
TeleBots

Posted: October 9, 2019

TeleBots is a threat actor that preferentially targets Ukrainian organizations, including the energy and financial sectors. However, its attacks may also inadvertently compromise users elsewhere, such as by spreading over insufficiently secured networks. Since most of TeleBots's tools are high-level threats, users should leave the disinfection of TeleBots Trojans to their anti-malware products before resecuring their systems.

The Bots that Started in Darkness and Got Worse from There

As threat actors go, TeleBots is one of the more sensationalist, which pairs unusually with its niche geographical focus. Although many of its campaigns target entities in Ukraine, others, possibly inadvertently, spread throughout the rest of the world. Its attacks are among the most serious that malware experts have ever seen in terms of potential outcomes, including not just theft or extortion but also sabotage of essential national infrastructure.

TeleBots is a suspected evolution of the earlier BlackEnergy group and its centerpiece threat: a backdoor Trojan, also referred to as BlackEnergy, which took down a Ukrainian electrical grid. Its features include collecting data (such as by keylogging), wiping the contents of disks, offering RDP features and traveling throughout networks. Another notable victim over the years is the Ukrainian financial sector. Other tools connected to TeleBots, such as the Examarel backdoor Trojan, also target organizations other than infrastructure-based companies.

While intelligence-collecting operations often take a 'below the radar' approach, TeleBots favors noisier strategies. Instead of remaining undetected for as long as possible, it deploys file-locker or disk-wiping Trojans to destroy digital evidence, disrupt the victims' activities and leave a false trail. One Trojan with this purpose, the KillDisk Ransomware, displays either disruptive messages (referencing the hacking-themed television show Mr. Robot) or ransom notes demanding unrealistic ransoms. These details suggest that the file-locking and ransoming are covers rather than genuine attempts at profiteering.

Keeping Electricity and Data Right Where They Belong

TeleBots may use traditional infection strategies for enterprise-level campaigns, such as phishing e-mails. However, malware experts don't find these methods common for this threat group. In many cases, TeleBots's infection strategies are impressively sophisticated and may involve compromising the supply chains of 'normal' software and inserting installers for backdoor Trojans. MeDoc, a financial product in prominent use throughout Ukraine, is one example of such an attack.

Although the average user can do little to nothing about a supply-side compromise of update delivery mechanisms, they can limit the spread of TeleBots Trojans. Maintaining best practices for network security, especially while working with Ukraine-based systems, is essential for preemptive defense against a possible TeleBots attack. As a rule, malware experts also recommend backups as the best defense against the data-encrypting and data-destroying Trojans that TeleBots deploys semi-regularly.

Always keep your anti-malware services fully updated so that they can identify the latest threats, including new versions of TeleBots's older software. Most symptoms of TeleBots Trojans appear too late to undo the majority of the damage they inflict, and users have next to no chance of removing Sandworm, CrashOverride or similar threats manually.

Custom versions of password collectors, Trojans that overwrite files with random junk data, and secure double-algorithm encryptors are some examples of TeleBots's classic weapons. Until their funding or motivation dries up, users around the world, but in Ukraine above all else, will need to keep their networks well-guarded.
