Telekopye: Hunting Mammoths using Telegram bot

Telekopye is a Telegram-based toolkit that helps scammers run targeted phishing campaigns by generating phishing web pages, emails, and SMS messages aimed at users of online marketplaces. The article analyzes its features, its group-based organization, and how its operators, who call themselves Neanderthals, use it to defraud the victims they call Mammoths, including how phishing content is produced and how payouts are managed. #Telekopye #Neanderthals #Mammoths #OLX #eBay

Keypoints

  • Telekopye is delivered as a Telegram bot that generates the phishing content scammers use against their victims.
  • It targets online marketplaces, notably platforms popular in Russia, but also global sites.
  • The toolkit creates phishing web pages from templates and can generate and send phishing emails and SMS messages.
  • User groups are organized in a clear hierarchy (Administrators, Moderators, Good workers/Support bots, Workers, Blocked).
  • Telekopye includes features such as a group interface, country-based phishing templates, and capabilities for image manipulation and fake screenshots.

MITRE Techniques

  • [T1589] Gather Victim Identity Information – Telekopye is used to gather debit/credit card details, phone numbers, emails, etc. via phishing web pages.
  • [T1583.001] Acquire Infrastructure: Domains – Telekopye operators register their own domains.
  • [T1585] Establish Accounts – Telekopye operators establish accounts on online marketplaces.
  • [T1585.002] Establish Accounts: Email Accounts – Telekopye operators set up email addresses associated with the domains they register.
  • [T1586.002] Compromise Accounts: Email Accounts – Telekopye operators use compromised email accounts to increase their stealthiness.
  • [T1587.001] Develop Capabilities: Malware – Telekopye is custom malware.
  • [T1566.002] Initial Access: Phishing: Spearphishing Link – Telekopye sends links to phishing websites in emails or SMS messages.
  • [T1056.003] Collection: Input Capture: Web Portal Capture – Web pages created by Telekopye capture sensitive information and report it to operators.

Indicators of Compromise

  • [SHA-1] Telekopye scam toolkit – 26727D5FCEEF79DE2401CA0C9B2974CD99226DCB, 285E0573EF667C6FB7AEB1608BA1AF9E2C86B452, and 8A3CA9EFA2631435016A4F38FF153E52C647146E
  • [Filename] Telekopye related files – scam.php, tinkoff.php, 600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a.php
  • [Domain] Telekopye testing domains – id23352352.ru, id8092.ru
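As an added example (not code from the ESET article or from the Telekopye toolkit), the following Python sweeps log lines for the indicators listed above. The log format (timestamp, record kind, value) and every log line are constructed for illustration; the indicator values themselves are the ones from the list. Domain matching is label-aligned, so a subdomain of an IoC domain is a hit but a look-alike such as not-id8092.ru is not; hashes are compared case-insensitively and filenames on the basename only.

```python
"""Sweep constructed DNS/URL/file/hash log lines for the Telekopye IoCs above.

Added example, not part of the ESET article or of Telekopye itself.
The log format and all log lines are constructed for illustration.
"""
import hashlib
import re

# Indicators copied from the IoC list on this page.
TELEKOPYE_SHA1 = {
    "26727D5FCEEF79DE2401CA0C9B2974CD99226DCB",
    "285E0573EF667C6FB7AEB1608BA1AF9E2C86B452",
    "8A3CA9EFA2631435016A4F38FF153E52C647146E",
}
TELEKOPYE_FILENAMES = {
    "scam.php",
    "tinkoff.php",
    "600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a.php",
}
TELEKOPYE_DOMAINS = {"id23352352.ru", "id8092.ru"}


def domain_matches(host: str, iocs=TELEKOPYE_DOMAINS) -> bool:
    """True if host is an IoC domain or a subdomain of one.

    Label-aligned: 'pay.id8092.ru' matches, 'not-id8092.ru' does not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def sha1_matches(digest: str) -> bool:
    """Compare a hex SHA-1 against the IoC set, ignoring case/whitespace."""
    return digest.strip().upper() in TELEKOPYE_SHA1


def file_sha1_matches(data: bytes) -> bool:
    """Hash raw file content and check it against the IoC set."""
    return sha1_matches(hashlib.sha1(data).hexdigest())


def filename_matches(path: str) -> bool:
    """Match on the basename so a directory prefix cannot hide a hit."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name in TELEKOPYE_FILENAMES


# Host part of a URL: optional scheme, then everything up to /, :, ? or #.
HOST_RE = re.compile(r"^(?:https?://)?([^/:?#]+)")


def scan_line(line: str):
    """Return (kind, value) if the line carries a Telekopye IoC, else None.

    Hypothetical (constructed) line format: "<timestamp> <kind> <value>"
    where kind is one of dns, url, file, hash.
    """
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    _ts, kind, value = parts
    if kind == "dns" and domain_matches(value):
        return ("domain", value.lower())
    if kind == "url":
        m = HOST_RE.match(value)
        if m and domain_matches(m.group(1)):
            return ("domain", m.group(1).lower())
    if kind == "file" and filename_matches(value):
        return ("filename", value)
    if kind == "hash" and sha1_matches(value):
        return ("sha1", value.strip().upper())
    return None


def sweep(lines):
    """Return [(line_number, kind, value), ...] for every IoC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            hits.append((n, *hit))
    return hits


# Constructed sample log; only lines 2, 3, 5, 6 and 8 should hit.
SAMPLE_LOG = """\
2023-08-10T12:00:01Z dns www.example.org
2023-08-10T12:00:02Z dns pay.id8092.ru
2023-08-10T12:00:03Z url https://id23352352.ru/pay/?order=123
2023-08-10T12:00:04Z url https://not-id8092.ru/
2023-08-10T12:00:05Z url http://id8092.ru:8080/login
2023-08-10T12:00:06Z file /var/www/html/shop/tinkoff.php
2023-08-10T12:00:07Z file /tmp/scam.php.bak
2023-08-10T12:00:08Z hash 26727d5fceef79de2401ca0c9b2974cd99226dcb
2023-08-10T12:00:09Z hash 0000000000000000000000000000000000000000
""".splitlines()

if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOG):
        print(f"line {n}: {kind} IoC {value}")
```

The page labels the two domains as testing domains, so a hit on them is a lead to investigate rather than proof of a live campaign; operators register their own production domains (T1583.001), which this list does not cover.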

Read more: https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/