Telegram EvilVideo Hack Your Android Phone Exploit (Unpatched)


This article examines a scenario that works similarly to the CVE-2024-7014 vulnerability. A file with an ".htm" extension is disguised as a video and sent via the Telegram API; the user expects a video, but the JavaScript inside the HTML is what actually gets executed.

Technical Details

Evilloader is a loader that allows attackers to download and run additional malicious payloads on target systems. CVE-2024-7014 describes an update in the anti-analysis mechanisms of this module. In this scenario, the fake video leads the victim to a malware download page (a fake Play Protect) and also sends the victim's address to an IP logger.

Vulnerability Details

The root cause of the vulnerability is that a file with the ".htm" extension, as returned by the Telegram servers, is presented to the client as a video. The ".htm" content is then opened in a browser through a "content://" URI, namely: content://org.telegram.messenger.provider/media/Android/data/org.telegram.messenger/files/Telegram/Telegram%20Video/4_5924894289476721732.htm The content is loaded, so the embedded HTML page is triggered and rendered.

Content Injection


Scenario (IP logger)

The victim may try to open this file with a video player; when that fails (since it is not an actual video format), the file can be handed off to the default browser, or, if it is recognised as an "HTML file", it can be double-clicked to open in the browser. Either way, the malicious JavaScript runs.

If the victim downloaded the file from Telegram believing it was a video, the browser actually renders the HTML content, and the victim's IP information is sent to the attacker's server.
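The whole trick rests on a mismatch between what the attachment claims to be (a video) and what its bytes actually are (HTML). The following is an added example, not code from the original post or from Telegram, of a defensive check that inspects the leading bytes of an attachment and flags HTML delivered under a video MIME type; the sample buffers and file names are constructed for illustration.

```python
import re

# Real video containers start with recognisable magic bytes:
# MP4/3GP/MOV carry an ISO BMFF 'ftyp' box at offset 4, WebM/Matroska an EBML header.
_EBML_MAGIC = b"\x1a\x45\xdf\xa3"
_HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<body|<head", re.IGNORECASE)


def looks_like_video(data: bytes) -> bool:
    """True when the leading bytes match a known video container."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return True
    return data[:4] == _EBML_MAGIC


def looks_like_html(data: bytes) -> bool:
    """True when the head of the file contains HTML markup (BOM and whitespace tolerated)."""
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    return _HTML_MARKERS.search(head) is not None


def classify_attachment(name: str, declared_mime: str, data: bytes) -> str:
    """Compare the declared type of an attachment with its real content.

    Returns one of: 'html-disguised-as-video', 'not-a-video-container',
    'extension-mismatch', 'ok'.  Only the first verdict is the EvilVideo pattern;
    the others are weaker signals worth logging.
    """
    is_video_mime = declared_mime.lower().startswith("video/")
    if is_video_mime and looks_like_html(data):
        return "html-disguised-as-video"
    if is_video_mime and not looks_like_video(data):
        return "not-a-video-container"
    if is_video_mime and name.lower().endswith((".htm", ".html")):
        return "extension-mismatch"
    return "ok"


# Constructed samples (not real captures): a minimal MP4 header, a WebM header,
# and a benign HTML document that would be opened by the browser instead of a player.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 32
SAMPLE_WEBM = _EBML_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x1f" + b"\x00" * 32
SAMPLE_HTML = b"\xef\xbb\xbf<!DOCTYPE html><html><body><script>document.title='x'</script></body></html>"

if __name__ == "__main__":
    print(classify_attachment("clip.mp4", "video/mp4", SAMPLE_MP4))        # ok
    print(classify_attachment("sample.htm", "video/mp4", SAMPLE_HTML))    # html-disguised-as-video
```

The same check can be run on files already stored under the client's "Telegram Video" directory, where a ".htm" name alongside video content is itself a warning sign.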
