New backdoor of the TeleBots cyber group: the first proof of the link between Industroyer and NotPetya

    A study of the new backdoor of the TeleBots cyber group behind the NotPetya epidemic revealed a significant similarity between the code and the main backdoor of Industroyer, which confirms the interconnection previously rumored.

    Among the largest cyber incidents of recent years are attacks on Ukrainian energy enterprises and the epidemic of the NotPetya coder . In the post we will look at the relationship between these events.

    The first in the history of massive power outages caused by cyber attacks occurred in December 2015, its cause is the BlackEnergy malware complex . ESET specialists monitored the activity of the ART group using BlackEnergy, both before and after this event. After the blackout of 2015, the group seems to have turned to active work with BlackEnergy and evolved into what we now call TeleBots .

    Here it should be noted that, speaking of the ART group, we mean the general technical indicators: code similarity, common network (C & C) infrastructure, chains of execution of malicious programs, etc. As a rule, we do not directly participate in the investigation and identification of developers or operators. The term “ART group” is not clearly defined and is often used to characterize malware parameters. For these reasons, we refrain from assumptions about the source of attacks, national or state identity of the attackers.

    In any case, we found a connection between the attacks of BlackEnergy (aimed at the Ukrainian energy companies, as well as other industries and high-ranking facilities) and the campaigns of the TeleBots group (mainly against the Ukrainian financial sector).

    In June 2017, companies around the world suffered from Diskcoder.C wiper (better known as Petya / NotPetya) - the massive nature of the infection seems to have been a side effect. Studying the incident, we found out that companies infected with the backdoor of the TeleBots group became the “zero patient” of this epidemic as a result of the compromise of the popular MEDoc accounting software in Ukrainian companies.

    The question is, what does Industroyer have to do with this story .- a complex malicious complex that caused the blackout in Kiev in December 2016. Immediately after the publication of the ESET report, some security companies and the media suggested that Industroyer also developed the BlackEnergy / TeleBots group (sometimes also called Sandworm). However, evidence to date has not been provided.

    In April 2018, we recorded a new activity of the TeleBots group - an attempt to deploy a new Win32 / Exaramel backdoor . Our analysis showed that this backdoor is an improved version of the main backdoor of Industroyer - which was the first proof.

    Win32 / Exaramel backdoor analysis

    The Win32 / Exaramel backdoor is initially installed using a dropper. According to the dropper metadata, the backdoor is compiled into Microsoft Visual Studio just before being deployed to a particular compromised computer.

    Figure 1. Win32 / Exaramel backdoor PE dropper timestamp

    After execution, the dropper places the Win32 / Exaramel binary file in the Windows system directory and starts the Windows service with the name wsmproav“Windows Check AV”. The file name and description of the Windows service is hard coded in the dropper.

    Figure 2. Windows service registry settings created by the Win32 / Exaramel backdoor

    In addition, the dropper writes the backdoor configuration to the Windows registry in XML format.

    Figure 3. Win32 / Exaramel XML configuration

    The configuration consists of several blocks:

    - Interval - time in milliseconds, used for the Sleep function
    - Servers - list of command servers (C & C)
    - Check - web site used to determine whether the host has Internet access
    - Proxy - proxy server in the host's network
    - Storage - the path used to store files for exfiltration

    As can be seen from the first configuration line, attackers group targets based on the antivirus products used. A similar approach is used in the Industroyer complex - in particular, some Industroyer backdoors were also disguised as antivirus related service (deployed under the name avtask.exe) and used the same approach to group formation.

    Another interesting fact is that the backdoor uses C & C servers whose domain names mimic domains belonging to ESET. In addition to esetsmart[.]orgthe above configuration, we found a similar domain um10eset[.]netthat was used by the recently discovered Linux version of the TeleBots malware. It is important to note that these monitored offensive servers are not related to ESET's legitimate network infrastructure.. At present, we have not found that Exaramel uses domains that mimic the infrastructure of other information security companies.

    After launching, the backdoor establishes a connection with the C & C server and receives commands for execution on the system. Below is a list of available commands:

    - Starting the process
    - Starting the process from a specific Windows user
    - Writing data to a file at a specified path
    - Copying a file to the storage subdirectory (Load file)
    - Execute a shell command
    - Execute a shell command from a specific Windows user
    - Run VBS code using the MSScriptControl.ScriptControl.1

    command loop code and the implementation of the first six commands in Win32 / Exaramel is very similar to the backdoor from the Industroyer software.

    Figure 4. Comparison of decompiled Win32 / Exaramel backdoors (left) and Win32 / Industroyer (right)

    Both families of malware use a report file to store the output of executed shell commands and running processes. In the case of the Win32 / Industroyer backdoor, the report file is stored in a temporary folder with a random name; in Win32 / Exaramel, the report file is called report.txt, and its path to the repository is specified in the backdoor configuration file.

    To redirect standard output (stdout) and standard error (stderr) to the report file, both backdoors set the parameters hStdOutputand hStdErrorthe file descriptor of the report. This is another similarity between these malware families.

    Figure 5. Comparing the Win32 / Exaramel and Win32 / Industroyer decompiled code, respectively.

    If the malware operators want to exfiltrate the files from the victim's computer, it is enough to copy these files to the storage path subdirectory dataspecified in the configuration. Before establishing a new connection with the C & C server, the backdoor will automatically compress and encrypt these files before sending them.

    The main difference between the backdoor Industroyer and the new backdoor TeleBots is that the latter uses the XML format for communication and configuration instead of the custom binary format.

    Malicious password theft tools.

    Together with Exaramel, the TeleBots group uses some of the old tools, including a password theft tool (internal name is CredRaptor or PAI) and slightly modified Mimikatz.

    The improved CredRaptor password theft tool, used only by this group since 2016, has been improved. Unlike previous versions, it collects saved passwords not only from browsers, but also from Outlook and a number of FTP clients. Below is a list of supported applications:

    - BitKinex FTP
    - BulletProof FTP Client
    - Classic FTP
    - CoffeeCup
    - Core FTP
    - Cryer WebSitePublisher
    - CuteFTP
    - FAR Manager
    - FileZilla
    - FlashFXP
    - Frigate3
    - FTP Commander
    - FTP Explorer
    - FTP Navigator
    - Google Chrome
    - Internet Explorer 7 - 11
    - Mozilla Firefox
    - Opera
    - Outlook 2010, 2013, 2016
    - SmartFTP
    - SoftX FTP Client
    - Total Commander
    - TurboFTP
    - Windows Vault
    - WinSCP
    - WS_FTP Client

    Refinements allow attackers to collect data from webmaster accounts for websites and from servers in the internal infrastructure. Having access to such servers, you can install additional backdoors. Quite often, these servers have an operating system different from Windows, so attackers have to adapt backdoors.

    During incident response activities, we discovered the TeleBots Linux backdoor — Linux / Exaramel.A .

    Linux / Exaramel backdoor analysis

    The backdoor is written in the Go programming language and compiled as a 64-bit ELF binary file. Attackers can deploy the backdoor in the selected directory under any name.

    If the backdoor is executed by attacking with the string 'none' as a command line argument, it tries to use persistence mechanisms to automatically start after a reboot. If the backdoor is not running as root, it uses the file crontab. However, if it is running as root, it supports various Linux systems init. It determines which initsystem is currently used by executing the command:

    strings /sbin/init | awk 'match($0, /(upstart|systemd|sysvinit)/){ print substr($0, RSTART, RLENGTH);exit; }'

    Depending on the result, the backdoor uses the following hard-coded locations to ensure persistence (hereinafter, Init system and its location):

    sysvinit- /etc/init.d/syslogd
    upstart - /etc/init/syslogd.conf
    systemd - /etc/systemd/system/syslogd.service

    During startup, the backdoor tries to open a configuration file that is stored in the same directory as the backdoor under the name config.json. If the configuration file does not exist, a new file is created. The configuration is encrypted using the key s0m3t3rr0r and the RC4 algorithm.

    Figure 6. Decrypted Linux backdoor JSON configuration / Exaramel The

    backdoor connects to a hard-coded C & C (default is 176.31.225 [.] 204 in the pattern we saw) or to the C & C server specified in the configuration file in value Hosts. Communications are carried out via HTTPS. The backdoor supports the following commands:

    App.Update- update to the new version of
    App.Delete - self-
    deletion from the App.SetProxy system - set proxy server settings in the
    App.SetServer configuration - update the C & C server in the
    App.SetTimeout configuration - set the timeout value (intervals between connections to the C & C server)
    IO .WriteFile - download file from remote server
    IO.ReadFile - upload file from local disk to C & C server
    OS.ShellExecute - execute shell command


    The discovery of Exaramel shows that the TeleBots group remains active in 2018, and the attackers continue to improve tactics and tools.

    The significant similarity between the Win32 / Exaramel code and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer with the TeleBots group and, therefore, with NotPetya and BlackEnergy cyber campaigns. Establishing a connection between the sources of cyber attacks, we should take into account the possibility of error or deliberate deception, but in this case we consider this unlikely.

    It is worth noting that Win32 and Linux versions of Exaramel backdoor were found in an organization that is not relevant to the industry. ESET specialists reported the finding to the investigative authorities of Ukraine, due to which the attack was promptly localized and prevented.

    ESET continues to monitor the activity of this cyber group.

    Compromise Indicators (IoCs)

    Detection by ESET products

    Win32/Exaramel trojan
    Win32/Agent.TCD trojan
    Linux/Agent.EJ trojan
    Linux/Exaramel.A trojan
    Win32/PSW.Agent.OEP trojan
    Win32/RiskWare.Mimikatz.Z application
    Win64/Riskware.Mimikatz.AI application

    Hashi SHA-1

    Backdoor Win32 / Exaramel cybergroup TeleBots A tool to steal passwords Mimikatz Linux / Exaramel




    C & C Servers

    um10eset[.]net (IP:
    esetsmart[.]org (IP:

    Also popular now: