I want to launch a Telegram bot in the form of a Windows service. The bot is hosted on its server with RDP, and when the session is disconnected, the bot stops working. I don't want to disable the session timeout, because I wonder if it is possible to run the bot as a service at all.
I ran the command:
sc create BotService binpath= "C:\Users\*\AppData\Local\Programs\Python\Python38\python.exe C:\Users\*\Desktop\tg_bot\bot.py" DisplayName= "BotService" start= auto
The service was created successfully; I launch it and execute a couple of bot commands, but after a couple of commands the bot stops working. Are there any other options for implementing this idea, if it is possible at all?
Mandiant assesses with moderate confidence that UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making. Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus.
Notably, on January 12, 2022, the U.S. government publicly stated that it considers TEMP.Zagros subordinate to the Iranian Ministry of Intelligence and Security (MOIS) and disclosed samples of malware families (POWGOOP and MORIAGENT) in use by the group since at least 2020.
In the second half of 2021, Mandiant identified an UNC3313 campaign using GRAMDOOR and STARWHALE to target Middle Eastern government and technology entities. TEMP.Zagros has historically targeted these regions and sectors throughout the Middle East and Central and South Asia, including government, defense, telecommunications, energy, and finance. Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus and the telecommunications sector in the Middle East.
The use of the Telegram API for command and control allows for malicious traffic to blend in with legitimate user behavior. Combined with the use of legitimate remote access software, publicly available tools such as LIGOLO and CrackMapExec, and the multi-layer encoding routine, Mandiant believes this reflects TEMP.Zagros' efforts to evade detection and security features. Meanwhile, it is unclear how the U.S. government's recent public attribution of "MuddyWater" to the Iranian Ministry of Intelligence and Security will affect the group's operations. It is plausible the group may re-tool and shift their tactics, techniques, and procedures prior to conducting additional operations.
The RAR archives contained a Windows Installer .msi file that installed ScreenConnect remote access software to establish a foothold. Figure 1 shows a Windows Installer transaction event recorded in the Windows Application logs for the execution of performance.msi.
As mentioned, UNC3313 moved rapidly to establish remote access through ScreenConnect to infiltrate systems within an hour of initial compromise. ScreenConnect provides the capability to issue single CLI commands to the client or to open a full terminal using Backstage Mode. Mandiant observed command execution using cmd.exe and powershell.exe by the parent process ScreenConnect.ClientService.exe.
When actively running, the ScreenConnect.ClientService.exe process performed DNS lookups for a ScreenConnect relay service at instance--relay.screenconnect.com. Mandiant observed the process ScreenConnect.WindowsClient.exe write additional attacker tools to the initially compromised hosts, indicating the files were copied through the active ScreenConnect session.
Mandiant observed UNC3313 performing common credential-dumping techniques with legitimate Windows utilities. UNC3313 leveraged the open-source WMIEXEC.PY attack framework to execute reg commands that export copies of the local SAM, SYSTEM, and SECURITY Windows registry hives. WMIEXEC.PY enables simple command invocation on a remote system via WMI (Windows Management Instrumentation), provided the caller has admin rights and the DCOM ports on the target system are reachable.
UNC3313 performed initial reconnaissance and account access testing with CRACKMAPEXEC using the commands shown in Figure 7 and Figure 8. The credential and host information collected by CRACKMAPEXEC was stored in the local database file cme.db.
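The two behaviours described above, shell processes spawned by ScreenConnect.ClientService.exe and reg.exe exporting the SAM, SYSTEM or SECURITY hives, can be checked against process-creation telemetry. The following is an added example, not code from the Mandiant report; it runs over constructed sample events, and the WmiPrvSE.exe parent check is an assumption about how WMIEXEC.PY-launched processes typically appear.

```python
import os
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 fields);
# not taken from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "WS02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "WS02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKEY_LOCAL_MACHINE\SECURITY C:\Windows\Temp\sec.hiv"},
    {"host": "WS03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg query HKLM\SOFTWARE\Microsoft"},
]

REMOTE_SHELL_PARENTS = {"screenconnect.clientservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# reg save / reg export of the three hives that together yield local credential material.
HIVE_EXPORT = re.compile(r"\b(save|export)\s+(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return one finding per event that matches either rule, in event order."""
    findings = []
    for ev in events:
        image, parent = _base(ev["image"]), _base(ev["parent"])
        if image in SHELLS and parent in REMOTE_SHELL_PARENTS:
            findings.append({"host": ev["host"], "rule": "shell_from_screenconnect", "cmdline": ev["cmdline"]})
        elif image == "reg.exe":
            m = HIVE_EXPORT.search(ev["cmdline"])
            if m:
                findings.append({"host": ev["host"], "rule": "credential_hive_export",
                                 "hive": m.group(3).upper(),
                                 # Assumption: wmiexec.py-style remote execution lands under WmiPrvSE.exe.
                                 "via_wmi": parent == "wmiprvse.exe",
                                 "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```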
Mandiant identified a new malware family named STARWHALE that was used by UNC3313. STARWHALE is a Windows Script File backdoor that simply receives commands from a command and control (C2) server via HTTP and executes those commands via Windows cmd.exe. On the infected system, STARWHALE was observed being executed with a command-line argument as shown in Figure 14.
The command-line argument "humpback__whale " is used in the code to dynamically resolve functions at runtime using the VBScript function GetRef. Since STARWHALE does not contain any persistence mechanism, a service is created as shown in Figure 16.
STARWHALE communicates with its C2 server, which is hardcoded in the malware. Upon first execution, the malware gathers basic user and system information, such as local IP address, computer name, and username. It then encodes this information using a custom encoding scheme before sending the information to the C2 IP address as shown in Figure 17.
If the command fails, it sends the encoded string "SoRRy" to its C2. Notably, in earlier iterations of STARWHALE, Mandiant also observed it using the string "sory" [sic]. The threat actor corrected the spelling error after security researchers highlighted the string in a public forum. Mandiant has observed similar spelling errors in other campaigns by Iranian threat actors.
During the intrusion, Mandiant also observed the actors deploying malware that closely resembles STARWHALE in design but is written in Golang. Mandiant is calling this code family STARWHALE.GO. It is downloaded onto the system using the certutil.exe utility as shown in Figure 20.
STARWHALE.GO arrives as part of a Nullsoft Scriptable Install System (NSIS) installer, which installs it in a directory called OutlookM and creates a Run key in the Windows registry to make it persistent on the system. Upon execution, it drops the Golang binary and executes it.
STARWHALE.GO also uses a custom data encoding algorithm to protect its network communication and critical strings within the binary. It sends the same information as STARWHALE, but the data sent and received is a JSON object. A sample HTTP POST request is shown in Figure 23.
Mandiant identified a third UNC3313 backdoor during the investigation that was compiled with Python 3.9 and packaged via PyInstaller, which would only execute on Windows 8 and higher. Mandiant has named this backdoor GRAMDOOR due to its ability to use the Telegram Bot API for communication. It sends and receives messages from an actor-created Telegram chat room. GRAMDOOR arrives on the system packaged as an NSIS installer, which establishes a persistence mechanism by setting the Windows Run registry key, as shown in Figure 24.
GRAMDOOR expects to be launched with one command-line parameter, which in this case was "Platypus." It uses this command-line parameter to piece together the function name, which is then called and acts as the entry point to the malware. GRAMDOOR implements only two commands: start and com. These commands are used to launch a cmd.exe process to which commands are piped. All network communication is via the Telegram server at api.telegram[.]org. This allows the actors to disguise their communication as regular Telegram traffic. This technique is not novel, and it is not the first time Iranian actors have abused publicly available software to make their C2 traffic blend in.
All HTTP requests from the malware to the Telegram server contained the token string 2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY. The token string authenticates requests to the bot. Figure 26 shows a sample request.
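To hunt for the Telegram Bot API traffic described above in web proxy logs, the following added example (not code from the report) parses constructed log lines, matches the /bot<id>:<secret>/<method> path shape on api.telegram.org, and reports per source host which Bot API methods were called while keeping only a masked token prefix in the output. The log line format is an assumption; the token value is the one quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines, one per request: "<time> <src_ip> <method> <url> <user_agent>"
SAMPLE_LOG = """\
2021-11-02T10:15:31Z 10.0.5.23 POST https://api.telegram.org/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/getUpdates python-requests/2.26.0
2021-11-02T10:15:32Z 10.0.5.23 POST https://api.telegram.org/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/sendMessage python-requests/2.26.0
2021-11-02T10:16:05Z 10.0.5.40 GET https://telegram.org/ Mozilla/5.0
2021-11-02T10:16:09Z 10.0.5.41 GET https://core.telegram.org/bots/api Mozilla/5.0
2021-11-02T10:17:00Z 10.0.5.23 POST https://api.telegram.org/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/sendDocument python-requests/2.26.0
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ua>.*)$")
# Bot API URL path: /bot<numeric bot id>:<35-character secret>/<API method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<api>\w+)$")


def mask(secret):
    """Keep a short prefix only, so alerts do not propagate the full bot secret."""
    return secret[:4] + "..."


def find_bot_api_c2(log_text):
    """Summarise Telegram Bot API usage per (source host, bot id) found in proxy logs."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.hostname != "api.telegram.org":
            continue  # ordinary telegram.org browsing is not Bot API traffic
        p = BOT_PATH.match(url.path)
        if not p:
            continue
        key = (m["src"], p["bot_id"])
        entry = hits.setdefault(key, {"src": m["src"], "bot_id": p["bot_id"],
                                      "token_prefix": mask(p["secret"]),
                                      "methods": [], "user_agents": set()})
        entry["methods"].append(p["api"])
        entry["user_agents"].add(m["ua"])
    return list(hits.values())


if __name__ == "__main__":
    for hit in find_bot_api_c2(SAMPLE_LOG):
        print(hit)
```

A host that both polls getUpdates and posts sendMessage/sendDocument with a non-browser user agent matches the GRAMDOOR pattern of receiving commands and returning output through a bot.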
Lastly, Mandiant observed UNC3313 download and execute a Windows Installer file for the eHorus remote access tool from the vendor website. UNC3313 executed the file ehorus_installer_windows-1.1.3-x64_en-US.msi, which created a service named EHORUSAGENT. The eHorus agent process ehorus_agent.exe communicates with domains hosted on ehorus[.]com.
eHorus is a legitimate remote access tool sold commercially by Pandora FMS, which is based in Spain. Symantec recently reported eHorus being abused by Iranian threat actors in a similar campaign against telecom organizations in the Middle East and Asia.
Special thanks to Mike Hunoff, Nick Harbour, and Muhammad Umair for their assistance with reverse engineering the malware discussed in this blog post, and Adrien Bataille and Ervin James Ocampo for creating detections for malware families. Additionally, we would also like to thank Dan Andreiana, Alexander Pennino, Nick Richards, Jake Nicastro, Sarah Jones, and Geoff Ackerman for their help with technical review and providing valuable feedback.
In this article, you will learn about Telegram Messenger, why to use the Telegram cloud in your own applications, the TDLib library, using OpenSSL for security and encryption, developing your own Telegram app in Windows app development software, and much more.
Telegram Messenger is a popular cloud instant messaging application. It offers multiple services, including instant text messaging and video calls that are end-to-end encrypted. Telegram also allows for secure file sharing and many other powerful features that would be hard to implement independently in your own code.
Telegram Messenger is famous for the level of security it offers its users. Furthermore, Telegram offers a free and open Telegram API that allows anyone to create their own messaging apps operating in the Telegram cloud. To ease Telegram API integration, a completely free cross-platform library is provided too, known as TDLib.
TDLib also depends on OpenSSL and on the Zlib compression library. This means we need to download those packages and include or link the following third-party binaries from them, as you can see below: