How I Contacted Russian Hackers Via Telegram
Furthermore, Tracing Their Geographic Coordinates #
Introducing Botgram, the epitome of innovation in the world of international diplomacy! Because who needs secure channels and established communication protocols when you can have a Windows app to send your messages across the Kremlin? Move over, traditional methods of discreet communication, because Botgram is here to revolutionize the way political intrigue and sensitive information are handled.
Oh, as if mere chatting with our buddies wasn’t enough entertainment! We’ve taken it upon ourselves to become the ultimate surveillance overlords using the mystical powers of Thinkst Canary tokens. Why settle for casual conversation when you can become Sherlock Holmes on steroids, tracking our pals on their epic journey back home after a wild vodka weekend at the local dive?
I am not releasing the code or binary for Botgram because it contains vital information about the inner workings of the trojan. If I were to do so, it would likely lead to the malware authors upgrading their codebase, rendering security tools ineffective and exposing many innocent users to infection. However, if you want the tool, you can direct message me on Twitter. If the request comes from a trusted party, I would be more inclined to share it.
Technical Details #
The attribution of malware authors is a challenge that cybersecurity experts navigate with painstaking precision. Unmasking the individuals or groups behind malicious code involves a blend of digital forensics, behavioral analysis, and geopolitical awareness.
Malware authors cloak themselves within layered infrastructure, evading conventional detection methods and eluding those seeking to trace their digital footprints. Tracking them through attribution, code similarity and threat intelligence often requires far more technical mastery than the analysis of the malware itself.
We can think of this as attack surface discovery, but aimed at the operator; it is not a defensive method. Uncovering the attacker is itself an offensive act.
In this realm of attack surface, we need a way to:
- Find areas in the binary code where data is uploaded to the C2 server.
- Make sure that data is important enough that the malware author is forced to examine it.
An interesting piece of code I observed while reversing the Tofsee botnet is where it registers an exception handler using `SetUnhandledExceptionFilter()`. By calling `SetUnhandledExceptionFilter`, malware developers can install their own top-level exception handler, which is invoked when an unhandled exception occurs, essentially a crash. Let’s look at how the data for the crash is collected.
A plethora of information regarding the crash is collected here, stored as key-value pairs. Reversing the above-mentioned code gives a clear understanding of each parameter and its meaning.
This record is stored in the in-memory config DB of Tofsee and is defined in memory as shown below.
The data lives in the `localcfg` config store under the name `except_info`.
Cross-referencing this name leads to one more location in the binary, which turns out to be the place where the crash data is uploaded back to the botnet C2.
Explaining the custom Tofsee protocol would be quite lengthy for this blog; therefore, we’ll focus solely on the relevant information. The information request packet received from the C2 by the infected host is referred to as `OP1_REQUEST`. It’s identified by operation number 1.
`OP1` is a request from the C2 to gather information either from the main loader or from any plugin. Which one is determined by `MainMod_opTypeMask` or `Plugin_opTypeMask`.
```c
struct InfoRequest_op4
{
    int MainMod_opTypeMask;   /* bitmask of info requested from the main loader */
    int Plugin_opTypeMask;    /* bitmask of info requested from plugins */
    int UK[3];                /* three fields of unknown purpose */
};
```
Looking at the binary, we immediately notice that MainMod_opTypeMask
is compared against various binary masks. Each of these masks represents a request for information that the botnet initiates. The full list of MainMod_opTypeMask
includes the following request types:
- 0x01 – plugin metadata
- 0x04 – Send circular Config
- 0x40 – Send Debug log
- 0x80 – Send ver=%d lid=%d.win=%X/%d sid=%s.rep=%s
- 0x100 – Send Exception info ( crash info )
- 0x400 – Send Binary file Info
The 0x100 request (send exception info, i.e. crash info) stands out distinctly. To reach this specific code branch, the ninth bit of `MainMod_opTypeMask` (0x100, bit 8 counting from zero) must be set in the request received from the C2 server.
So, if that bit is set (0b100000000), the bot proceeds to construct a packet. This packet is then encrypted using the Tofsee algorithm and sent back to the C2 server. The packet follows the structure outlined below, ensuring that the message is successfully transmitted:
Instead of sending plain text in the message, we can include a link. This link is displayed in the web console of the bot owner, who might click on it; in my case, the bot owner actually did click on it. The service I used was CanaryTokens, which generates a unique link. If this link is visited, it sends a notification via email, including metadata about the person who clicked on the link, such as their IP address, location, user agent, etc.
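The following is an added example, not code from the original post or from Tofsee itself, that ties the two steps above together: decoding an `OP1` request from its wire bytes and checking the 0x100 bit, then building an `except_info`-style key-value blob in which one value is replaced by the canary link. The mask constants are the ones listed on the page; the field names in the crash blob (`code`, `addr`, `module`), the 20-byte little-endian layout assumed for the request, the sample request bytes and the canary URL are all constructed assumptions for illustration, and the Tofsee encryption step is deliberately not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Request-type bits of MainMod_opTypeMask, as listed in the post. */
#define OP1_PLUGIN_METADATA 0x001
#define OP1_CIRCULAR_CONFIG 0x004
#define OP1_DEBUG_LOG       0x040
#define OP1_VERSION_INFO    0x080   /* ver=%d lid=%d.win=%X/%d sid=%s.rep=%s */
#define OP1_EXCEPT_INFO     0x100   /* except_info (crash info) */
#define OP1_BINARY_INFO     0x400

/* Same layout as the struct in the post, with fixed-width fields. */
struct InfoRequest_op4 {
    int32_t MainMod_opTypeMask;
    int32_t Plugin_opTypeMask;
    int32_t UK[3];
};

static int32_t rd32le(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Decode a 20-byte OP1 body (assumed little-endian). Returns -1 if too short. */
int parse_op1_request(const uint8_t *buf, size_t len, struct InfoRequest_op4 *req) {
    if (len < 20) return -1;
    req->MainMod_opTypeMask = rd32le(buf);
    req->Plugin_opTypeMask  = rd32le(buf + 4);
    for (int i = 0; i < 3; i++) req->UK[i] = rd32le(buf + 8 + 4 * i);
    return 0;
}

/* Is the C2 asking for the crash record? (ninth bit, 0x100) */
int wants_except_info(const struct InfoRequest_op4 *req) {
    return (req->MainMod_opTypeMask & OP1_EXCEPT_INFO) != 0;
}

/* Build the crash blob as "key=value\n" lines. Key names are hypothetical;
 * the post says the record is key-value but does not list the keys. The
 * 'module' value carries the canary URL instead of a faulting module name,
 * so it is rendered verbatim in the operator's web console. Returns the
 * length written, or 0 if the buffer is too small. */
size_t build_except_info(char *out, size_t cap, uint32_t exception_code,
                         uint32_t fault_addr, const char *canary_url) {
    int n = snprintf(out, cap, "code=0x%08X\naddr=0x%08X\nmodule=%s\n",
                     (unsigned)exception_code, (unsigned)fault_addr, canary_url);
    if (n < 0 || (size_t)n >= cap) return 0;
    return (size_t)n;
}

/* Constructed sample request: MainMod_opTypeMask = 0x180 (0x80 | 0x100). */
static const uint8_t sample_request[20] = {
    0x80, 0x01, 0x00, 0x00,   /* MainMod_opTypeMask */
    0x00, 0x00, 0x00, 0x00,   /* Plugin_opTypeMask  */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0   /* UK[3] */
};

int main(void) {
    struct InfoRequest_op4 req;
    char blob[256];
    if (parse_op1_request(sample_request, sizeof sample_request, &req) != 0)
        return 1;
    if (wants_except_info(&req)) {
        /* Hypothetical canary URL; a real one comes from canarytokens.org. */
        build_except_info(blob, sizeof blob, 0xC0000005u, 0x00401000u,
                          "http://canary.example/abc");
        fputs(blob, stdout);   /* this is what would be encrypted and sent */
    }
    return 0;
}
```

Only the `module` value is swapped; the other fields keep plausible crash values so the record still looks like a normal except_info entry when the operator opens it.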