However, the malware also has unusual aspects, such as the use and abuse of Telegram Messenger’s communication protocol to send decryption keys to the threat actor, which, according to Securelist, makes it the “first cryptor to use the Telegram protocol in an encryption malware case.”
Cryptors either encrypt files offline or keep a line of communication open with their operator; this Trojan chooses the latter. Keeping that line between the threat actor and the ransomware concealed and protected requires building a secure channel, and this often increases the cost of malware development.
To avoid these costs, TeleCrypt abuses the publicly available Telegram Bot API: the threat actor registers a bot, and the unique token generated for it is embedded in the malware’s body so the Trojan can call the Telegram API.
Using this channel, rather than talking to the operator’s command and control (C&C) server over the simple HTTP-based protocols that many ransomware variants rely on, gives the operator better security and makes tracing them more difficult.
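From the defender’s side, the same design choice is a detection opportunity: every Bot API call goes to `api.telegram.org` with the bot token in the URL path, so an embedded token shows up both in outbound proxy logs and as a string inside the sample. The following is an added example (not code from the page, from Securelist or from TeleCrypt itself) that scans constructed proxy log lines and a constructed byte blob for Bot API usage. The `key=value` log format, the sample token and the 30-40 character secret length accepted by the regex are assumptions made for this example; it also goes beyond the text by generalising to any Bot API method, not just the key-upload message.

```python
import re
from collections import Counter

# Telegram Bot API requests have the shape https://api.telegram.org/bot<token>/<method>.
# A token is "<numeric bot id>:<secret>". The secret length range below is an
# assumption based on commonly seen tokens, not a documented limit.
BOT_API_PATH_RE = re.compile(r"/bot(\d{6,12}):([A-Za-z0-9_-]{30,40})/([A-Za-z]+)")
BOT_TOKEN_RE = re.compile(rb"(\d{6,12}):([A-Za-z0-9_-]{30,40})")

# Constructed proxy log format: whitespace-separated key=value pairs.
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample data. The token is fake and chosen only for its shape.
FAKE_TOKEN = "123456789:AAEfakeTOKENfakeTOKENfakeTOKEN12345"
SAMPLE_LOG = [
    "ts=2016-11-08T10:15:30Z src=10.0.0.23 method=GET host=www.example.com path=/index.html status=200",
    f"ts=2016-11-08T10:15:32Z src=10.0.0.23 method=GET host=api.telegram.org path=/bot{FAKE_TOKEN}/getMe status=200",
    f"ts=2016-11-08T10:15:33Z src=10.0.0.23 method=POST host=api.telegram.org path=/bot{FAKE_TOKEN}/sendMessage?chat_id=1 status=200",
    "ts=2016-11-08T10:16:01Z src=10.0.0.44 method=GET host=web.telegram.org path=/ status=200",
    f"ts=2016-11-08T10:16:05Z src=10.0.0.44 method=POST host=api.telegram.org path=/bot{FAKE_TOKEN}/sendDocument status=200",
]
# Constructed stand-in for a binary's string table with the token embedded.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://api.telegram.org/bot" + FAKE_TOKEN.encode() + b"/sendMessage\x00"
    + b"chat_id=\x00" + b"\x00" * 8
)


def parse_log_line(line):
    """Turn one 'key=value key=value ...' proxy log line into a dict."""
    return dict(LOG_FIELD_RE.findall(line))


def redact(bot_id, secret):
    """Keep the bot id (useful for abuse reports) but hide most of the secret."""
    return f"{bot_id}:{secret[:4]}..." + "*" * (len(secret) - 4)


def detect_telegram_bot_api(log_lines):
    """Return one finding per proxy request that carries a bot token in its path."""
    findings = []
    for line in log_lines:
        fields = parse_log_line(line)
        if fields.get("host") != "api.telegram.org":
            continue  # web.telegram.org and other hosts are ordinary client traffic
        m = BOT_API_PATH_RE.search(fields.get("path", ""))
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        findings.append({
            "src": fields.get("src"),
            "bot_id": bot_id,
            "token": redact(bot_id, secret),
            "api_method": api_method,
        })
    return findings


def calls_per_source(findings):
    """Count Bot API calls per internal source so noisy hosts stand out."""
    return Counter(f["src"] for f in findings)


def find_embedded_tokens(data):
    """Return redacted token strings found in a byte blob.

    The token regex alone can hit unrelated data, so a real rule should also
    require the literal host string nearby; this function only reports matches.
    """
    return [redact(b.decode(), s.decode()) for b, s in BOT_TOKEN_RE.findall(data)]


if __name__ == "__main__":
    for f in detect_telegram_bot_api(SAMPLE_LOG):
        print(f)
    print(calls_per_source(detect_telegram_bot_api(SAMPLE_LOG)))
    print(find_embedded_tokens(SAMPLE_BLOB))
```

The bot id survives redaction on purpose: it is the handle an incident responder would quote when reporting the bot for takedown, while the secret half of the token is exactly what should not end up in a ticket or a SIEM dashboard.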
These malicious actors are getting craftier by the day.