On June 6, 2024, a threat actor named 'Ancryno' began selling a Telegram zero-day exploit on the Russian-speaking XSS hacking forum. Dubbed 'EvilVideo,' this vulnerability allowed attackers to send malicious Android APK payloads disguised as video files. This Threatfeed delves into the underlying nuances revolving around the intricacies of the EvilVideo exploit, its discovery, impact, and subsequent mitigation.

---

Discovery and Disclosure

Security researchers discovered the flaw after a Proof of Concept (PoC) demonstration was shared on a public Telegram channel. The exploit, targeting Telegram versions v10.14.4 and older, was confirmed to work by ESET. Researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26, 2024, and again on July 4, 2024.

Telegram responded promptly, stating they were investigating the report. On July 11, 2024, they released version 10.14.5, which patched the vulnerability. This patch ended a five-week period during which threat actors could have exploited the zero-day.

Snapshot of an Unground Forum's Post ESET

Exploit Mechanism

The EvilVideo exploit was crafted to work solely on Telegram for Android. It allowed attackers to create specially crafted APK files that appeared as embedded videos when sent to other users on Telegram.

Exploit Details

1. Payload Creation: The exploit uses the Telegram API to programmatically create a message that appears to show a 30-second video.
2. Media Auto-Download: On its default setting, the Telegram app automatically downloads media files. Users who have this setting enabled would receive the payload once they opened the conversation.
3. Manual Download: For users who have disabled auto-download, a single tap on the video preview would initiate the file download.
4. Execution: When users attempt to play the fake video, Telegram suggests using an external player, prompting the recipient to tap "Open" and execute the payload.
5. Installation: The victim must enable the installation of unknown apps from the device settings, allowing the malicious APK file to install on the device.

---

Impact Analysis

The EvilVideo exploit was significant but required multiple steps to execute, reducing the likelihood of a successful attack. Despite the threat actor's claim that the exploit was "one-click," the necessity for multiple user actions added friction to the process.

C2 Server and Malicious APKs

ESET identified a command and control server (C2) at 'infinityhackscharan.ddns[.]net' used by the payloads. Two malicious APK files using this C2 were found on VirusTotal, masquerading as Avast Antivirus and an 'xHamster Premium Mod.'

---

Technical Analysis

ESET's analysis revealed that the exploit was most likely crafted using the Telegram API. This allowed developers to upload specifically crafted multimedia files to Telegram chats or channels programmatically. The malicious payload appeared as a 30-second video due to this API manipulation.

import telegram
Replace with your own token and chat ID
bot = telegram.Bot(token='YOUR_BOT_TOKEN')
chat_id = 'YOUR_CHAT_ID'
Craft the malicious payload
payload = open('malicious_payload.apk', 'rb')
bot.send_video(chat_id=chat_id, video=payload, supports_streaming=True, caption="Check out this cool video!")

This Python snippet demonstrates how the Telegram API can be used to send a video, which in this case, would be the malicious payload.

---

Mitigation and Recommendations

Telegram's fix in version 10.14.5 now displays the APK file correctly in the preview, preventing deception by appearing as video files. Users are advised to perform a filesystem scan using a mobile security suite if they received suspicious video files that requested an external app to play via Telegram.

File Locations

• Internal Storage: /storage/emulated/0/Telegram/Telegram Video/
• External Storage: /storage/<SD Card ID>/Telegram/Telegram Video/

---

Indicators of Compromise (IoCs)

Files

SHA-1	Filename	Detection	Description
F159886DCF9021F41EAA2B0641A758C4F0C4033D	Teating.apk	Android/Spy.SpyMax.T	EvilVideo payload

Network

IP	Domain	Hosting Provider	First Seen	Details
183.83.172[.]232	infinityhackscharan.ddns[.]net	Administrator Beam Cable System	2024-07-16	C&C server of EvilVideo

---

MITRE ATT&CK Techniques

Tactic	ID	Name	Description
Initial Access	T1664	Exploitation for Initial Access	The EvilVideo vulnerability can be abused by Android malware to achieve initial device access.
Execution	T1658	Exploitation for Client Execution	The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file.