Rebex-based Telegram RAT Targeting Vietnam
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A malicious CHM file delivered inside a ZIP archive drops a rogue Python runtime along with a C++ DLL that decrypts an embedded payload. That payload establishes persistence through a Winlogon shell hijack, a scheduled task, and abuse of MSBuild, then launches a .NET-based Telegram RAT. The malware communicates with a Telegram bot using a hard-coded token and supports command execution, token replacement, and file download. The campaign has been observed targeting victims in Vietnam and currently shows no detections on VirusTotal.
Investigation
Analysis of the CHM file revealed a script that decompiled the archive, cleared PYTHONHOME, and launched a renamed Python executable with a compiled bytecode file. The bytecode then loaded a DLL that decrypted an encrypted DOCX blob, extracted additional components, and wrote them to temporary locations. The DLL created registry entries, scheduled a task named Doubt, and executed an MSBuild XML file to load a second DLL, which ultimately deployed the .NET Telegram RAT. The RAT relied on hard-coded Telegram bot credentials for command-and-control.
Mitigation
Defenders should block execution of CHM files from untrusted sources and restrict the use of hh.exe, msbuild.exe, and PowerShell for unsigned or suspicious scripts. Monitoring should focus on Winlogon Shell registry modifications, unusual scheduled task creation, and newly dropped DLLs in temporary directories. Organizations should also inspect Telegram API traffic through proxy controls and enforce least-privilege access for end users.
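The monitoring points above (and the detection names listed further down) as a small triage routine run over constructed sample telemetry. This is an added example, not code from the original report or its detection content: the event shape, user paths and hostnames are assumptions; ioy24euj.dll, mechaniSm.xml, the CV .chm name, the task name Doubt, UpdateHelp.chm, _pJifgWSwPi.exe and C:\Temp\Payloads are taken from the report.

```python
TEMP_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SHELL_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
# Constructed sample telemetry, not captured data: file names, the task name and the
# C:\Temp\Payloads path come from the report; user paths and hosts are invented.
SAMPLE_EVENTS = [
    {"type": "cmdline", "cmdline": r"hh.exe -decompile C:\Temp\Payloads C:\Users\Public\UpdateHelp.chm"},
    {"type": "cmdline", "cmdline": r"msbuild.exe C:\Temp\Payloads\mechaniSm.xml"},
    {"type": "cmdline", "cmdline": "schtasks /create /tn Doubt /sc weekly /d FRI /st 00:00 /tr shutdown.exe"},
    {"type": "cmdline", "cmdline": "shutdown.exe /s /f /t 0"},
    {"type": "registry_event", "key": SHELL_KEY, "value": r"C:\Temp\Payloads\_pJifgWSwPi.exe"},
    {"type": "registry_event", "key": SHELL_KEY, "value": "explorer.exe"},  # default, must not alert
    {"type": "file_event", "path": r"C:\Users\u1\AppData\Local\Temp\ioy24euj.dll"},
    {"type": "file_event", "path": r"C:\Users\u1\Downloads\CV - Vu PLPC KT nam 2026.chm"},
    {"type": "dns_query", "query": "api.telegram.org"},
    {"type": "dns_query", "query": "update.example.com"},  # benign lookup, must not alert
]

def classify(ev):
    """Return the name of the first detection an event satisfies, else None."""
    t = ev["type"]
    if t == "cmdline":
        c = ev["cmdline"].lower()
        if "hh.exe" in c and "-decompile" in c:
            return "LOLBAS HH suspicious arguments"
        if "msbuild" in c and any(d in c for d in TEMP_DIRS):
            return "MSBuild proxy execution from temp path"
        if "schtasks" in c and "/create" in c:
            return "Scheduled task creation (review task name, e.g. Doubt)"
        if c.startswith("shutdown") and (" /s" in c or " /r" in c):
            return "Shutdown used for forcing a halt or reboot"
    elif t == "registry_event":
        if ev["key"].lower().endswith("\\winlogon\\shell") and ev["value"].lower() != "explorer.exe":
            return "Winlogon Shell ASEP hijack"
    elif t == "file_event":
        p = ev["path"].lower()
        if p.endswith(".chm"):
            return "CHM file written to disk"
        if p.endswith(".dll") and any(d in p for d in TEMP_DIRS):
            return "DLL dropped in temporary directory"
    elif t == "dns_query" and ev["query"].lower().endswith("telegram.org"):
        return "Possible Telegram C2 channel"
    return None

def triage(events):  # group events by the detection they fired; benign events are dropped
    hits = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(name, []).append(ev)
    return hits
```

Run against the sample set, eight of the ten events fire one detection each; the default explorer.exe Shell value and the unrelated DNS lookup stay silent.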
Response
Security teams should identify and isolate affected hosts, collect volatile evidence, and extract the malicious DLLs and scripts for analysis. The Winlogon Shell value and the scheduled task should be removed, dropped files deleted, and altered registry settings restored to a known-good state. Any exposed Telegram bot tokens should be rotated immediately, and defenders should continue monitoring for additional command-and-control activity. A full forensic investigation is recommended to determine whether data was exfiltrated.
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccccff
    classDef registry fill:#ffddaa
    %% Nodes
    initial_access_phishing["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Email with malicious CHM disguised as Word document sent to victim."]
    class initial_access_phishing action
    file_chm["<b>Malware</b> – <b>File</b>: CV – Vu PLPC KT nam 2026.chm<br/>Disguised with double-extension to appear as .doc."]
    class file_chm malware
    defense_masquerade["<b>Action</b> – <b>T1036.008 Masquerading</b><br/>CHM file masquerades as Word document using double extension."]
    class defense_masquerade action
    defense_obfuscation["<b>Action</b> – <b>T1027.006 Obfuscated Files or Information</b><br/>HTML smuggling hides malicious code inside CHM."]
    class defense_obfuscation action
    execution_user["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Victim opens CHM, HTML/JS runs OBJECT tag launching cmd.exe."]
    class execution_user action
    process_cmd["<b>Process</b> – cmd.exe<br/>Launched by CHM via OBJECT tag."]
    class process_cmd process
    execution_msbuild["<b>Action</b> – <b>T1127.001 Trusted Developer Utilities Proxy Execution</b><br/>Script drops mechaniSm.xml and calls msbuild.exe to load malicious .NET DLL."]
    class execution_msbuild action
    tool_msbuild["<b>Tool</b> – msbuild.exe<br/>Used to load ioy24euj.dll."]
    class tool_msbuild tool
    file_dll["<b>Malware</b> – <b>DLL</b>: ioy24euj.dll<br/>Contains .NET code for persistence and payload delivery."]
    class file_dll malware
    persistence_autostart["<b>Action</b> – <b>T1547.014 Active Setup</b><br/>DLL modifies HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to point to renamed msbuild wrapper."]
    class persistence_autostart action
    registry_mod["<b>Registry</b> – HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell<br/>Set to custom msbuild wrapper for auto-run."]
    class registry_mod registry
    persistence_event["<b>Action</b> – <b>T1546.009 AppCert DLLs</b><br/>DLL loaded via ctypes.CDLL and later executed to decrypt further payloads."]
    class persistence_event action
    dll_load["<b>Process</b> – ctypes.CDLL load<br/>Loads the malicious DLL into process space."]
    class dll_load process
    privilege_injection["<b>Action</b> – <b>T1055.001 Process Injection</b><br/>DLL injects code into cmd.exe to run payloads."]
    class privilege_injection action
    process_injection["<b>Process</b> – DLL injection into cmd.exe<br/>Enables execution of further malicious routines."]
    class process_injection process
    command_and_control["<b>Action</b> – <b>T1573 Encrypted Channel</b><br/>.NET RAT communicates with Telegram bot using XOR-encrypted and base64 encoded messages."]
    class command_and_control action
    c2_telegram["<b>Tool</b> – Telegram bot<br/>Receives commands and exfiltrates data via encrypted channel."]
    class c2_telegram tool
    impact_shutdown["<b>Action</b> – <b>T1529 System Shutdown/Reboot</b><br/>Scheduled task “Doubt” created to shut down system every Friday at midnight."]
    class impact_shutdown action
    scheduled_task["<b>Process</b> – Scheduled Task “Doubt”<br/>Triggers system shutdown on schedule."]
    class scheduled_task process
    %% Connections
    initial_access_phishing -->|delivers| file_chm
    file_chm -->|uses| defense_masquerade
    file_chm -->|uses| defense_obfuscation
    file_chm -->|triggers| execution_user
    execution_user -->|launches| process_cmd
    process_cmd -->|enables| execution_msbuild
    execution_msbuild -->|uses| tool_msbuild
    tool_msbuild -->|loads| file_dll
    file_dll -->|enables| persistence_autostart
    persistence_autostart -->|modifies| registry_mod
    file_dll -->|enables| persistence_event
    persistence_event -->|loads via| dll_load
    dll_load -->|performs| privilege_injection
    privilege_injection -->|injects into| process_injection
    process_injection -->|facilitates| command_and_control
    command_and_control -->|uses| c2_telegram
    command_and_control -->|leads to| impact_shutdown
    impact_shutdown -->|creates| scheduled_task
Attack Flow
Detections
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
Shutdown Used For Forcing a System Halt or Reboot (via cmdline)
LOLBAS HH – HTML Help Executable Program Suspicious Arguments (via cmdline)
Suspicious Binary / Scripts in Autostart Location (via file_event)
Possible Execution by Writing of File with Microsoft Compiled HTML Help (.chm) Extension (via file_event)
Possible Telegram Abuse As Command And Control Channel (via dns_query)
IOCs (HashSha256) to detect: Rebex-based Telegram RAT Targeting Vietnam
CHM File Execution Leading to Malicious Activity [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative directly reflect the identified TTPs and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands
- Delivery: The attacker delivers a malicious .chm file (named UpdateHelp.chm) to the victim.
- Decompilation: The victim (or a malicious script) runs hh.exe with the -decompile flag to extract the embedded payload:
  hh.exe -decompile C:\Temp\Payloads C:\Users\Public\UpdateHelp.chm
  This generates the process‑creation event that the rule watches (hh.exe + -decompile).
- Payload Execution – Renamed Interpreter: Inside the extracted files is a renamed Python interpreter (_pJifgWSwPi.exe). The attacker launches it via cmd.exe to maintain a low profile:
  cmd.exe /c "C:\Temp\Payloads\_pJifgWSwPi.exe -c "import os; os.system('whoami')""
  This satisfies the cmd.exe condition of the rule.
- Signed‑Binary Proxy – Msbuild: The Python payload writes a malicious .proj file and then invokes msbuild.exe to execute it, achieving persistence or further code execution:
  msbuild.exe C:\Temp\Payloads\malicious.proj /target:Build
Regression Test Script
#=============================================================
# CHM‑Based Attack Simulation – Triggers Sigma Rule
#=============================================================

# Variables
$chmPath   = "C:\Users\Public\UpdateHelp.chm"
$outFolder = "C:\Temp\Payloads"
$renamedPy = "_pJifgWSwPi.exe"
$projFile  = "malicious.proj"

# 1. Ensure output folder exists
New-Item -ItemType Directory -Force -Path $outFolder | Out-Null

# 2. Simulate decompiling the CHM file
Write-Host "[*] Decompiling CHM..."
hh.exe -decompile $outFolder $chmPath

# 3. Place a copy of python.exe (or any benign exe) as the renamed interpreter
Copy-Item -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
          -Destination "$outFolder\$renamedPy" -Force

# 4. Execute the renamed interpreter via cmd.exe
Write-Host "[*] Launching renamed interpreter via cmd.exe..."
cmd.exe /c "`"$outFolder\$renamedPy`" -c `"Write-Host 'Simulated payload executed'`""

# 5. Create a trivial msbuild project that echoes a message
$projContent = @"
<Project ToolsVersion='4.0' xmlns='http://schemas.microsoft.com/developer/msbuild/2003'>
  <Target Name='Build'>
    <Message Text='Msbuild executed malicious project' Importance='High'/>
  </Target>
</Project>
"@
Set-Content -Path "$outFolder\$projFile" -Value $projContent -Encoding ASCII

# 6. Run msbuild.exe on the malicious project
Write-Host "[*] Executing msbuild.exe..."
msbuild.exe "$outFolder\$projFile" /target:Build

Write-Host "[+] Simulation complete."
Cleanup Commands
# Stop any lingering processes (if still running)
Get-Process -Name "_pJifgWSwPi","hh","msbuild","cmd" -ErrorAction SilentlyContinue | Stop-Process -Force

# Remove generated files and folders
Remove-Item -Recurse -Force -Path "C:\Temp\Payloads"

# Optionally delete the CHM file if it was created for the test
Remove-Item -Force -Path "C:\Users\Public\UpdateHelp.chm" -ErrorAction SilentlyContinue

Write-Host "[+] Cleanup completed."