this attack. The attention of the personnel, followed by a large number of malicious software is hosted on Discord’s CDN server for remote download of Trojan horses. The number of users has increased year by year, and since the attachments uploaded to Discord can be downloaded by everyone, file sharing and transmission between users are fast and convenient, etc., it also caused cyber crimes. Discord is a popular chat and communication software mainly for gamers. It can be seen from the last resource link that the Trojan is hosted on the Discord CDN server. The download link of the Trojan: hxxps:///2r64b6 (the data shows that the source page of the short link is hxxps:///). After the “installation package” is executed, the legitimate Telegram installation package will be downloaded for installation to cover up the malicious behavior in secret, and reside through the RDP service. In March 2021, 360 Security Center discovered an attack that disguised Telegram installation package.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |