We live in the days of hybrid warfare, and cyberattacks are now an integral part of the constant pressure applied against a perceived enemy. After all, an opponent can be crippled in more ways than just the physical one. CredRaptor is a good example of how a cyber tool can be used to disrupt corporate systems. CredRaptor is part of a large malicious campaign that targets the Ukrainian financial sector.
Security researchers call the group behind these attacks TeleBots, and the group's activity has been traced back as far as December 2015. Some of the higher-profile attacks credited to this group include the breaches of US state boards of elections in 2016, the hacking of the French election in 2017, and the cyberattack on the 2018 Winter Olympics.
Perhaps the most frustrating part of these attacks is that they still rely on an ancient distribution vector that keeps working despite all the efforts to improve cybersecurity: spam emails. According to Anton Cherepanov from ESET, the group sends out spam emails with attachments that look like Microsoft Excel documents. The Excel document carries a malicious macro that has to be enabled, and you read that right: it has to be enabled by the victim. The moment the victim clicks the "Enable Content" button at the top of the document, the malicious macro runs and the infection process starts rolling.
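Because the infection only starts once a macro-bearing attachment reaches a user who clicks "Enable Content", the cheapest place to break the chain is mail-gateway triage of Office attachments before delivery. The following Python is an added example written for this page, not code from ESET, TeleBots research, or Cyclonis. It relies on two facts about Office files: modern OOXML documents (.xlsx/.xlsm/.docm) are ZIP containers in which VBA code lives in a part named `vbaProject.bin`, and legacy binary documents (.xls/.doc) start with the OLE compound-file magic bytes and need a separate OLE parser. The sample attachments are constructed in memory; the function and verdict names are this example's own.

```python
import io
import zipfile

# Magic bytes of the legacy OLE compound-file container used by .xls/.doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML stores VBA macros in a part with this name (usually under xl/ or word/).
VBA_PART = "vbaproject.bin"


def classify_attachment(name: str, data: bytes) -> str:
    """Return one of 'macro', 'clean', 'legacy-binary' or 'not-office'.

    'macro' means an OOXML container that ships a VBA project, regardless of
    the extension the sender chose for the file name.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros are in OLE streams, not ZIP entries,
        # so this simple check cannot clear it. Treat as needing deeper inspection.
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [entry.lower() for entry in zf.namelist()]
    if any(entry.endswith(VBA_PART) for entry in entries):
        return "macro"
    return "clean"


def triage(attachments):
    """Decide per attachment whether to hold it back from the recipient.

    attachments: iterable of (filename, bytes). Returns a list of
    (filename, verdict, quarantine) tuples. Macro-bearing and legacy binary
    documents are held; everything else passes through.
    """
    decisions = []
    for name, data in attachments:
        verdict = classify_attachment(name, data)
        quarantine = verdict in ("macro", "legacy-binary")
        decisions.append((name, verdict, quarantine))
    return decisions


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style ZIP used as sample input (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes; a real vbaProject.bin is an OLE stream.
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = [
        ("invoice.xlsm", build_sample(True)),
        ("report.xlsx", build_sample(False)),
        ("old-statement.xls", OLE_MAGIC + b"\x00" * 16),
        ("notes.txt", b"plain text"),
    ]
    for name, verdict, held in triage(sample):
        print(f"{name:20} {verdict:14} quarantine={held}")
```

The check keys on container structure rather than the file extension, so an attachment renamed from `.xlsm` to `.xlsx` is still caught; for the legacy binary format a dedicated OLE parser is needed, which is why those files are held rather than cleared.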
A key element in this TeleBots attack is a backdoor written in the Python programming language. This helps the criminals obfuscate the infection, making it harder for security tools on the compromised system to detect (provided any are installed). The backdoor exists to communicate with the criminals and receive further commands on what the infection should do next. Researchers note that it is particularly interesting how this backdoor abuses the Telegram Messenger for that communication. Telegram is a popular messaging app in the CIS region.
Since the malicious bot that initiates the communication between the affected system and the command and control center works over HTTP, the traffic itself looks like regular communication with the Telegram network. Telegram has been informed about the abuse, and hopefully the channel has been shut down by now.
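Traffic that blends in with a legitimate messaging service is hard to block by reputation alone, but it is not invisible: a workstation in a finance department has no business calling Telegram's bot interface. The Python below is an added example for this page, not code from ESET or the authors of the backdoor. It assumes proxy log lines in a simple constructed format (timestamp, client IP, method, URL, status) and relies on one publicly documented fact, that Telegram's bot interface is served from the host `api.telegram.org` with URL paths of the form `/bot<token>/<method>`. The log lines are constructed, the token is shown as a placeholder, and the function names and severity labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed proxy log sample: timestamp, client, HTTP method, URL, status.
SAMPLE_LOG = """\
2018-01-10T09:01:12Z 10.0.5.21 GET https://www.example-bank.test/portal 200
2018-01-10T09:01:40Z 10.0.5.21 POST https://api.telegram.org/bot<redacted>/getUpdates 200
2018-01-10T09:02:05Z 10.0.5.21 POST https://api.telegram.org/bot<redacted>/sendDocument 200
2018-01-10T09:02:30Z 10.0.7.3 GET https://web.telegram.org/ 200
2018-01-10T09:03:00Z 10.0.9.14 POST https://api.telegram.org/bot<redacted>/getUpdates 200
2018-01-10T09:03:10Z 10.0.9.14 POST https://api.telegram.org/bot<redacted>/getUpdates 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Bot interface: host api.telegram.org, path /bot<token>/<method>.
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/(\w+)")
# Methods that push content out of the network; their presence raises severity.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def find_bot_api_beacons(log_text: str, allowlist=frozenset()):
    """Group bot-interface calls by client, ignoring hosts in the allowlist.

    Returns {client: {"calls", "methods", "first", "last", "severity"}}.
    Ordinary user traffic to web.telegram.org is deliberately not matched;
    only the bot interface is unexpected on a corporate workstation.
    """
    seen = defaultdict(lambda: {"calls": 0, "methods": set(), "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["client"] in allowlist:
            continue
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue
        entry = seen[rec["client"]]
        entry["calls"] += 1
        entry["methods"].add(m.group(1))
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    findings = {}
    for client, entry in seen.items():
        methods = sorted(entry["methods"])
        severity = "high" if UPLOAD_METHODS.intersection(methods) else "medium"
        findings[client] = {
            "calls": entry["calls"],
            "methods": methods,
            "first": entry["first"],
            "last": entry["last"],
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for client, f in sorted(find_bot_api_beacons(SAMPLE_LOG).items()):
        print(f"{client:12} {f['severity']:6} calls={f['calls']} methods={','.join(f['methods'])} "
              f"window={f['first']}..{f['last']}")
```

Without TLS inspection a proxy sees only the CONNECT hostname, not the path, so in that setting the host match alone is the signal and the method-based severity cannot be computed; the polling pattern (repeated `getUpdates` calls at short intervals from one host) is what distinguishes a beacon from a user who opened a chat once.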
Now, where does CredRaptor stand in all of this? CredRaptor is actually a password stealer. Once the target network has been compromised, TeleBots employs various tools like CredRaptor to harvest passwords from web browsers. Hence, if the attacked system has many of its passwords saved in Opera, Firefox, Internet Explorer, and Google Chrome, CredRaptor can easily steal those passwords and hand them to its operators. This is a good example of why it is not a good idea to save passwords in browsers on corporate computers. It would be better to employ a password manager like Cyclonis, which keeps sensitive passwords in a separate tool that protects the data with strong encryption.
Thus, malicious components like CredRaptor are often just one piece of a bigger malware campaign. It is always important to determine which campaign we are dealing with. For the most part, such campaigns have clear targets, and groups like TeleBots are bound to keep inventing new ways to infect their victims.
Corporations, businesses, and public institutions need to understand that every single employee has to be educated in matters of cybersecurity. As mentioned, CredRaptor and the backdoor it comes with usually spread through spam email campaigns. Those campaigns are not random; they have clear targets, so it is important that your employees learn not to open every received document without double-checking the sender. A simple spam email can always be the start of devastating sabotage.