How I Contacted Russian Hackers Via Telegram

Furthermore, Tracing Their Geographic Coordinates #

Screen Shot 2023-08-25 at 8.13.07 PM.png

Introducing Botgram, the epitome of innovation in the world of international diplomacy! Because who needs secure channels and established communication protocols when you can have a Windows app to send your messages across the Kremlin? Move over, traditional methods of discreet communication, because Botgram is here to revolutionize the way political intrigue and sensitive information are handled.
Recording 2023-08-28 234543 (2).gif

Oh, as if mere chatting with our buddies wasn’t enough entertainment! We’ve taken it upon ourselves to become the ultimate surveillance overlords using the mystical powers of Thinkst Canary tokens . Why settle for casual conversation when you can become Sherlock Holmes on steroids, tracking our pals and their epic journey back home post a wild vodka weekend at the local dive?

Screen Shot 2023-08-28 at 2.00.44 PM.png

I am not releasing the code or binary for Botgram because it contains vital information about the inner workings of the trojan. If I were to do so, it would likely lead to malware authors upgrading their codebase, rendering security tools ineffective, and thus jeopardizing many innocent users to infection. However, if you want the tool, you can direct message me on Twitter. If the request comes from a trusted party, I would be more inclined to share it. #

Technical Details #

The attribution of malware authors is a challenge that cybersecurity experts navigate with painstaking precision. Unmasking the individuals or groups behind malicious code involves a complex blend of digital forensics, behavioral analysis, and geopolitical awareness.

Malware authors adeptly cloak themselves within intricate networks, evading conventional detection methods and perpetually eluding the grasp of those seeking to trace their elusive digital footprints. Often times it requires way more technical mastery to track them via attribution , code similarity and threat intelligence .

We can think of attack surface discovery in this case; essentially, this is not a defensive method. Uncovering the attacker itself is an offense.

In this realm of attack surface, we need a way to:

An interesting code I observed while reversing the Tofsee botnet is where it registers an exception handler using SetUnhandledExceptionFilter(). By using the SetUnhandledExceptionFilter function, malware developers can provide their own custom exception handler function, which will be called when an unhandled exception occurs – essentially a crash. Let’s try to see how the data for the crash is collected.

carbon (2).png

A plethora of information regarding the crash is collected here. Information is segregated with a key-value pair. Reversing the above-mentioned code gives a clear understanding of each parameter and its subsequent meaning.


Screen Shot 2023-08-25 at 11.49.05 PM.png

This packet is stored in Inmemory Config DB of tofsee and is defined in the memory as

carbon (9).png

This data is stored in localcfg config store with a name except_info

Screen Shot 2023-08-17 at 8.14.09 PM.png

And while cross-referencing this name, if it happens to be used at one more location in the binary, perhaps in the place where the crash data is uploaded back to the botnet C2.

Screen Shot 2023-08-17 at 9.02.50 PM.png

Explaining the custom Tofsee protocol would be quite lengthy for this blog; therefore, we’ll focus solely on the relevant information. The information request packet received from the C2 back to the infected host is referred to as the OP1_REQUEST. It’s identified by operation number 1.

OP1 is a request from the C2 to gather information either from the main loader or any plugin. This is determined by MainMod_opTypeMask or Plugin_opTypeMask.

struct InfoRequest_op4
{
    int MainMod_opTypeMask;
    int Plugin_opTypeMask;
    int UK[3];
};

Looking at the binary, we immediately notice that MainMod_opTypeMask is compared against various binary masks. Each of these masks represents a request for information that the botnet initiates. The full list of MainMod_opTypeMask includes the following request types:

carbon (5).png

Screen Shot 2023-08-17 at 10.05.36 PM.png

So, if the 9th bit is set as 0b100000000, then we proceed to construct a packet. This packet is then encrypted using the Tofsee algorithm and subsequently sent back to the C2 server. The packet follows the structure outlined below, ensuring that the message is successfully transmitted:
carbon (6).png

Instead of sending a text message, we can include a link in the message. This link would be displayed in the web console of the bot owner. The bot owner might click on it – in my case, the bot owner actually did click on it. The service I used was CanaryTokens, which generates a unique link. If this link is visited, it sends a notification via email, including metadata about the person who clicked on the link, such as their IP address, location, user agent, etc.

Screen Shot 2023-08-29 at 12.35.45 AM.png

 
7
Kudos
 
7
Kudos

Now read this

Understanding Neverquest Banking Trojan Polymorphic Engine

Neverquest packer uses polymorphic engine and junk code in its important subroutines. By using polymorphic engine to some extent static signature rules will fail. For example you can see the difference in between two main decoding... Continue →