Main points
- Hackers use fake Telegram websites to spread malware that evades standard protection systems through a sophisticated multi-stage infection scheme.
- For protection, it is recommended to download programs only from official sources and to keep antivirus software updated.

Hackers use fake Telegram site to infect computers / Collage 24 Channel/Depositphotos/Unsplash
Cybercriminals have developed a complex multi-stage scheme that relies on user inattention and on legitimate Windows operating system tools. Using a carefully copied website, the attackers distribute malicious software capable of bypassing standard protection systems.
The attack combines social engineering with a multi-stage execution chain. Simple attentiveness may be enough to avoid it, writes Cyber Press.
How does the scheme work?
Cybersecurity researchers have uncovered a large-scale campaign that uses a fake Telegram download site to spread malware. The attackers rely on typosquatting: registering domain names that differ from the official one by only a letter or two, for example telegrarn[.]com, telegrgam[.]com, telefgram[.]com or tejlegram[.]com. They copy the design of the official Telegram portal, which misleads users into downloading a malicious installer.
The file offered for download is called tsetup-x64.6.exe, a name that mimics the naming convention of official messenger installers.
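The article's advice to read every letter of a domain can be automated. The script below is an added example, not code from the article or from Cyber Press: it extracts the registrable label of a hostname, collapses character pairs that look like a single letter (so "rn" is read as "m", which is exactly the trick in telegrarn[.]com), and measures the edit distance to the brand name. The sample hostnames are constructed from the four domains the article lists plus benign controls; the confusable table and the distance threshold of 2 are hand-picked assumptions, not an exhaustive rule set.

```powershell
# Added example, not from the article: flag hostnames whose registrable label is
# a near-miss of "telegram", as the typosquatted domains above are.

function Get-EditDistance {
    # Classic Levenshtein distance (insert/delete/substitute cost 1), two rows.
    param([string]$Source, [string]$Target)
    $n = $Target.Length
    $prev = [int[]](0..$n)
    for ($i = 1; $i -le $Source.Length; $i++) {
        $cur = New-Object int[] ($n + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $n; $j++) {
            $cost = if ($Source[$i - 1] -eq $Target[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$n]
}

function ConvertTo-CanonicalLabel {
    # Collapse pairs that render like one letter in many fonts, so
    # "telegrarn" (r + n) compares equal to "telegram". Assumed, minimal table.
    param([string]$Label)
    $s = $Label.ToLowerInvariant()
    $confusables = [ordered]@{ 'rn' = 'm'; 'vv' = 'w'; '0' = 'o'; '1' = 'l'; '3' = 'e' }
    foreach ($k in $confusables.Keys) { $s = $s.Replace($k, $confusables[$k]) }
    return $s
}

function Test-LookalikeDomain {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [string]$Brand = 'telegram',
        [int]$MaxDistance = 2
    )
    # Registrable label: the part just before the public suffix. A two-label
    # split is enough for .com/.org; full public-suffix handling is out of scope.
    $labels = $Hostname.ToLowerInvariant().TrimEnd('.').Split('.')
    $label  = if ($labels.Count -ge 2) { $labels[-2] } else { $labels[0] }
    $canon  = ConvertTo-CanonicalLabel $label
    $dist   = Get-EditDistance $canon $Brand
    [pscustomobject]@{
        Hostname  = $Hostname
        Label     = $label
        Distance  = $dist
        # The genuine label is never a look-alike of itself.
        Lookalike = ($label -ne $Brand) -and ($dist -le $MaxDistance)
    }
}

# Constructed input: the four domains from the article, the genuine site, and
# two unrelated hosts that must not be flagged.
$samples = 'telegrarn.com', 'telegrgam.com', 'telefgram.com', 'tejlegram.com',
           'telegram.org', 'example.com', 'teleport.net'
$samples | ForEach-Object { Test-LookalikeDomain -Hostname $_ } | Format-Table -AutoSize
```

Run as-is, the four article domains come out with Lookalike = True (telegrarn[.]com at distance 0 once "rn" is folded to "m", the other three at distance 1), telegram.org is reported at distance 0 but not flagged, and example.com and teleport.net stay well above the threshold. Fed with hostnames from proxy or DNS logs instead of the constructed list, the same function gives a cheap first-pass filter for brand impersonation.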
What does the malware do?
Once this file is run, a complex infection chain begins. Its goal is to evade detection systems and establish long-term access to the victim's computer.
In the first stage, the program enumerates running processes from the command line, looking for specific applications, in particular the 0tray.exe process, which may indicate that protection tools are running or that the system is already infected with something else.
One of the most dangerous steps is the attempt to neutralize Windows’ built-in protection. The malicious code runs a PowerShell command that adds every system drive to the Windows Defender exclusion list. This effectively stops antivirus scanning on those drives, allowing the malware to operate unnoticed by standard security tools.
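Whole-drive exclusions are easy to check for and easy to miss. The script below is an added example, not code from the article or from Cyber Press: it reads Defender's configured path exclusions, flags any entry that is just a drive root, and pulls recent exclusion changes from the Defender event log, which keeps a record even after an attacker has cleaned up. It assumes a Windows host with the Defender PowerShell module (Get-MpPreference, Remove-MpPreference) run from an elevated prompt; the function names and the -Remediate switch are constructed for this example.

```powershell
# Added example, not from the article: audit Microsoft Defender path exclusions
# for entries that cover an entire drive, which is what the PowerShell step
# described above produces, and list recent exclusion changes.

function Get-DriveWideExclusion {
    param(
        # Paths to examine; defaults to the live Defender configuration.
        [string[]]$ExclusionPath = (Get-MpPreference).ExclusionPath
    )
    # "C:\", "C:" or "D:\" each exclude every file on that volume.
    $ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' }
}

function Get-RecentExclusionChange {
    # Defender logs event 5007 ("configuration changed") whenever a preference,
    # including an exclusion, is added or removed; the message names the
    # registry value under Exclusions\Paths. The event remains after the
    # exclusion itself is gone, which makes it the better artifact for timelines.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

function Invoke-ExclusionAudit {
    param([switch]$Remediate)
    $driveWide = @(Get-DriveWideExclusion)
    if ($driveWide.Count -eq 0) {
        Write-Output 'No whole-drive Defender exclusions configured.'
    } else {
        Write-Warning "Whole-drive Defender exclusions found: $($driveWide -join ', ')"
        if ($Remediate) {
            # Removing the entries restores scanning on those volumes. If the
            # call is refused, tamper protection may be enforcing the setting;
            # change it through the Windows Security console instead.
            Remove-MpPreference -ExclusionPath $driveWide
        }
    }
    Get-RecentExclusionChange | Format-Table -AutoSize -Wrap
}

Invoke-ExclusionAudit                # report only
# Invoke-ExclusionAudit -Remediate   # also remove the offending entries
```

A whole-drive exclusion is never a legitimate configuration, so the report branch alone is a useful scheduled check; the event-log query is the part worth keeping for incident response, because it records the moment the exclusion was added even if the malware later removes its own traces.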
The way the main malicious component is executed is also sophisticated. Instead of launching suspicious files directly, the hackers use the legitimate system utility rundll32.exe to load the AutoRecoverDat.dll library.
The library itself contains no obvious malicious code. It reads data from an XML file called GPUCache.xml, in which encrypted code is hidden. At run time the library extracts this data and reconstructs the complete malicious payload directly in the computer's RAM.
This approach, known as fileless execution, makes antivirus detection much harder because the final payload is never written to the hard drive as a recognisable file.
Once active in memory, the malware connects to a command-and-control server at IP address 27.50.59.77 on port 18852, GBHackers writes. This lets the attackers send commands to the infected device remotely, download updated components, and keep persistent control over the system.
Network traffic analysis showed that the program regularly receives new modules, which lets the hackers change the malware's functionality without the user ever having to download the initial installer again.
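The chain described above leaves two host-side indicators a defender can look for directly: a rundll32.exe process whose command line names a DLL that does not belong to Windows, and a TCP connection to the control server. The script below is an added example, not code from the article, Cyber Press or GBHackers. The DLL name, IP address and port come from the article; the function names, the "outside %SystemRoot%" heuristic and the output layout are constructed. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and CIM access to the process list.

```powershell
# Added example, not from the article: triage a host for rundll32.exe loading
# AutoRecoverDat.dll (or any DLL outside the Windows directory) and for a TCP
# connection to the control server the article names.

$C2Address = '27.50.59.77'   # from the article
$C2Port    = 18852           # from the article

function Get-SuspiciousRundll32 {
    # rundll32.exe is a signed Microsoft binary; the signal is which DLL it was
    # asked to load. Pull the DLL path from the command line and flag the
    # article's DLL name or any DLL not under the Windows directory. A relative
    # path (no directory at all) is treated as outside it, which is intended.
    $systemRoot = [regex]::Escape($env:SystemRoot)
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $cmd = [string]$_.CommandLine
        $dll = $null
        if ($cmd -match 'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)') { $dll = $Matches[1] }
        $flag = $false
        if ($dll) {
            $flag = ($dll -match 'AutoRecoverDat\.dll$') -or
                    ($dll -notmatch "^$systemRoot")
        }
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            ParentId    = $_.ParentProcessId
            Dll         = $dll
            CommandLine = $cmd
            Suspicious  = $flag
        }
    } | Where-Object Suspicious
}

function Get-C2Connection {
    param([string]$Address = $C2Address, [int]$Port = $C2Port)
    # Any state counts: a SYN_SENT towards a dead server is still evidence that
    # something on the host is trying to reach it.
    Get-NetTCPConnection -RemoteAddress $Address -RemotePort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalEndpoint  = "$($_.LocalAddress):$($_.LocalPort)"
                RemoteEndpoint = "$($_.RemoteAddress):$($_.RemotePort)"
                State          = $_.State
                ProcessId      = $_.OwningProcess
                ProcessName    = $proc.ProcessName
            }
        }
}

$rundll = @(Get-SuspiciousRundll32)
$c2     = @(Get-C2Connection)
if ($rundll.Count -eq 0 -and $c2.Count -eq 0) {
    Write-Output 'No rundll32 or control-server indicators found on this host.'
} else {
    $rundll | Format-Table -AutoSize -Wrap
    $c2     | Format-Table -AutoSize
}
```

The process check is the more durable of the two: the address and port can change with the next module the malware downloads, whereas rundll32 loading a DLL from a user-writable directory is a behaviour worth alerting on regardless of which campaign produced it. For fleet-wide coverage the same address and port belong in firewall or proxy rules, where a single match identifies the infected machine.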
What to do?
Experts emphasize that protection starts with using only official sources of software. Check the pages you visit carefully, literally reading every letter of the address. Do not download anything from advertisements on social networks or in Google. Instead, use a regular Google search to reach the site – legitimate addresses are always listed first.
It is also worth having reliable security software that can recognize suspicious process behaviour on the system. Update your antivirus regularly if this does not happen automatically.