Android.Backdoor.Baohuo.1.origin

Added to the Dr.Web virus database: 2025-08-01

Description added:

sha1:

  • 4410f69099a037a25e5976df04a91cee7dbfac14 (org.thunderdog.challegram)

Description

A backdoor for Android-based devices. Threat actors embedded it into a copy of the original version of the Telegram X messenger. It executes the attackers’ commands and allows them to steal victims’ confidential data and gain full control over their Telegram accounts. Android.Backdoor.Baohuo.1.origin is distributed through malicious websites and has also been detected in some third-party Android app catalogs.

Operating routine

There are several Android.Backdoor.Baohuo.1.origin versions, which differ in how they are implanted into the Telegram X app. These are the main modification types:

  • the backdoor is embedded into the main executable DEX file of the messenger;
  • the backdoor, in the form of a patch, is dynamically injected into the main executable DEX file using the LSPatch tool;
  • the backdoor is located in the app’s resources directory as a separate DEX file and is loaded dynamically.

In all of the modifications, the call to the malicious code’s initialization method is placed in the ApplicationLoader class, so Android.Backdoor.Baohuo.1.origin runs as soon as the messenger launches. The original app remains fully functional and appears harmless to the user.

Interaction with Telegram X

Android.Backdoor.Baohuo.1.origin can alter Telegram X’s functionality at the code level using the Xposed framework together with mirrors of the messenger’s methods that the malicious actors have prepared. When the backdoor needs to perform an action that is not standard for the program (such as concealing certain chats or authorized devices in its interface), it uses the framework to hook the relevant methods and change their behaviour dynamically.

If the action does not require intervention in the app’s logic, it uses the mirrors alone.

An example of a mirror:

com.ucreator.tgjar.reflect.mirror.org.telegram.tgnet.TLRPC.TL_inputChannel

To call a required method, Android.Backdoor.Baohuo.1.origin builds its name using the following algorithm.

  1. The package name that follows the mirror segment is read (for the example listed earlier, the result is org.telegram.tgnet);
  2. The name of the mirrored class is read (for the example above, the result is TLRPC.TL_inputChannel);
  3. The mirror’s method getName() returns the final name by appending the second string to the first: org.telegram.tgnet.TLRPC.TL_inputChannel.

The backdoor then resolves this class via reflection and invokes the required method.
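The three-step naming algorithm above, as an added Python example (not code from the Dr.Web report or from the backdoor itself): it resolves a mirror class name the way the description explains and, as a triage aid the report does not describe, groups every mirror found in a DEX string table by the Telegram X package it shadows. Only the TL_inputChannel mirror comes from the description; the other sample strings are illustrative.

```python
MIRROR_MARKER = "mirror"  # the package segment after which the mirrored name begins

def resolve_mirror(mirror_name: str):
    """Apply the naming algorithm from the description.

    Returns (package, class_name, full_name), or None when the string is not
    a mirror class (no 'mirror' segment, or nothing usable after it).
    """
    parts = mirror_name.split(".")
    if MIRROR_MARKER not in parts:
        return None
    rest = parts[parts.index(MIRROR_MARKER) + 1:]
    # Step 1: the package is the run of lowercase segments after 'mirror'
    pkg = []
    while rest and rest[0][:1].islower():
        pkg.append(rest.pop(0))
    # Step 2: what remains is the mirrored class (possibly nested, e.g. TLRPC.TL_inputChannel)
    if not pkg or not rest:
        return None
    package, class_name = ".".join(pkg), ".".join(rest)
    # Step 3: getName() appends the class name to the package name
    return package, class_name, f"{package}.{class_name}"

def mirrored_targets(dex_strings):
    """Group every mirror class in a DEX string table by the package it shadows,
    so an analyst can see which Telegram X APIs the backdoor reaches via mirrors."""
    by_package = {}
    for s in dex_strings:
        resolved = resolve_mirror(s)
        if resolved:
            by_package.setdefault(resolved[0], []).append(resolved[1])
    return by_package

# Constructed sample of strings as they might be dumped from the backdoor's DEX.
# The first entry is the mirror quoted in the description; the rest are illustrative.
SAMPLE_STRINGS = [
    "com.ucreator.tgjar.reflect.mirror.org.telegram.tgnet.TLRPC.TL_inputChannel",
    "com.ucreator.tgjar.reflect.mirror.org.telegram.messenger.MessagesStorage",
    "com.ucreator.tgjar.reflect.mirror.org.telegram.tgnet.ConnectionsManager",
    "java.lang.String",
    "com.ucreator.tgjar.reflect.mirror",
]
```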

The controlling mechanism

Commands are sent to the backdoor in two ways:

  • via the C2 server;
  • via the Redis database.

Earlier Android.Backdoor.Baohuo.1.origin versions were controlled only via the C2 server.

The commands and responses to them are sent in JSON format.

Android.Backdoor.Baohuo.1.origin has a built-in configuration with various parameters, including the addresses for:

  • the C2 server;
  • the Redis database;
  • the NPS server.

When launched, the backdoor receives an updated configuration from the current C2 server. It then uses this configuration to connect to the attackers’ Redis database. Upon successfully connecting to the database, the trojan receives the current C2 server and NPS server addresses.

HTTP and HTTPS protocols are used to communicate with the C2 server and the NPS server.

The NPS server

The NPS server is used to connect infected devices to the attackers’ internal network (intranet), which allows these devices to be used as a proxy for accessing the Internet and redirecting traffic. The network is based on the project https://github.com/ehang-io/nps, and a corresponding client side is added to the backdoor.

To launch the NPS client, Android.Backdoor.Baohuo.1.origin sends a request to sdk-nps[.]ips5[.]info to get a configuration with the parameters required to connect to the NPS server. At the time of the analysis, the backdoor did not connect to the server and only received a test configuration (the msg field is the escaped Chinese string 操作成功, “operation successful”):

{
  "msg": "\u64cd\u4f5c\u6210\u529f",
  "authKey": "TestAuthKey",
  "password": "123456",
  "code": 0,
  "port": "8090",
  "ip": "172[.]10.10[.]10",
  "user": "user"
}

The C2 server

The backdoor communicates with the C2 server (hpncallback[.]gold5play[.]com) via API calls. Through them, it sends the collected data to the malicious actors and informs them when commands have been executed successfully. The following API calls are used:

  • /api/AppCallback/SMS — to upload incoming SMS to the C2 server;
  • /api/AppCallback/Contacts — to upload user phonebook contacts to the C2 server;
  • /api/Callback/EncryptionData — to upload the clipboard contents to the C2 server when the messenger is minimized and returned to its window (the method onResume of the app is hooked to track this event);
  • /api/Callback/GetLoadParams — to obtain a URL from the C2 server in order to display ads, and to obtain the server address for downloading the trojan’s update in the form of a DEX executable file;
  • /api/Callback/GetSecretKey — to obtain encryption keys that are used when certain data is uploaded to the C2 server (for example, the clipboard contents);
  • /api/Callback/TgCheckReportDataCallback — to request a group of commands for collecting information about installed apps, message history, and contacts from the device’s phonebook, and about devices logged into Telegram (this request is performed every 30 minutes);
  • /api/Callback/TgCheckUpdateApp — to request a URL from the C2 server to download an update for Telegram X. When the update is installed, /api/Callback/TgInstallEventCallback is called to report on the task’s successful execution;
  • /api/Callback/TgKeepAliveStrategyCallback — to request from the C2 server a configuration that is then saved as a JSON file. For example:

          {"switch1":false,"switch2":false,"switch3":true,"switch4":true,"switch5":false,"intervalTime":30}

    The trojan only uses the intervalTime variable, which determines how much time must pass before the configuration is requested again;

  • /api/Callback/TgRedisStatusChange — to request information about the Redis database;
  • /api/Callback/TgRegisterPropertyCallback — to upload device information to the C2 server (executed whenever the messenger sends network packets);
  • /api/Xcallback/GetRobots — to obtain a list of bots that are then added to the Telegram contacts list;
  • /api/callback/TgHeartCallback — it is called every 3 minutes to upload the following data to the C2 server: the current app’s permissions, the device’s state (whether its screen is on or off, whether the app is active), and the mobile phone number with the name and password for the Telegram account;
  • /api/callback/TgGetTask — it is called every minute to request a command in the same format as the commands from Redis.
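A detection sketch over constructed proxy log lines, added here and not part of the Dr.Web description: it matches the C2 host and the API paths listed above and checks whether the periodic endpoints (TgGetTask every minute, TgHeartCallback every 3 minutes, TgCheckReportDataCallback every 30 minutes) beacon at the stated interval. The log layout, the client addresses and the tolerance value are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# C2 host and API paths from the description (the report defangs the host as
# hpncallback[.]gold5play[.]com); periods are the stated beacon intervals in seconds.
C2_HOST = "hpncallback.gold5play.com"
BEACON_PERIOD = {
    "/api/callback/TgHeartCallback": 180,
    "/api/callback/TgGetTask": 60,
    "/api/Callback/TgCheckReportDataCallback": 1800,
}
C2_PATHS = set(BEACON_PERIOD) | {
    "/api/AppCallback/SMS", "/api/AppCallback/Contacts",
    "/api/Callback/EncryptionData", "/api/Xcallback/GetRobots",
}
# Assumed proxy log layout: "<ISO timestamp> <client ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)(/\S*)")

def scan_proxy_log(lines, tolerance=0.1):
    """Flag requests to the C2 host or its API paths and report whether the
    periodic endpoints beacon at the interval the description gives."""
    seen = defaultdict(list)  # (client, path) -> request timestamps
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _, host, path = m.groups()
        if host != C2_HOST and path not in C2_PATHS:
            continue
        seen[(client, path)].append(datetime.fromisoformat(ts))
    findings = []
    for (client, path), stamps in sorted(seen.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = BEACON_PERIOD.get(path)
        periodic = bool(gaps) and period is not None and all(
            abs(g - period) <= period * tolerance for g in gaps)
        findings.append({"client": client, "path": path,
                         "hits": len(stamps), "periodic": periodic})
    return findings

# Constructed sample log (not captured traffic): one infected client, one benign one.
SAMPLE_LOG = [
    "2025-08-01T10:00:00 10.0.0.5 POST https://hpncallback.gold5play.com/api/callback/TgGetTask",
    "2025-08-01T10:00:30 10.0.0.5 POST https://hpncallback.gold5play.com/api/callback/TgHeartCallback",
    "2025-08-01T10:01:00 10.0.0.5 POST https://hpncallback.gold5play.com/api/callback/TgGetTask",
    "2025-08-01T10:02:01 10.0.0.5 POST https://hpncallback.gold5play.com/api/callback/TgGetTask",
    "2025-08-01T10:03:30 10.0.0.5 POST https://hpncallback.gold5play.com/api/callback/TgHeartCallback",
    "2025-08-01T10:03:45 10.0.0.5 POST https://hpncallback.gold5play.com/api/AppCallback/SMS",
    "2025-08-01T10:04:00 10.0.0.7 GET https://example.com/index.html",
]
```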

Control via Redis

To receive commands via Redis, Android.Backdoor.Baohuo.1.origin connects to the attackers’ corresponding server (159[.]138.237[.]10:33619), where it registers its own sub-channel linked to the infected device. Malicious actors connect to this sub-channel and post tasks in it, which are then executed by the backdoor. The following commands are supported:

  • /tg/hideChats/setBlackList and /tg/hideChats/getBlackList — create the blacklist for chats that will not be displayed to the user in the Telegram X interface;
  • /tg/hideDevice/setDeviceBlackList and /tg/hideDevice/getDeviceBlackList — conceal specified devices from the user in the list of authorized devices for their account;
  • /tg/serviceNotifications/startBlock and /tg/serviceNotifications/queryBlock — block notifications from the blacklisted chats from the list setBlackList for a specified time;
  • /tg/dialog/showUpdateApp — display a window with information about the Telegram X update (when users click it, they are redirected to a targeted website);
  • /tg/query/allPackages — upload information about all installed programs to the C2 server;
  • /tg/terminated/session — terminate the user’s current authorized Telegram session on the infected device;
  • /tg/dialog/showInstallApp — display a window with information about the Telegram X app update, where the user is asked to install an APK file (if the file is missing, the trojan downloads it first);
  • /tg/hidePremium/setFlag and /tg/hidePremium/getFlag — remove the Telegram Premium icon in the app’s interface for the current user;
  • /tg/db/queryContactsByUsers — upload to the C2 server information from the Telegram X database that stores user contacts;
  • /tg/db/queryDialogsByChats — automatically upload to the C2 server information from the Telegram X database that stores message history;
  • /tg/db/messagesStorageRawQuery — in accordance with the SQL queries specified in the command, upload to the C2 server information from the Telegram X database that stores message history;
  • /tg/channel/join — subscribe the user to a specified Telegram channel;
  • /tg/channel/leaveChannel — leave a specified Telegram channel;
  • /tg/channel/addByLink — join a specified Telegram channel on behalf of the user, using the provided URL;
  • /tg/settings/getDevices — obtain the list of devices authorized in Telegram;
  • /tg/captcha/token — request a user authentication token and upload it to the C2 server.

An example of the command:

{"cmd":20000,"path":"/tg/captcha/token","serial_no":"5228e35ac6834e57856a230e507b4b94","callback":"hxxps[:]//hpncallback[.]gold5play[.]com/api/callback/TgCommandCallback","param":{"key_id":"6LflQ8EqAAAAAE3JaczP-gBVVObsFsSe2U7yZJ6O","action":"signup","currentAccount":0,"resultType":0}}

If the value of the cmd variable differs from 20000, the command will not be executed.

The value of the serial_no variable represents the command’s serial number that is saved before its execution. If a command with such a number has been received before, the flag duplicate is set, and the corresponding information is uploaded to the C2 server via the API call /api/callback/TgReceptionCommandCallback, together with information about the device. Thus, this variable is used to report that the backdoor has successfully received the task.

The value of the variable path is the command name. Each command is linked to a certain class; depending on this name, the backdoor uses the required class.

The value of the variable param is a JSON object with the parameters for an object of the required class.

The value of the variable callback is the server address to which the packet reporting on the command’s successful execution will be sent.
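An added Python decoder (not the backdoor’s code and not from the Dr.Web report) that interprets a captured Redis task exactly as the four fields above describe: the cmd gate, serial_no duplicate tracking, dispatch by path, and the callback target. The label table and the sample task’s serial_no and key_id are constructed placeholders.

```python
import json
from urllib.parse import urlparse

EXPECTED_CMD = 20000  # the only cmd value the backdoor executes, per the description

# Subset of the Redis command paths the description lists; the labels are
# analyst annotations constructed here, not part of the report.
KNOWN_PATHS = {
    "/tg/hideChats/setBlackList": "hide chats from the user",
    "/tg/hideDevice/setDeviceBlackList": "hide authorized devices",
    "/tg/terminated/session": "terminate Telegram session",
    "/tg/db/messagesStorageRawQuery": "raw SQL over message history",
    "/tg/channel/join": "force channel subscription",
    "/tg/captcha/token": "exfiltrate authentication token",
}

def refang(url: str) -> str:
    """Turn the defanged form used in reports (hxxps, [.] and [:]) back into a parsable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

class TaskDecoder:
    """Interprets captured tasks the way the backdoor does: cmd gate,
    serial_no duplicate flag, path-to-handler lookup, callback target."""
    def __init__(self):
        self.seen_serials = set()  # serial numbers already received

    def decode(self, raw: str) -> dict:
        task = json.loads(raw)
        serial = task.get("serial_no")
        callback = task.get("callback")
        finding = {
            "path": task.get("path"),
            "label": KNOWN_PATHS.get(task.get("path"), "unlisted command"),
            "would_execute": task.get("cmd") == EXPECTED_CMD,
            "duplicate": serial in self.seen_serials,  # the flag the backdoor reports back
            "param": task.get("param", {}),
            "callback_host": urlparse(refang(callback)).hostname if callback else None,
        }
        if serial:
            self.seen_serials.add(serial)
        return finding

# Constructed task in the format the description shows; serial_no and key_id are placeholders.
SAMPLE_TASK = json.dumps({
    "cmd": 20000, "path": "/tg/captcha/token", "serial_no": "PLACEHOLDER_SERIAL_0001",
    "callback": "hxxps[:]//hpncallback[.]gold5play[.]com/api/callback/TgCommandCallback",
    "param": {"key_id": "PLACEHOLDER_KEY", "action": "signup", "currentAccount": 0, "resultType": 0},
})
```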

MITRE matrix

Initial access
  • Phishing (T1660)

Execution
  • Command and Scripting Interpreter: Unix Shell (T1623.001)
  • Scheduled Task/Job (T1603)

Persistence
  • Event Triggered Execution (T1624)
  • Broadcast Receivers (T1624.001)
  • Foreground Persistence (T1541)
  • Scheduled Task/Job (T1603)

Privilege Escalation
  • Abuse Elevation Control Mechanism (T1626)

Defense Evasion
  • Download New Code at Runtime (T1407)
  • Foreground Persistence (T1541)
  • Masquerading (T1655)
  • Match Legitimate Name or Location (T1655.001)
  • Proxy Through Victim (T1604)

Credential Access
  • Access Notifications (T1517)
  • Clipboard Data (T1414)

Discovery
  • Location Tracking (T1430)
  • Software Discovery (T1418)
  • System Information Discovery (T1426)
  • System Network Configuration Discovery (T1422)
  • Internet Connection Discovery (T1422.001)

Data Collection
  • Access Notifications (T1517)
  • Clipboard Data (T1414)
  • Data from Local System (T1533)
  • Location Tracking (T1430)
  • Protected User Data (T1636)
  • Calendar Entries (T1636.001)
  • Contact List (T1636.003)
  • SMS Messages (T1636.004)

Command and Control
  • Application Layer Protocol (T1437)
  • Web Protocols (T1437.001)
  • Non-Standard Port (T1509)

Exfiltration
  • Exfiltration Over C2 Channel (T1646)

Impact
  • Account Access Removal (T1640)


Treatment recommendations

Android

  1. If the mobile device is operating normally, download and install the free Dr.Web for Android Light antivirus product on it. Run a full system scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a ransomware trojan of the Android.Locker family (the screen displays an accusation of breaking the law, a demand to pay a certain sum of money, or another message that prevents normal use of the device), do the following:
    • boot your smartphone or tablet into safe mode (depending on the operating system version and the specifics of the particular mobile device, this procedure can be performed in different ways; consult the manual supplied with the device, or contact its manufacturer directly);
    • once safe mode is active, install the free Dr.Web for Android Light antivirus product on the infected device and run a full system scan, following the recommendations for neutralizing the detected threats;
    • switch the device off and turn it on again in normal mode.
