Threat actors are increasingly relying on Telegram and Discord apps for data exfiltration. Analysts at ANY.RUN shared a detailed guide to intercepting data stolen by malware from infected machines via these apps. The researchers outlined each step of the process and provided actionable tips that can be useful in threat investigations.
Collecting Threat Actors’ Chat ID and Bot Token
To start the process of collecting threat actor’s Chat ID and bot token, the analysts found a relevant malware sample related to the domain “api.telegram.org” using ANY.RUN’s Threat Intelligence Lookup. The service includes a searchable database of threat data collected from millions of analysis sessions performed in the ANY.RUN sandbox.
After discovering a sample, the analysts detonated it in the sandbox again and observed every request directed to api.telegram.org in order to examine the malware’s interaction with Telegram’s Bot API.
After analyzing the malware’s POST requests, the analysts collected, in this case, the bot token (a key used for authentication) and the chat_id (which identifies the recipient chat).
The sandbox also allowed researchers to view the server’s response, which contained useful information in JSON format, including chat_id, bot username, bot name, chat name, and chat type.
After acquiring the attacker’s chat_id and bot token, the analysts initiated the process of checking whether the bot has a webhook.
If a webhook is present, it’s crucial to save its data and then delete it using the /deleteWebhook method.
Once the webhook is handled, the analysts created a Telegram group and added the attacker’s bot to it.
Using the /forwardMessage method with the extracted chat_id and message_id, the analysts were finally able to forward the desired message from the attacker’s chat to the group.
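The steps above can be followed end to end in code. The following Python is an added example, not code from ANY.RUN’s guide: it pulls the bot token and chat_id out of a captured POST request in the way the sandbox view makes possible, summarises the server’s JSON reply (chat id, bot username, bot name, chat title, chat type), and then performs the webhook check, the save-then-delete step and the /forwardMessage call. The captured request, the reply and every Bot API response are constructed samples; the token, chat ids and webhook URL are fake placeholders. The demo runs offline against `fake_transport`; `urllib_transport` is a plain urllib POST against the documented `https://api.telegram.org/bot<token>/<method>` endpoint for use with real captured values.

```python
import json
import re
import urllib.request
from typing import Any, Callable, Dict, List
from urllib.parse import parse_qs

# Constructed sample of a POST as the sandbox would show it; token and chat_id are fake.
CAPTURED_REQUEST = (
    "POST /bot123456789:AAFakeTokenForIllustrationOnly_abcdefghij/sendDocument HTTP/1.1\n"
    "Host: api.telegram.org\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "chat_id=-1001234567890&caption=browser+data"
)

# Constructed sample of the server's JSON reply to that request.
CAPTURED_RESPONSE = json.dumps({
    "ok": True,
    "result": {
        "message_id": 42,
        "from": {"id": 123456789, "is_bot": True, "first_name": "Exfil Demo", "username": "exfil_demo_bot"},
        "chat": {"id": -1001234567890, "title": "logs", "type": "supergroup"},
        "date": 1700000000,
    },
})

# A bot token is <numeric bot id>:<secret>; the API method follows it in the URL path.
TOKEN_PATH_RE = re.compile(r"/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")


def extract_bot_credentials(raw_request: str) -> Dict[str, str]:
    """Pull the bot token, API method and chat_id out of a captured HTTP request."""
    head, _, body = raw_request.partition("\n\n")
    match = TOKEN_PATH_RE.search(head.splitlines()[0])
    if not match:
        raise ValueError("request line carries no Telegram bot token")
    params = parse_qs(body)  # form-encoded body, as in the sample above
    return {"token": match.group(1), "method": match.group(2), "chat_id": params.get("chat_id", [""])[0]}


def summarize_response(raw_json: str) -> Dict[str, Any]:
    """Reduce the Bot API reply to the fields an analyst records as indicators."""
    data = json.loads(raw_json)
    if not data.get("ok"):
        raise ValueError(f"Bot API error: {data.get('description')}")
    result = data["result"]
    return {
        "message_id": result["message_id"],
        "chat_id": result["chat"]["id"],
        "chat_title": result["chat"].get("title"),
        "chat_type": result["chat"]["type"],
        "bot_username": result["from"]["username"],
        "bot_name": result["from"]["first_name"],
    }


Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def urllib_transport(url: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: POST JSON to the Bot API. Not exercised by the offline demo."""
    req = urllib.request.Request(url, data=json.dumps(params).encode(), headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())


class BotApi:
    def __init__(self, token: str, transport: Transport):
        self.base = f"https://api.telegram.org/bot{token}/"
        self.transport = transport

    def call(self, method: str, **params: Any) -> Dict[str, Any]:
        return self.transport(self.base + method, params)


def preserve_and_clear_webhook(api: BotApi, evidence: List[Dict[str, Any]]) -> bool:
    """Save webhook details to the evidence list before /deleteWebhook; return whether one existed."""
    info = api.call("getWebhookInfo")["result"]
    if not info.get("url"):
        return False
    evidence.append(info)  # record first, then remove, so nothing is lost
    api.call("deleteWebhook")
    return True


def forward_messages(api: BotApi, from_chat_id: str, to_chat_id: int, message_ids: List[int]) -> List[int]:
    """Forward each message from the attacker's chat into the analysts' group; return new message ids."""
    forwarded = []
    for mid in message_ids:
        reply = api.call("forwardMessage", chat_id=to_chat_id, from_chat_id=from_chat_id, message_id=mid)
        if reply.get("ok"):
            forwarded.append(reply["result"]["message_id"])
    return forwarded


def fake_transport(url: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Offline stand-in for the Bot API returning constructed replies."""
    method = url.rsplit("/", 1)[1]
    if method == "getWebhookInfo":
        return {"ok": True, "result": {"url": "https://webhook.example/placeholder", "pending_update_count": 3}}
    if method == "deleteWebhook":
        return {"ok": True, "result": True}
    if method == "forwardMessage":
        return {"ok": True, "result": {"message_id": 1000 + params["message_id"]}}
    raise ValueError(f"unexpected method {method}")


def run_demo(analyst_group_id: int = -1009876543210) -> Dict[str, Any]:
    """Walk through the full procedure against the constructed samples."""
    creds = extract_bot_credentials(CAPTURED_REQUEST)
    summary = summarize_response(CAPTURED_RESPONSE)
    api = BotApi(creds["token"], fake_transport)
    evidence: List[Dict[str, Any]] = []
    had_webhook = preserve_and_clear_webhook(api, evidence)
    forwarded = forward_messages(api, creds["chat_id"], analyst_group_id, [summary["message_id"]])
    return {"creds": creds, "summary": summary, "had_webhook": had_webhook, "evidence": evidence, "forwarded": forwarded}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Swapping `fake_transport` for `urllib_transport` turns the demo into the real procedure; keeping the transport injectable also means the whole flow can be dry-run and logged before any call that alters the attacker’s bot state (deleting a webhook is irreversible) is made.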
Learn more about the entire process and see how you can copy all messages from attackers’ chats on the ANY.RUN blog.
Integrate Private ANY.RUN Malware Sandbox in Your Organization
ANY.RUN’s malware sandbox offers a range of features that make it stand out for threat analysis:
- Private mode: Securely analyze malware in a completely isolated environment, ensuring privacy and protection.
- Real-time interaction: Interact directly with the system to see how malware responds to your inputs.
- Windows and Linux VM support: Investigate suspicious files on different operating systems to capture platform-specific threats.
- Detailed reporting: Receive comprehensive reports, including all Indicators of Compromise (IOCs), network activity, and process trees for thorough analysis.
Request a 14-day free trial to test all capabilities of the ANY.RUN sandbox.