Advisory ID: NCC-CSIRT-1811-056
Summary: Ukrainian cyber-experts have discovered a new attack that compromises victims' VPN (Virtual Private Network) accounts to access and encrypt networked resources. The attack uses the Vidar malware (Vidar Stealer) to steal Telegram session data which, in the absence of configured two-factor authentication and a passcode, allows unauthorized access to the victim's Telegram account and corporate account/network.
Vulnerable Platform(s): iOS, Android, Linux, macOS and Windows Operating Systems
Threat Type: Malware
Description: The Ukrainian CERT reported that a Somnia ransomware campaign uses Telegram to trick users into downloading an installer that mimics the 'Advanced IP Scanner' software but actually contains the Vidar malware. The installer infects the system with the Vidar stealer, which steals the victim's Telegram session data so the attackers can take control of the account. The threat actors abuse the victim's Telegram account in some unspecified manner to steal VPN connection data (authentication and certificates). If the VPN account is not protected by a two-factor authentication passcode, the attackers use it to gain unauthorized access to the victim's employer's corporate network. Once inside, the intruders conduct reconnaissance with tools such as Netscan, Rclone, Anydesk and Ngrok to perform surveillance and establish remote access, then deploy a Cobalt Strike beacon and exfiltrate data using the Rclone program.
Consequences: Unauthorized access to users' Telegram accounts and corporate accounts to exfiltrate data.
Impact/Probability: HIGH/HIGH
Solution:
- Use two-factor authentication and a passcode to protect your Telegram account.
- Do not download Advanced IP Scanner installers from unknown sources.
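As an added illustration that is not part of this advisory, the script below shows one way a defender can act on the description above: it verifies a downloaded installer against a vendor-published SHA-256 before it is run, and it scans process-creation logs for hosts where several of the post-access tools the advisory names (Netscan, Rclone, Anydesk, Ngrok) appear together. The log format, the binary-name patterns and the sample log lines are assumptions constructed for this example, not indicators taken from the advisory.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Post-access tools named in the advisory. The binary-name patterns are
# assumptions for illustration, not indicators taken from the advisory.
TOOL_PATTERNS = {
    "netscan": re.compile(r"\bnetscan(?:\.exe)?\b", re.IGNORECASE),
    "rclone": re.compile(r"\brclone(?:\.exe)?\b", re.IGNORECASE),
    "anydesk": re.compile(r"\banydesk(?:\.exe)?\b", re.IGNORECASE),
    "ngrok": re.compile(r"\bngrok(?:\.exe)?\b", re.IGNORECASE),
}

# Assumed process-creation log format:
#   "<timestamp> host=<hostname> user=<username> cmd=<command line>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2022-11-10T09:05:12Z host=WS-17 user=alice cmd=C:\\Users\\alice\\AppData\\Roaming\\netscan.exe /range:10.0.0.0/24",
    "2022-11-10T09:20:33Z host=WS-17 user=alice cmd=rclone.exe copy C:\\Share remote:backup",
    "2022-11-10T09:22:01Z host=WS-17 user=alice cmd=ngrok.exe tcp 3389",
    "2022-11-10T09:30:00Z host=WS-04 user=bob cmd=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
    "2022-11-10T10:00:00Z host=WS-09 user=carol cmd=notepad.exe report.txt",
    "this line does not match the expected format",
]


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tools_in(cmd):
    """Names of the advisory's tools whose binary pattern appears in a command line."""
    return sorted(name for name, pat in TOOL_PATTERNS.items() if pat.search(cmd))


def score_hosts(lines, threshold=2):
    """Map host -> sorted list of distinct tools seen, for hosts at or above threshold.

    A single tool (e.g. AnyDesk on a support workstation) is often legitimate;
    several of them on one host in a short window is the pattern worth triaging.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        seen[rec["host"]].update(tools_in(rec["cmd"]))
    return {host: sorted(tools) for host, tools in seen.items() if len(tools) >= threshold}


def verify_installer(data, expected_sha256):
    """True only if the downloaded bytes hash to the vendor-published SHA-256."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


if __name__ == "__main__":
    for host, tools in score_hosts(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(tools)}")  # prints "WS-17: netscan, ngrok, rclone"

    # Placeholder: replace with the SHA-256 the software vendor publishes for the
    # installer, and the bytes of the file you actually downloaded.
    downloaded = b"<installer bytes>"
    published = "<vendor-published-sha256>"
    print("installer verified:", verify_installer(downloaded, published))
```

The threshold is deliberately conservative: one matching binary on a host is a weak signal, while three distinct ones (network scanner, tunnelling tool and file-sync tool) on the same host reproduce the sequence the advisory describes and justify pulling that host's VPN login history for the same window.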