
The first cryptor to exploit Telegram - speps
https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/
======
tetrep
This seems like a very poorly designed piece of malware. Not only does it rely
upon running a bot with a 3rd party who would probably gladly shut it down,
but all the bot's details are hardcoded in the malware, so the whack-a-mole
enforcement problem doesn't even need to be considered.

But maybe that's just part of the bait? If you're trying to test the "time to
ban" of various communications platforms, you would probably write malware
like this.

------
gressquel
3 MB for such software sounds amateurish. Back in the old days when we used to
make trojans in Delphi the focus was much on file size. Pushing the limits. I
remember writing the application as a console app greatly reduced the size to
a few KB.

I suspect this Telegram trojan is made as a .NET GUI app that hides itself.

Also ‘D’ is right about being dependent on a third party for communication; it's
never a good idea. If you want some sophisticated setup in malware, look up
GameOver Zeus / P2P-Zeus.

That is what I call neat software made by an advanced developer.

------
_maya_
The exploit described in this article just describes using Telegram as a
method for a trojan to emit signals using the Telegram API. The attack is
amateur and has much room for improvement. Also the name of the article is
terribly misleading.

------
iamnothere
Terrible title; as others have pointed out, this makes it sound like the
Telegram app itself was exploited. Can we get a better title?

------
j_s
s/exploit/use/

~~~
surye
Yeah, this is a very misleading use of the word exploit. Especially given the
wariness of Telegram usually expressed on HN.

~~~
antocv
Has there been any Russian or, say, German software which is popular with the HN
crowd?

Unless it's made by Y Combinator companies or in Silicon Valley, it doesn't
exist... see hyper.sh

~~~
8_hours_ago
Nginx is one. It's now headquartered in SF, but it was founded in Russia and
still has an office there.

------
dom0
This is an expected outcome.

Previously many cryptoviruses had grave security problems, thereby reducing
business value (because customers could get their files back without paying
the storage fee). The move to established and known secure cryptographic
protocols was therefore only a matter of time, since it represents a tangible
increase in business value.

~~~
CiPHPerCoder
> The move to established and known secure cryptographic protocols was
> therefore only a matter of time, since it represents a tangible increase in
> business value.

What does that have to do with Telegram?

[https://news.ycombinator.com/item?id=10713064](https://news.ycombinator.com/item?id=10713064)

~~~
ryanlol
This malware doesn't even take advantage of the encrypted messaging
functionality... It could just as well use twilio.

------
J-Kuhn
Stupid move.

Messages sent to Telegram with the bot API can be forwarded to anyone who has
the chat_id and the bot token with the forwardMessage method. And the message
id is an increasing number starting with 1.

So if they did not already disable (or get Telegram to disable) the bot, they
can now extract the infection id with the seed key.

tl;dr: All the information required to restore the data is accessible if you
have the bot_token and chat_id.

------
banku_brougham
I was not able to tell from the article if any Telegram user is vulnerable.
Can they encrypt my hard drive by sending a message to my Telegram account
(using the desktop client)? Does it require some interaction or authentication by
the user to get access?

I would love to learn more, but I'm not a specialist in this field.

~~~
_maya_
This article does not describe a vulnerability in Telegram. It only describes
how a trojan could use the API to send messages (which is what the API is
designed to do).

~~~
banku_brougham
OK, so a package can be delivered via Telegram just as in email, for instance.
The attacker still has to gain execution access via social engineering or some
form of privilege escalation to actually encrypt a victim's drive.

