GRAMDOOR and STARWHALE Abuse Telegram Messenger API

PROVINTELL_Gramdoor and Starwhale Abuse Telegram Messenger API

VTA-00408 – GRAMDOOR and STARWHALE Abuse Telegram Messenger API

Mandiant has identified 2 new targeted malware threats, GRAMDOOR and STARWHALE, which implement simple backdoor functionalities. Both are attributed to UNC (Uncategorized) groups.

GRAMDOOR is a backdoor written in Python that uses the Telegram Bot API to communicate over HTTP with the Telegram server. UNC groups gain access to the customer’s environment through a spear-phishing attack that compromises multiple systems. Phishing emails are crafted with job promotion to lure victims to click a URL to download a RAR archive file hosted at the cloud storage service OneHub. To establish foothold, UNC groups use common credential-dumping techniques using legitimate Windows utilities. This is followed by privilege escalation. UNC groups leverage on the open-source ‘WMIEXEC.PY’ attack framework to execute reg commands to export copies of the local SAM, SYSTEM, and SECURITY Windows registry hives. 

Mandiant also observes that UNC groups leverage on the publicly available offensive security tools to gain remote command execution, internal reconnaissance, network tunneling and lateral movement.  STARWHALE is used to maintain its persistence. STARWHALE is a WSF file backdoor that simply receives commands from a C2 server via HTTP and executes those commands via Windows command prompt.


Impact Analysis of Dridex Malware

Attack Surfaces:
Email, Mobile Application

Command and Control, Credential Access, Execution, Exfiltration, Impact, Lateral Movement, Persistence, Privilege Escalation

Masquerading, Native API, Access Token Manipulation, Encrypted Channel, Data from Cloud Storage Object, OS Credential Dumping, Remote System Discovery, Remote Services, System Owner/User Discovery

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Email Manipulation, Network Manipulation, Security Controls, Software Manipulation

SuperPRO’s Threat Countermeasures Procedures: 
1) Adding the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC above to create a custom rule to block the respective File Hashes and Hostname, if necessary
2) Ensure Common Attachment Types Filter is set to ‘On’ for Malware Filter Policy
3) Organization must conduct phishing campaigns to educate users about phishing trap
4) Users must be provided with proactive trainings to detect/mitigate any phishing attacks
5) IDS/IPS should be configured properly

Contributed by:  Jxm

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>