The article explains how malware exfiltrates data through Telegram and Discord and how to intercept and analyze that activity using the Telegram API, Discord webhooks, and MITM techniques. It also provides step-by-step guidance, Python scripts, and sandbox evidence to help identify threat actors and sample families. Hashtags: #ANYRUN #TelegramAPI #DiscordWebhooks #ThreatIntelligenceLookup #MITMProxy
Keypoints
- Malware often uses Telegram and Discord for data exfiltration due to their simplicity and lack of need for complex server infrastructure.
- Threat Intelligence Lookup can be used to find relevant malware samples and related threat evidence.
- MITM Proxy can be enabled to inspect HTTP requests during sandbox sessions to observe exfiltration methods.
- Telegram API methods such as /sendMessage and /sendDocument are commonly used for exfiltration of text and files.
- The presence of a Telegram webhook indicates a higher chance of detection; absence lowers detection risk.
- Python scripts are provided for automating bot creation, forwarding messages, and managing groups and bots.
- Discord uses webhooks and a Snowflake ID system that complicates message retrieval and forensics.
MITRE Techniques
- [T1041] Exfiltration Over Command and Control Channel β Malware uses Telegram and Discord APIs to send exfiltrated data. βMalware uses Telegram and Discord APIs to send exfiltrated data.β
- [T1071] Application Layer Protocol β Utilizes Telegram and Discord as application layer protocols for data transmission. βUtilizes Telegram and Discord as application layer protocols for data transmission.β
- [T1022] Data Encrypted β Data sent via Telegram and Discord may be encrypted, depending on the implementation. βData sent via Telegram and Discord may be encrypted, depending on the implementation.β
Indicators of Compromise
- [MD5] Malware hashes β ddbaaa52ea1192377573a76e4ac8fb7b, 6aba4665085cf92ad3d569a7b37f2b53, and 4 more hashes
- [SHA256] Malware hashes β 4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897, 7f158a2e68162d7e882dc389c8c4d8e4dcd1161272fd4ba5a2edd63e31385f69, and 4 more hashes
- [File Name] Malicious binary/file names β SOA.pdf.exe, svchost.exe / Builder.exe, and 4 more
- [URL] Telegram API endpoints β https://api.telegram.org/bot/getWebhookInfo, https://api.telegram.org/bot/sendMessage
- [URL] Discord webhook endpoints β https://discord.com/api/webhooks//, https://discord.com/api/webhooks///messages/
- [Credential] Telegram bot tokens β redacted_token_1, redacted_token_2
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/intercept-stolen-data-in-telegram/