TeleStealer
From the title of this lab, we have a hint that this malware is likely an information stealer (infostealer) of some sort.
Infostealers are typically designed to steal sensitive information such as user credentials, browser cookies, confidential documents, etc.
Some infostealers also have more sophisticated capabilities, such as keylogging or staging additional payloads.
Question 1
Malicious software frequently employs diverse methods to hide its presence and avoid detection. What packing tool was utilized to obfuscate this malware?
For this question, we can use Detect It Easy (DIE) to quickly identify whether the malware is packed and, if so, which packer was used.

Question 2
Since the malware author used multiple techniques to hide its functions, where does the malware place the second stage?
We will have to do some dynamic analysis to find out.
Once ProcMon has been started, we can execute telestealer.exe and go through what the malicious process is doing behind the scenes. By looking at the process tree in ProcMon, we can see that PowerShell was spawned under the malicious process.
The full command is powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Administrator\AppData\Roaming\Dropper\script.ps1"

Question 3
Looking into how the malware persists on the machine, what's the path of the registry key it uses to do this?
Within ProcMon, we can look at the registry items which telestealer.exe interacted with. In this case, we will specifically look for RegSetValue events.
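The same filtering can be done outside the ProcMon GUI by exporting the capture as CSV (File > Save, CSV format) and scripting over it. The following is an added example written for this write-up, not part of the lab or its tooling: it parses ProcMon's default CSV columns, keeps only RegSetValue events from a chosen process, and flags those landing under an autorun (CurrentVersion\Run) key. The CSV rows are constructed sample data, and the value name is a placeholder, not the lab's answer.

```python
import csv
import io

# Constructed sample of a ProcMon CSV export. The rows are illustrative only;
# <PLACEHOLDER_VALUE_NAME> stands in for whatever the real capture shows.
SAMPLE_PROCMON_CSV = r""""Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012","telestealer.exe","4120","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Set Value"
"10:02:11.0015","telestealer.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<PLACEHOLDER_VALUE_NAME>","SUCCESS","Type: REG_SZ, Length: 120, Data: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Administrator\AppData\Roaming\Dropper\script.ps1"
"10:02:11.0020","explorer.exe","1337","RegSetValue","HKCU\Software\Classes\Local Settings\MuiCache","SUCCESS","Type: REG_SZ"
"10:02:12.0001","telestealer.exe","4120","CreateFile","C:\Users\Administrator\AppData\Roaming\Dropper\script.ps1","SUCCESS","Desired Access: Generic Write"
"""


def registry_writes(csv_text, process_name):
    """Return (path, detail) for every RegSetValue event by the named process.

    Matching on the process name is case-insensitive because ProcMon records
    the image name as it appears on disk.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        if (row["Process Name"].lower() == process_name.lower()
                and row["Operation"] == "RegSetValue"):
            hits.append((row["Path"], row["Detail"]))
    return hits


def run_key_writes(csv_text, process_name):
    """Subset of registry writes that land under a CurrentVersion\\Run key,
    which covers both Run and RunOnce autorun locations (HKCU and HKLM)."""
    return [(path, detail)
            for path, detail in registry_writes(csv_text, process_name)
            if "\\currentversion\\run" in path.lower()]


if __name__ == "__main__":
    for path, detail in run_key_writes(SAMPLE_PROCMON_CSV, "telestealer.exe"):
        print(f"persistence candidate: {path}\n  {detail}")
```

Replace SAMPLE_PROCMON_CSV with the contents of a real export to reproduce the ProcMon filter from the command line; the Detail column carries the written data, so the PowerShell command line from Question 2 shows up alongside the key path.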


Question 4
We've noticed unusual network traffic in recent days since the discovery of the malware. We need to determine what data it might have sent out. What's the path of the exfiltrated data?
As we now know the malware runs a PowerShell script, we can look further into the script and uncover the answer. It appears that this malware is collecting every file on the Desktop and archiving them into a zip file to be exfiltrated.

Question 5
You've verified that the malware is gathering sensitive data from compromised machines. It mainly uses a separate communication channel to send out the data. What is the full domain the malware uses to exfiltrate the data?
Using Wireshark, we can look for unusual DNS requests or HTTP requests when the malware is running to determine related outbound connections. In this case, it appears the malware is attempting to establish connections with Telegram.

Question 6
Once the channel is recognized, the next step is to determine who is receiving the exfiltrated data. Utilizing Python and the hosts file, can you determine the username of the recipient?
Unfortunately, this lab does not have an internet connection. Hence, we will set up our own HTTP web server to listen for HTTP requests. In order to do so, we will have to update our local DNS records in C:\Windows\System32\drivers\etc\hosts to resolve api.telegram.org to our loopback address.

Then, we will start up our own web server by using the following command in Command Prompt: python -m http.server 80.
Once we run the malware again, we will be able to grab the HTTP requests that are being sent to api.telegram.org.
A quick look at Telegram's Bot API documentation will reveal that requests take the form https://api.telegram.org/bot<token>/METHOD_NAME, so the recipient (a bot in this case) is identified by the captured request path. The question is a bit confusing as it isn't actually a username. Instead, it's the Telegram bot's name.
