Furthermore, Tracing Their Geographic Coordinates #
Introducing Botgram, the epitome of innovation in the world of international diplomacy! Because who needs secure channels and established communication protocols when you can have a Windows app to send your messages across the Kremlin? Move over, traditional methods of discreet communication, because Botgram is here to revolutionize the way political intrigue and sensitive information are handled.
Marvel at the sophistication of Botgram, meticulously crafted using the pinnacle of technological advancement: pure Windows API. None of that fancy-schmancy modern programming nonsense – just good old Windows API that your grandparents might recognize. Who needs efficiency and modern design when you can revel in the nostalgic embrace of outdated software development?
Oh, as if mere chatting with our buddies wasn’t enough entertainment! We’ve taken it upon ourselves to become the ultimate surveillance overlords using the mystical powers of Thinkst Canary tokens . Why settle for casual conversation when you can become Sherlock Holmes on steroids, tracking our pals and their epic journey back home post a wild vodka weekend at the local dive?
I am not releasing the code or binary for Botgram because it contains vital information about the inner workings of the trojan. If I were to do so, it would likely lead to malware authors upgrading their codebase, rendering security tools ineffective, and thus jeopardizing many innocent users to infection. However, if you want the tool, you can direct message me on Twitter. If the request comes from a trusted party, I would be more inclined to share it. #
Technical Details #
The attribution of malware authors is a challenge that cybersecurity experts navigate with painstaking precision. Unmasking the individuals or groups behind malicious code involves a complex blend of digital forensics, behavioral analysis, and geopolitical awareness.
Yet, the shifting sands of cyberspace further complicate the landscape. Malware authors adeptly exploit anonymizing technologies, launch attacks from compromised systems, or even operate within jurisdictions that turn a blind eye to their activities. The very nature of the internet enables remote operations, allowing perpetrators to strike continents away from their physical location.
Malware authors adeptly cloak themselves within intricate networks, evading conventional detection methods and perpetually eluding the grasp of those seeking to trace their elusive digital footprints. Often times it requires way more technical mastery to track them via attribution , code similarity and threat intelligence . This process is tidious and often result in discrepancies . Using all these method is a first thought , but In this blog I am thiking little out of the box .
We can think of attack surface discovery in this case; essentially, this is not a defensive method. Uncovering the attacker itself is an offense.
In this realm of attack surface, we need a way to:
- Find areas in the binary code where data is uploaded to the C2 server.
- This data must be critical and must force the malware author to examine it.
An interesting code I observed while reversing the Tofsee botnet is where it registers an exception handler using SetUnhandledExceptionFilter(). By using the SetUnhandledExceptionFilter function, malware developers can provide their own custom exception handler function, which will be called when an unhandled exception occurs – essentially a crash. Let’s try to see how the data for the crash is collected.
A plethora of information regarding the crash is collected here. Information is segregated with a key-value pair. Reversing the above-mentioned code gives a clear understanding of each parameter and its subsequent meaning.
This packet is stored in Inmemory Config DB of tofsee and is defined in the memory as
This data is stored in localcfg config store with a name except_info
And while cross-referencing this name, if it happens to be used at one more location in the binary, perhaps in the place where the crash data is uploaded back to the botnet C2.
Explaining the custom Tofsee protocol would be quite lengthy for this blog; therefore, we’ll focus solely on the relevant information. The information request packet received from the C2 back to the infected host is referred to as the OP1_REQUEST. It’s identified by operation number 1.
OP1 is a request from the C2 to gather information either from the main loader or any plugin. This is determined by MainMod_opTypeMask or Plugin_opTypeMask.
struct InfoRequest_op4
{
int MainMod_opTypeMask;
int Plugin_opTypeMask;
int UK[3];
};
Looking at the binary, we immediately notice that MainMod_opTypeMask is compared against various binary masks. Each of these masks represents a request for information that the botnet initiates. The full list of MainMod_opTypeMask includes the following request types:
- 0x01 – plugin metadata
- 0x04 – Send circular Config
- 0x40 – Send Debug log
- 0x80 – Send ver=%d lid=%d.win=%X/%d sid=%s.rep=%s
- 0x100 – Send Exception info ( crash info )
- 0x400 – Send Binary file Info
-
0x100 - Send Exception info (crash info): This request type stands out distinctly. To reach this specific code branch, the 9th bit of
MainMod_opTypeMaskmust be set based on the request received from the C2 server.
So, if the 9th bit is set as 0b100000000, then we proceed to construct a packet. This packet is then encrypted using the Tofsee algorithm and subsequently sent back to the C2 server. The packet follows the structure outlined below, ensuring that the message is successfully transmitted:
Instead of sending a text message, we can include a link in the message. This link would be displayed in the web console of the bot owner. The bot owner might click on it – in my case, the bot owner actually did click on it. The service I used was CanaryTokens, which generates a unique link. If this link is visited, it sends a notification via email, including metadata about the person who clicked on the link, such as their IP address, location, user agent, etc.
Article Link: https://int0xcc.svbtle.com/how-to-chat-with-russian-hackers-using-telegram