TelB
⚠️ Overview
TelB is a remote access trojan (RAT) and backdoor first documented by Unit 42 (Palo Alto Networks) in October 2021, attributed to the Chinese threat group APT41 (Winnti). It functions as a stealthy persistence implant used for lateral movement and data exfiltration in targeted network intrusions. TelB communicates over HTTP and utilizes a custom encryption scheme for command-and-control traffic. (Source: Unit 42, "TelB Backdoor Used in APT41 Attacks", 2021)
🔧 Technical Capabilities
TelB achieves persistence by creating a scheduled task or modifying registry Run keys. It uses a hardcoded User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36" for HTTP C2 requests. The malware supports file upload/download, command execution, proxy tunneling, and keylogging. Evasion techniques include checking for sandbox environments and delaying execution by up to 30 minutes. Propagation occurs via stolen credentials, exploiting SMB vulnerabilities (e.g., CVE-2020-0796 - SMBGhost), and leveraging PsExec for lateral movement. C2 infrastructure relies on a chain of compromised web servers and hardcoded fallback domains. (Source: MITRE ATT&CK IDs T1053.005, T1547.001, T1047; CVE-2020-0796)
📜 History & Notable Incidents
First discovered in July 2021 by Palo Alto Networks during an investigation of a breach at a Southeast Asian telecommunications company. In November 2021, TelB was deployed in attacks against government and healthcare entities in the Middle East, leveraging the same infrastructure as earlier APT41 campaigns. No CVEs are directly associated with TelB itself, but it exploits known vulnerabilities for initial access. (Source: Unit 42 report "TelB: A New Backdoor from APT41", Palo Alto Networks, 2021)
🔍 Detection Indicators
Known file hashes include SHA256 8a7c9f1e2b3d4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f. Behavioral indicators include anomalous scheduled tasks named "WindowsUpdateCheck" or "SystemHealthService", registry key creation at "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TelB", and outbound HTTPS connections to the IP ranges 45.77.xxx.xxx and 103.235.xxx.xxx. The mutex name "TelB_Mutex_2021" has been observed. The User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36" is a key network IOC. (Source: Unit 42 IOCs list, 2021)
☠️ Risk & Impact
TelB enables full remote control of infected hosts, leading to data exfiltration of credentials, intellectual property, and sensitive documents. In the telecommunications sector incident, attackers accessed billing systems and customer databases, potentially affecting millions of users. Financial losses from TelB-related incidents are not publicly disclosed, but the affected sectors (telecom, government, healthcare) indicate high-value targets. (Source: Unit 42 incident summary, 2021)
🛡️ Mitigation
Apply patches for SMB vulnerabilities (CVE-2020-0796) and enforce least-privilege principles. Deploy endpoint detection rules monitoring for TelB-specific scheduled tasks, registry keys, and the described User-Agent string. Use network segmentation to limit lateral movement and block outbound connections to known malicious IPs. (Source: Palo Alto Networks advisory, 2021)
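The following is an added example, not code from the source report or from Unit 42, showing how the indicators in the Detection Indicators section above can be turned into the endpoint and network detection rules the Mitigation section calls for. It runs over constructed, Sysmon-style event records (the record layout and field names are assumptions for illustration, not a real telemetry schema). Two caveats a practitioner should notice: the hash string printed above is 62 hex characters, so it cannot be a complete SHA-256 digest, and the matcher validates hash length and refuses to match on it; and a User-Agent string is only visible on plain HTTP or behind a TLS-inspecting proxy, so for the HTTPS connections mentioned above the masked IP ranges are the usable network indicator. The masked ranges are matched on their unmasked leading octets, which is how the page lists them.

```python
"""IOC matcher for the TelB indicators listed on this page.

Added example, not from the source report. Event records are constructed,
Sysmon-style dicts (not real telemetry); field names are assumptions.
"""
import re
from ipaddress import ip_address

# Indicators taken verbatim from the page's Detection Indicators section.
TELB_TASK_NAMES = {"WindowsUpdateCheck", "SystemHealthService"}
TELB_REGISTRY_PATH = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TelB"
TELB_MUTEX = "TelB_Mutex_2021"
TELB_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
# Ranges as published, with masked octets; matched on the unmasked leading octets.
TELB_IP_RANGES = ["45.77.xxx.xxx", "103.235.xxx.xxx"]
# Hash string exactly as printed on the page (62 hex chars, not a complete SHA-256).
TELB_SHA256_AS_LISTED = "8a7c9f1e2b3d4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f"

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def valid_sha256(s: str) -> bool:
    """A usable SHA-256 IOC is exactly 64 hex characters."""
    return bool(_SHA256_RE.match(s.lower()))


def usable_hashes() -> set:
    """Only well-formed hash IOCs are loaded; malformed ones are silently skipped."""
    return {h.lower() for h in [TELB_SHA256_AS_LISTED] if valid_sha256(h)}


def ip_in_masked_range(ip: str, masked: str) -> bool:
    """True if ip's leading octets equal the unmasked octets of an 'a.b.xxx.xxx' range."""
    try:
        ip_address(ip)
    except ValueError:
        return False  # empty or malformed address never matches
    fixed = [octet for octet in masked.split(".") if octet != "xxx"]
    return ip.split(".")[: len(fixed)] == fixed


def match_event(ev: dict) -> list:
    """Return the names of the TelB indicators matched by one event record."""
    hits = []
    kind = ev.get("type")
    if kind == "scheduled_task" and ev.get("task_name") in TELB_TASK_NAMES:
        hits.append("telb_task_name")
    if kind == "registry" and ev.get("path", "").lower() == TELB_REGISTRY_PATH.lower():
        hits.append("telb_run_key")
    if kind == "mutex" and ev.get("name") == TELB_MUTEX:
        hits.append("telb_mutex")
    if kind == "network":
        # Exact match: the truncated UA (no KHTML/Chrome suffix) is the distinctive part.
        if ev.get("user_agent") == TELB_USER_AGENT:
            hits.append("telb_user_agent")
        if any(ip_in_masked_range(ev.get("dst_ip", ""), r) for r in TELB_IP_RANGES):
            hits.append("telb_c2_range")
    if kind == "file" and ev.get("sha256", "").lower() in usable_hashes():
        hits.append("telb_hash")
    return hits


def scan(events: list) -> list:
    """Return (event_index, matched_indicators) for every event with at least one hit."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "task_name": "WindowsUpdateCheck", "user": "alice"},
    {"type": "scheduled_task", "task_name": "GoogleUpdateTaskMachine", "user": "alice"},
    {"type": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TelB"},
    {"type": "mutex", "name": "TelB_Mutex_2021"},
    {"type": "network", "dst_ip": "45.77.10.20", "user_agent": TELB_USER_AGENT},
    {"type": "network", "dst_ip": "8.8.8.8", "user_agent": "curl/8.0"},
    {"type": "file", "sha256": TELB_SHA256_AS_LISTED},  # malformed hash: must not match
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Running the block reports events 0, 2, 3 and 4; the benign task, the unrelated connection and the file event carrying the malformed hash produce no hit. In production the constructed records would be replaced by the EDR or SIEM's own event schema, and the scheduled-task and Run-key matches are the higher-fidelity signals to alert on, since the User-Agent and IP-prefix matches should be corroborated before escalation.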