# The rise of TeleBots: Analyzing disruptive KillDisk attacks **welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks** December 13, 2016 ESET's Anton Cherepanov analyzes the work of TeleBots, a malicious toolset that was used in focused cyberattacks against targets in Ukraine's financial sector. [Anton Cherepanov](https://www.welivesecurity.com/author/acherepanov/) 13 Dec 2016 - 06:00PM ESET’s Anton Cherepanov analyzes the work of TeleBots, a malicious toolset that was used in focused cyberattacks against targets in Ukraine’s financial sector. In the second half of 2016, ESET researchers identified a unique malicious toolset that was used in targeted cyberattacks against high-value targets in the Ukrainian financial sector. We believe that the main goal of attackers using these tools is cybersabotage. This blog post outlines the details about the campaign that we discovered. ----- e e e to t e ga g be d t e a a e as e e ots o e e t s po ta t to say t at t ese attac e s, a d t e too set used, s a e a [number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) [January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.](http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/) ## Infection vector As with campaigns attributed to BlackEnergy group the attackers used spearphishing emails with Microsoft Excel documents attached that contain malicious macros as an initial infection vector. This time malicious documents don’t have any content with social engineering directing potential victims to click an Enable Content button. It seems that the attackers are depending on the victims to decide entirely on their own whether to click it or not. Figure 1: One example of a malicious XLS document used in the spear phishing attack. Figure 1: One example of a malicious XLS document used in the spearphishing attack. Usually, the malicious documents don’t contain meaningful information in the metadata, but this time the metadata of the document contains the nickname of the person who is responsible for its modification. Moreover, this nickname matches that of an individual who is actively communicating within a Russian-speaking community of cybercriminals. However, we should say that it is possible that this was intended deceptively as a false flag or a coincidence. ----- gu e etadata e ea s at might be the attacker's nickname. Figure 2: Metadata reveals what might be the attacker’s nickname. Once a victim clicks on the Enable Content button, Excel executes the malicious macro. Our analysis shows that the code of the macro used in TeleBots documents matches the macro code that was used by the BlackEnergy group in 2015. Figure 3 illustrates these similarities. The main purpose of the macro is to drop a malicious binary using the explorer.exe filename and then to execute it. The dropped binary belongs to a trojan downloader family, its main purpose being to download and execute another piece of malware. This trojan downloader is [written in the Rust programming language.](https://en.wikipedia.org/wiki/Rust_(programming_language)) It should be noted that during the first stages of the attack, the TeleBots group abuse various legitimate servers in order to hide malicious activity in the network. For example, the trojan downloader fetches data from a hardcoded URL that points to a text file on the putdrive.com service (which allows anyone to upload and share files online). The text file that is hosted on the online service is a final payload, encoded using the Base64 algorithm. [The final payload is a backdoor written in Python and detected as the Python/TeleBot.AA trojan. This backdoor is the main piece of malware](http://www.virusradar.com/en/Python_TeleBot.AA/description) used by these attackers, which is why we’ve named the TeleBots group as such. Figure 3: Similarities between malicious macro code used by BlackEnergy and TeleBots. Figure 3: Similarities between malicious macro code used by BlackEnergy and TeleBots. ## Python/TeleBot.AA backdoor [In January 2016 we published our analysis of a spearphishing attack against energy companies in Ukraine. That attack probably has a](http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/) connection to the infamous BlackEnergy attacks in 2015 because the attackers used exactly the same mail server to send spearphishing messages. However, the attacks in January 2016 were different. Instead of using the BlackEnergy malware family, the attackers used a relatively simple open-source backdoor, written in the Python programming language, called GCat. The Python code of the GCat backdoor [was obfuscated, then converted into a stand-alone executable using the PyInstaller program.](http://www.pyinstaller.org/) The Python/TeleBot malware uses exactly the same approach; the Python backdoor code is obfuscated and packed into a standalone executable using PyInstaller. In addition, the Python code is ROT13 encoded, AES encrypted, compressed using zlib library and then Base64 encoded. ----- ut at ea y a es t s bac doo te est g s t e ay c t co u cates t attac e s o de to ece e co a ds [Python/TeleBot abuses the Telegram Bot API from](https://core.telegram.org/bots/api) [Telegram Messenger to communicate with the attackers. The Telegram Bot API is based](https://telegram.org/) on HTTP and to a network administrator within a compromised network, the communication between the infected computer and the attackers will look like HTTP(S) communication with a legitimate server, specifically api.telegram.org. We have informed Telegram of this abuse of their communication platform. Figure 4: The Python/TeleBot.AA malware code that uses Telegram Bot API. Figure 4: The Python/TeleBot.AA malware code that uses Telegram Bot API. Each of the samples we discovered has a unique token embedded in its code, which means that each sample uses its own Telegram Messenger account. Python/TeleBot uses private chats for communicating with the cybercriminals. This scheme allows the control of infected computers through any device with Telegram Messenger installed, even from a smartphone, just by issuing commands via chat. The Python/TeleBot malware has support for following commands: **Command** **Purpose** cmd|| %shellcmd% Executes shell command and sends result in chat cmdd|| %shellcmd% Executes shell command but does not send result in chat getphoto|| %path% Uploads picture from infected computer to chat getdoc|| %path% Uploads any type of file up to 50 MB in size to chat forcecheckin|| %random% Collects Windows version, platform (x64 or x86), current privileges time|| %seconds% Changes interval between execution of commands ss|| Captures screenshot (not implemented) In addition, the malware automatically saves all incoming files from the attacker to its own folder. By this means, attackers can push additional malicious tools to an infected computer. During our research, we were able to find a Telegram account belonging to one of the attackers. ----- gu e 5 o e o o e o t e attac e s Telegram Messenger. Figure 5: Profile of one of the attackers in Telegram Messenger. It should be noted that the Telegram Bot API was not the only legitimate protocol that was used by these attackers. We have seen at least one sample of this backdoor that uses an outlook.com mailbox as C&C. ## Password stealing malicious tools After successful compromise of the network, attackers use various malicious tools in order to collect passwords, allowing them to subsequently perform a lateral movement within the compromised LAN. A string, that contains a PDB-path to debug symbols, suggests one such tool was named CredRaptor by the attackers. This tool collects saved passwords from various browsers such as Google Chrome, Internet Explorer, Mozilla Firefox, and Opera. Figure 6: PDB-Path reveals the name of the password stealer. Figure 6: PDB-Path reveals the name of the password stealer. ----- e attac e s a e us g a too t a e p a p d o de to du p do s c ede t a s o e o y s too s a s g t y od ed e s o of the open-source project mimikatz. In addition to plainpwd and CredRaptor the toolkit includes a keylogger. The keylogger uses a standard technique to capture keystrokes, specifically the SetWindowsHookEx function. In order to also sniff passwords in network traffic, the attackers use a console version of Interceptor-NG. Since it requires WinPcap drivers to be installed, the attackers made a custom tool to install them silently. Figure 7: Intercepter-NG password sniffing tool. Figure 7: Intercepter-NG password sniffing tool. The combined use of all these tools allows attackers to gain a foothold in a compromised network, with the objective of gaining full control by obtaining domain administrator privileges. ## LDAP query tool Another interesting discovery was a tool that was used during attacks to make queries to Active Directory using LDAP. This tool is able to dump detailed information about computers and usernames listed in Active Directory, and is tailored for a specific victim’s domain. ----- gu e 8 sasse b ed code o t e ta o ed que y too Figure 8: Disassembled code of the tailored LDAP query tool. ## Additional backdoor Further research revealed that the attackers deployed additional backdoors in order to regain access to the compromised network, should their main Python/TeleBot backdoor be discovered and removed. This additional backdoor is written in VBS and some samples we discovered were packaged using the script2exe program. ----- gu e 9 Sou ce code o add t o a bac doo tte S Figure 9: Source code of additional backdoor written in VBS. There are several samples of this VBS backdoor, but all of them have pretty straightforward functionality. The backdoor sends the computer name and MAC address of the computer executing it to its C&C server using HTTP. The variable timeout defines the period of time in minutes between calls to the server. The server can push additional commands for execution. Here is a list of supported commands: **Command** **Purpose** !cmd Executes shell command and sends results back to the server !cmdd Executes shell command but does not send result back to the server !dump DecodesBase64 data and saves it to %TEMP% folder ----- **Command** **Purpose** !timeout Defines a new timeout between calls to server !bye Quits !kill Quits and deletes itself !up Uploads file from agent computer to C&C server ## BCS-server The attackers also used a malicious tool that they named BCS-server. This tool allows them to open a tunnel into an internal network and then this tunnel can be used to send and receive data between the C&C server and even non-infected computers in the network. The main [idea of this tool is based on the same principles as the XTUNNEL malware used by the Sednit group.](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf#36) During our analysis we discovered that the attackers used a guide for this specific tool. Interestingly, the guide was written in Russian. Figure 10: Guide for BCS-server in Russian. Figure 10: Guide for BCS-server in Russian. The guide in Russian can be roughly translated as: _Parameters_ _-saddr – address of BCS server_ _-hport – port of a host, which we did setup on the server, this how we bypass firewall_ _Examples:_ _phost_win.exe –saddr=10.10.10.10 –hport=80_ _Debug versions:_ _phost_cnv.exe – console version_ _phost_win_log.exe – version that logs to file_ So attackers specify an external C&C server in the command line and the tool connects to this server using HTTP. This remote server is used as a proxy by attackers: the connection that goes to this server is redirected to the internal network by the tool and any response that the tool gets from a computer in the internal network goes to the C&C server. Thus, attackers can communicate with internal servers that are normally unreachable from the internet. The communication traffic between the BCS-server tool and the C&C server is base64 encoded and encapsulated in HTML tags. ----- gu e e captu ed a ds a e o CS se e too a d C&C server. Figure 11: The captured handshake of BCS-server tool and C&C server. ## KillDisk The KillDisk is a destructive component that is used by these attackers as the final stage of an attack. Previous versions of this component [were used in attacks against media companies in November 2015 and against power grid companies in Ukraine in December 2015.](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) KillDisk is designed to run with high privileges, this time it registers itself as a service under Plug-And-Play Support name. Since at the final stage attackers have probably collected network administrator level credentials, that’s why they are using Microsoft PsExec in order to execute KillDisk with the highest possible privileges on servers and workstations. The attackers may specify an activation date of KillDisk via the command line. However, one of the samples had a predefined activation time that is set to 9:30am, 6 December 2016. There are improvements in the code, however the main idea of KillDisk hasn’t change so much – it deletes important system files and makes computer unbootable. Beside that it also overwrites files with specific file extensions – those defined by the malware authors in this version of KillDisk are: .kdbx .bak .back .dr .bkf .cfg .fdb .mdb .accdb .gdb .wdb .csv .sdf .myd .dbf .sql .edb .mdf .ib .db3 .db4 .accdc .mdbx .sl3 .sqlite3 .nsn .dbc .dbx .sdb .ibz .sqlite .pyc .dwg .3ds .ai .conf .my .ost .pst .mkv .mp3 .wav .oda .sh .py .ps .ps1 .php .aspx .asp .rb .js .git .mdf .pdf .djvu .doc .docx .xls .xlsx .jar .ppt .pptx .rtf .vsd .vsdx .jpeg .jpg .png .tiff .msi .zip .rar .7z .tar .gz .eml .mail .ml .ova .vmdk .vhd .vmem .vdi .vhdx .vmx .ovf .vmc .vmfx .vmxf .hdd .vbox .vcb .vmsd .vfd .pvi .hdd .bin .avhd .vsv .iso .nrg .disk .hdd .pmf .vmdk .xvd The KillDisk malware may create new, small files instead of deleted ones with the exact same filename and these new files will contain one of [two strings mrR0b07 or fS0cie7y instead of the original content. This is not the only reference to the Mr. Robot TV show, in addition this](http://www.welivesecurity.com/2016/07/23/researching-mr-robot-elliots-world-cybersecurity-comic-con/) KillDisk variant displays the picture that is illustrated in Figure 12. ----- gu e ctu e d sp ayed by s co po e t Figure 12: Picture displayed by KillDisk component. Interestingly, the KillDisk malware does not store this picture anywhere: rather it has code that draws this picture in real-time using the Windows GDI. It looks like attackers put a lot of effort just to make the code that draws this picture. ## Conclusion The cybercriminals behind these targeted attacks demonstrate serious intention to conduct cybersabotage attacks. To be able to mount such attacks, they are constantly inventing new malware and techniques, such as the use of the Telegram Bot API instead of a more conventional C&C server for example. _Special thanks to David Gabris for help with the analysis._ ## Indicators of Compromise (IoC) TeleBots IoCs are also available on ESET’s [GitHub repository.](https://github.com/eset/malware-ioc/tree/master/telebots) **ESET detection names:** ----- / oja oppe ge t S t oja Win32/TrojanDownloader.Agent.CWY trojan Python/TeleBot.AA trojan Python/Agent.Q trojan Python/Agent.AE trojan Python/Agent.AD trojan VBS/Agent.AQ trojan VBS/Agent.AO trojan VBS/Agent.AP trojan Win32/HackTool.NetHacker.N trojan Win32/HackTool.NetHacker.O trojan Win32/PSW.Agent.OCO trojan Win64/Riskware.Mimikatz.H application Win32/RiskWare.Mimikatz.I application Win32/PSW.Delf.OQU trojan Win32/PSW.Agent.OCP trojan Win64/Spy.KeyLogger.G trojan Win32/KillDisk.NBH trojan Win32/KillDisk.NBI trojan **C&C Servers:** 93.190.137.212 95.141.37.3 80.233.134.147 **Legitimate servers abused by malware authors:** srv70.putdrive.com (IP: 188.165.14.185) api.telegram.org (IP: 149.154.167.200, 149.154.167.197, 149.154.167.198, 149.154.167.199) smtp-mail.outlook.com (IP: 65.55.176.126) **XLS documents with malicious macro SHA-1:** 7FC462F1734C09D8D70C6779A4F1A3E6E2A9CC9F C361A06E51D2E2CD560F43D4CC9DABE765536179 **Win32/TrojanDownloader.Agent.CWY SHA-1:** F1BF54186C2C64CD104755F247867238C8472504 **Python/TeleBot.AA backdoor SHA-1:** 16C206D9CFD4C82D6652AFB1EEBB589A927B041B 1DC1660677A41B6622B795A1EB5AA5E5118D8F18 26DA35564D04BB308D57F645F353D1DE1FB76677 30D2DA7CAF740BAAA8A1300EE48220B3043A327D 385F26D29B46FF55C5F4D6BBFD3DA12EB5C33ED7 4D5023F9F9D0BA7A7328A8EE341DBBCA244F72C5 57DAD9CDA501BC8F1D0496EF010146D9A1D3734F 68377A993E5A85EB39ADED400755A22EB7273CA0 77D7EA627F645219CF6B8454459BAEF1E5192467 7B87AD4A25E80000FF1011B51F03E48E8EA6C23D 7C822F0FDB5EC14DD335CBE0238448C14015F495 86ABBF8A4CF9828381DDE9FD09E55446E7533E78 9512A8280214674E6B16B07BE281BB9F0255004B B2E9D964C304FC91DCAF39FF44E3C38132C94655 FE4C1C6B3D8FDC9E562C57849E8094393075BC93 **VBS backdoors SHA-1:** F00F632749418B2B75CA9ECE73A02C485621C3B4 06E1F816CBAF45BD6EE55F74F0261A674E805F86 35D71DE3E665CF9D6A685AE02C3876B7D56B1687 F22CEA7BC080E712E85549848D35E7D5908D9B49 C473CCB92581A803C1F1540BE2193BC8B9599BFE ----- **CS se** **e S** 4B692E2597683354E106DFB9B90677C9311972A1 BF3CB98DC668E455188EBB4C311BD19CD9F46667 **Modified Mimikatz SHA-1:** B0BA3405BB2B0FA5BA34B57C2CC7E5C184D86991 AD2D3D00C7573733B70D9780AE3B89EEB8C62C76 D8614BC1D428EBABCCBFAE76A81037FF908A8F79 **LDAP query tool SHA-1:** 81F73C76FBF4AB3487D5E6E8629E83C0568DE713 **CredRaptor password stealer SHA-1:** FFFC20567DA4656059860ED06C53FD4E5AD664C2 58A45EF055B287BAD7B81033E17446EE6B682E2D **Win64/Spy.KeyLogger.G trojan SHA-1:** 7582DE9E93E2F35F9A63B59317EBA48846EEA4C7 **Intercepter-NG and silent WinPCAP installer SHA-1:** 64CB897ACC37E12E4F49C4DA4DFAD606B3976225 A0B9A35675153F4933C3E55418B6566E1A5DBF8A **Win32/KillDisk SHA-1:** 71A2B3F48828E4552637FA9753F0324B7146F3AF 8EB8527562DDA552FC6B8827C0EBF50968848F1A 13 Dec 2016 - 06:00PM ### Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center Newsletter Similar Articles ----- [TeleBots](https://www.welivesecurity.com/category/telebots/) **[TeleBots are back: Supply-chain attacks against Ukraine](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/)** ### Discussion -----