ChromeLoader, Telegram, RustDesk, and Tailscale

ChromeLoader

ChromeLoader is a Google Chrome browser hijacker actively deployed since at least 2022 (1). The malware modifies the browser settings and redirects traffic.
ChromeLoader has previously gained initial access via:

• Social engineering tactics, such as phishing emails with malicious attachments;
• QR codes posted on social media sites; and
• Malicious advertisements.

ChromeLoader has been observed gaining persistence via scheduled tasks. ChromeLoader is able to collect browser data, which could include passwords stored in the browser password vaults.

PDFFlex

Due to the number of incidents observed this week that were detected as ChromeLoader, Blackpoint’s APG conducted a deeper investigation into the file named “update.js”. This file relates to a software named PDFFlex.exe, a signed desktop application used as a wrapper for www.sodapdf[.]com. The software was packaged in a Microsoft Installer (MSI) file with varying names that appear related to legitimate PDF editing software. The installer and PDFFlex.exe were both signed with a certificate owned by Eclipse Media Inc, however, open-source research provided no evidence of a company creating this software. Indicating it is likely that the certificate was stolen. When run, the victim was presented with a GUI application using a web view for Soda PDF, a legitimate PDF editing application for both web and desktop. It gave the appearance of a native desktop application, when it was really a wrapper around the above mentioned domain. The installer created registry keys and scheduled tasks with the naming convention “PDFFlexUpdateOne-. The installer (2), main executable (3), and JavaScript file (4) were uploaded to VirusTotal by unknown parties; all three have very few detections.

The APG predicts that threat actors will likely continue to use ChromeLoader over the next 12 months.

Blackpoint’s APG assesses that threat actors will likely continue to deploy ChromeLoader malware in an attempt to collect browser data, including passwords and browsing habits.
This assessment is based on internal Blackpoint observed attacks and external reporting detailing ChromeLoader incidents.

In February 2023, AhnLab Security Emergency response Center (ASEC) released a report detailing a ChromeLoader incident. The malware was delivered via virtual hard disk (VHD) files that appeared to be related to hacks or cracks for Nintendo and Steam games (5).

In June 2023, HP researchers released a report detailing a ChromeLoader campaign that tricked users into installing a malicious Chrome extension “Shampoo”. The extension could redirect victim’s search queries to malicious websites and used scheduled tasks to re-launch itself every 50 minutes (6).

Blackpoint’s APG recommends the following actions to help mitigate ChromeLoader malware infections and persistence actions. (Note: Many of the mitigations for ChromeLoader are the same as mitigations for other malware variants.)

• Monitor system activity through heuristics-based triggers and alerts, which can help identify anomalous scheduled tasks and user activity.
• Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities.
• Implement browser extension allowlists, which can prevent the installation of unauthorized or malicious browser extensions.

Telegram is a cloud-based messaging application that can be used across multiple devices for encrypted instant messaging (7). Telegram allows users to join channels that are specific to a product or interest and their messages remain private to the channel. This makes Telegram an attractive place for hackers, threat groups, and ransomware operators to sell specific services, leak stolen data, and offer software.

The APG predicts that threat actors will likely continue to use Telegram over the next 12 months.

We base this assessment on…As with many other legitimate tools, threat actors have flocked to Telegram for malicious activities over the previous 12 months. Telegram can be used by threat groups to leak data, an example of this is the The Five Families Telegram channel (8). The Five Families is a Telegram channel and cooperative threat group comprised of five distinct threat groups:

1. Stormous ransomware
2. ThreatSec
3. GhostSec
4. Blackforums
5. SiegedSec

These groups also operate separate Telegram channels. Stormous is known for leaking victim data via their Telegram channel rather than the traditional method of a TOR data leak site. Telegram can also be used by threat groups for command-and-control (C2) purposes, an example is the Zaraza bot malware (9). Zaraza steal login information and uses Telegram as its C2 and can use the stolen data to carry out additional malicious activities.

Additionally, the ability to create and join specific Telegram channels allows threat groups to create channels that offer specific services, from hacking services to malware-as-a-service (MaaS) or ransomware-as-a-service (RaaS). These channels, unlike most cybercriminal forums, allow threat actors to focus on offering or purchasing the specific tool or service. The ease of access to these channels lower the entry gate to hacking for lower-skill level threat groups and increase collaboration between threat groups and operations (10).

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of legitimate tools, including the Telegram messenger app.

• Implement application controls – application controls should prevent both installation and execution of unauthorized applications, such as Telegram.
• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
• Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to suspicious installs and actions conducted by threat groups using unauthorized but legitimate tools and software.
• Monitor system activity through heuristics-based triggers and alerts, which can aid in detecting anomalous software installs and activities associated with malicious actors, such as scheduled tasks and unconventional executables.

RustDesk

RustDesk is an open source remote access tool that can enable users to access remote devices and is available for operating systems such as Windows, macOS, iOS, Android, and Linux (11). Remote access software is an attractive target for threat actors for both initial access and persistence; threat actors often target vulnerable instances and use the software to aid in their attacks.

Tailscale

Tailscale is a VPN service that makes devices and applications accessible to users from anywhere. Tailscale enabled encrypted point-to-point connections using the WireGuard protocol (12). VPN software is often an attractive tool for threat actors as they can be used to access sensitive environments, discover connected assets, and blend in with legitimate network traffic.

The APG predicts that threat actors will very likely continue to use RustDesk and Tailscale over the next 12 months.

In August 2023, security researchers with Phylum reported that North Korea-linked threat actors were observed using npm package registry to lure victims into downloading malicious modules. The threat actors used a domain masquerading as the legitimate RustDesk software (13).

In September 2023, security researchers with Logpoint reported that the Akira ransomware operation had been observed using the RustDesk software to gain persistent remote access to victim environments (14). The observation of both nation state and ransomware operators using the tool indicates that there are likely multiple groups that opt for RustDesk during cyberattacks, which will likely continue to be observed over the next 12 months.

In November 2023, the U.S. CISA released an advisory warning of the Scattered Spider ransomware affiliate group, most known for their work with the Alphv (AKA BlackCat) ransomware operation. The advisory warned that Scattered Spider has used legitimate tool to maintain access to victim environments, including Tailscale (15). Threat actors often use legitimate tools during cyberattacks to remain undetected and blend in with what appears to be legitimate network traffic.

Blackpoint’s APG recommends the following actions to help mitigate the abuse of legitimate remote access and VPN software for malicious activities.

• Monitor system activity through heuristics-based triggers and alerts, rather than depending solely on indicators of compromise (IoCs) to detect unusual access patterns that could be indicative of malicious behavior by threat actors. User accounts randomly access hosts, outside of normal business or from abnormal IP address location, can be detected and access can be closed prior to significant malicious activities occur.
• Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location. Dedicated and approved software can aid in detecting software, such as RustDesk, that is installed from a third-party location outside of a dedicated center.
• Implement application controls – application controls should prevent both installation and execution of portable versions of unauthorized RMM and VPN software.
• Use network segmentation, to ensure critical systems are isolated from less secure areas and prevent unauthorized communication restrictions between segments. This can help prevent threat actors from using RMM and VPN tools to move laterally and elevate privileges within the network.

1. Check Point’s Blog: “August 2023’s Most Wanted Malware: New ChromeLoader Campaign Spreads Malicious Browser Extensions while QBot is Shut Down by FBI” by Check Point Team on 2023-09-11
2. VirusTotal’s Repository: “9c5d756045fd479a742b81241ccf439d02fc668581a3002913811a341278de43” by VirusTotal on 2024-05-22
3. VirusTotal’s Repository: “d4c3bbf71e438274848dc1502755b9ec0ce8ee7dfbcd584513c86a8657e9e6cd” by VirusTotal on 2024-05-22
4. VirusTotal’s Repository: “501571c21ef631b6bb77b0866bde07012fe46ffe58235695c7e9df6302084c6a” by VirusTotal on 2024-05-21
5. ASEC’s Blog: “ChromeLoader Disguised as Illegal Game Programs Being Distributed” by gygy0101 on 2023-02-23
6. HP’s Blog: “ChromeLoader malware campaign punishes pirating users, HP warns” by HP on 2023-06-14
7. Telegram’s FAQ: “What is Telegram? What do I do here?” by Telegram on N/A
8. Cyberint’s Blog: “New Cyber Alliance: The Five Families Telegram Channel” by Research Team on 2023-09-12
9. SOCRadar’s Blog: “Zaraza Bot: New Malware Uses Telegram for Command & Control” by SOCRadar on 2023-04-18
10. Flare’s Blog: “Telegram Hacking Channels: An Emerging Risk” by Flare on 2023-06-06
11. RustDesk’s website: “About Us” by RustDesk on N/A
12. Tailscale’s Blog: “What is Tailscale?” by Tailscale on N/A
13. Phylum’s Blog: “Sophisticated, Highly-Targeted Attacks Continue to Plague npm’ by Phylum Research Team on 2023-08-12
14. Logpoint’s Whitepaper: “Deciphering Akira’s Arsenal: Tactics for Uncovering and Responding.” by Swachchhanda Shrawan Poudel on 2023-09