TelegramRAT Scurries Around Defenses Via the Cloud

A remote access trojan called TelegramRAT has been spotted that uses the Telegram Messenger application for its command and control and Dropbox to host its payload.

According to Netskope Threat Research Labs, this approach helps the RAT to successfully dupe defenses.

“TelegramRAT offers another unfortunate instance of attackers recognizing that the cloud can be leveraged to evade many traditional security scanners,” said Netskope researcher Umesh Wanve, in a blog. “By making itself cloud-native, TelegramRAT uses one cloud application for its payload host, and another for its C&C operation. This cloud application splicing offers resilience to the attack, and requires security scanners to be able to discern cloud application instances, and to inspect SSL traffic to be effective.”

TelegramRAT begins its attack as a malicious Microsoft Office document exploiting CVE-2017-11882, the vulnerability patched in November that lies in the font name field of an MTEF record. The document then uses the Bit.ly URL redirection service to conceal the TelegramRAT payload hosted on Dropbox.

Interestingly, the payload executable is relatively large in size.

“[This] makes it less suspicious, as a number of security solutions do not scan such large files,” Wanve explained.

When a system is infected with TelegramRAT, it connects to the bot's Telegram channel over HTTPS to receive commands and send responses to the attacker. The attacker can then connect to the same channel and use simple instructions to manage the TelegramRAT clients on the infected hosts.

To help protect against the threat, organizations should enforce policy on the use of unsanctioned services, as well as on unsanctioned instances of sanctioned cloud services. Wanve said a few policies in particular can help: all uploads from unmanaged and remote devices to sanctioned cloud applications should be scanned for malware, as should all downloads from unsanctioned cloud applications. Companies can also enforce quarantine or block actions on malware detection to reduce user impact, and enforce DLP policies to control files and data en route to or from the corporate environment.
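As an added illustration of the detection and policy points above (example code written for this article, not Netskope's or Infosecurity Magazine's), the following Python snippet runs simple checks over constructed proxy log lines: it flags a Bit.ly redirect followed by a large executable download from Dropbox, Telegram bot API traffic, and any download from an unsanctioned cloud application that policy says should be scanned. The log format, the hosts treated as unsanctioned and the size threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines for this example (not from the article):
# <timestamp> <user> <managed|unmanaged> <method> <url> <bytes>
SAMPLE_LOGS = [
    "2017-12-01T10:00:01Z alice managed GET https://bit.ly/2xAbCdE 0",
    "2017-12-01T10:00:02Z alice managed GET https://www.dropbox.com/s/abcd1234/update.exe?dl=1 14680064",
    "2017-12-01T10:00:40Z alice managed POST https://api.telegram.org/botXXXX/getUpdates 512",
    "2017-12-01T10:05:00Z bob unmanaged GET https://www.dropbox.com/s/zzzz9999/report.pdf 204800",
    "2017-12-01T10:06:00Z carol managed GET https://www.google.com/ 1024",
]

LINE = re.compile(r"^(\S+) (\S+) (managed|unmanaged) (\S+) (\S+) (\d+)$")
SHORTENERS = {"bit.ly"}
UNSANCTIONED = {"www.dropbox.com", "api.telegram.org"}  # assumption: not approved apps
EXE_SUFFIXES = (".exe", ".dll", ".scr")
LARGE_BYTES = 8 * 1024 * 1024  # assumption: "large" payload threshold, ~8 MiB


def host_and_path(url):
    """Split a URL into (lower-cased host, path without query string)."""
    m = re.match(r"https?://([^/]+)(/[^?]*)?", url)
    return m.group(1).lower(), (m.group(2) or "/")


def detect(lines, window=timedelta(seconds=30)):
    """Return (user, alert) tuples for the patterns described in the article."""
    last_shortener = {}  # user -> time of last URL-shortener request
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, method, url, size = m.group(2), m.group(4), m.group(5), int(m.group(6))
        host, path = host_and_path(url)
        if host in SHORTENERS:
            last_shortener[user] = ts
        # Policy: every download from an unsanctioned cloud app gets scanned.
        if host in UNSANCTIONED and method == "GET":
            alerts.append((user, "scan-download-unsanctioned-app"))
        # Chain: shortener redirect -> large executable fetched from Dropbox shortly after.
        if host == "www.dropbox.com" and path.lower().endswith(EXE_SUFFIXES):
            recent = user in last_shortener and ts - last_shortener[user] <= window
            if recent and size >= LARGE_BYTES:
                alerts.append((user, "shortener-to-cloud-large-executable"))
        # Telegram bot API endpoints are the RAT's C&C channel.
        if host == "api.telegram.org" and path.startswith("/bot"):
            alerts.append((user, "telegram-bot-api-traffic"))
    return alerts
```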

This particular payload has been reported to Dropbox and it has been taken down, Wanve said—although there’s no reason to think another payload won’t be stood up elsewhere.
