Reposify Blog

Telegram, the cloud-based instant messaging and voice over IP app, launched in 2013, has over 200 million monthly active users worldwide. The app, which prides itself on delivering enhanced security capabilities including private end-to-end encrypted chats, was quickly adopted for both peer to peer as well as business communication. However, this popular messaging app also has a dark side. Cyber criminals use this as a go-to-market channel for a wide range of shady and illegal activities.

Reposify’s research team discovered that approximately 50% of the Telegram accounts in their data set abused the platform in one way or another.

WHY CRIMINALS LOVE TELEGRAM?

There are 4 main capabilities that make Telegram the preferred alternative to the DarkNet.

1. Messaging Encryption - Complete Anonymity:

Telegram’s private end-to-end encrypted chats allow any user to send and receive notifications and shady offers instantly, while keeping their identity hidden. Telegram is a safe haven for criminal activities when compared to the exposed threads that are seen on criminal web forums on the dark web (which can be taken down by the authorities at any moment). Criminals feel at ease to connect, advertise their offering and share knowledge and compromised information. Illegal trade and hacking are just some examples of the activities that take place on Telegram’s channels and groups.

2. Easy and Direct Access

Entering the Dark Web via the TOR platform requires several steps to ensure an anonymous connection. With Telegram, anyone can search and join channels and groups with just a click of a button and start promoting illegal activities such as selling drugs and stolen credit cards. In addition, Telegram allows users to share files of nearly any type. We found malicious use of that feature by Telegram C2 servers that contained ZIP files with the stolen data from the victim's computer.

3. Bots and Cyber Crime Automation

Telegram bots are a new popular feature allowing third-party apps to run within the platform. Bots enhance the messaging experience and can be set up to carry out specific tasks. Legitimate uses of Telegram bots include automatic file converters, daily weather or horoscope notifications and more. Criminals were quick to leverage these bots for less legitimate purposes and stepped up their game by automating criminal activities while remaining invisible.

4. Fewer Security Concerns

Using Telegram, criminals have less security challenges to worry about since there is no need to register a host and domain or hide from search engines. This eliminates concerns relating to typical security issues that may impact a website such as DDoS style attacks as well as the need to use different methods to hide their website from the authorities.

In our research, we found Telegram Bots that leveraged the app to perform various malicious functions, ranging from command and control servers to bots that “helped” users order tailored escort services.

WHAT TYPE OF CRIMINAL ACTIVITIES GOES ON TELEGRAM?

Terror-related propaganda, fraudulent activities, illicit trade, and cyber crime are just some of the many examples of criminal activities that are taking place via this messaging app.

One specific example is the Masad Stealer malware which is sold as an off-the-shelf solution for cyber crime. This stealer malware is capable of stealing browser data, including saved credentials, login forms, and credit card information. It uses Telegram as a C2 server which leverages Telegram’s Bot API for sending commands and communication. The Masad Stealer sends all of the information it collects and is also able to receive commands from a Telegram bot controlled by the attacker.

How Malware Uses Telegram as C2

The following screenshot shows the malicious network traffic between the malware and the Telegram C2 server that we captured (using Burp):

Malware that uses Telegram as a C2 server uses the Telegram Bot API for sending commands and communication. The following link is an example of the BOT API request that used by malware in the wild: https://api.telegram.org/bot[API_KEY]:[API_HASH]/getMe

As you can see the above request contains the BOT API token which is built from API Key and API Hash and there is also getMe function (highlighted in blue).

The malware is using the getMe function to verify that the command and control server is up and ready to get the stolen data from the victim’s computer. If it is up, the “200 OK” response from the C2 will contain the BOT details (bot id, first name and, username):

Once the malware made sure that the C2 is up, it will use the send document Telegram BOT API function to send a ZIP file with the stolen data from the victim’s computer.

How we used Reposify’s proprietary IoT search engine and Yara Rules to hunt for malicious Telegram accounts on the internet

At the core of Reposify’s platform is our ability to scan the entire internet continuously for public IP addresses and automatically identify and classify all services and platforms that are scattered across the web. While we usually use this proprietary technology to help organizations discover, manage and secure their External Attack Surface, we decided to put it to work for additional good causes.

Our head of research, Asaf Aprozper, developed several sophisticated Yara Rules and combined it with Reposify’s internet scanning capabilities to hunt for malicious Telegram accounts on the global web.

Our process included 3 steps, which we will proceed to describe in detail;

Asaf Aprozper from Reposify at Code Blue

Step 1: Creating Yara Rules

Yara Rule #1: Capture Telegram’s Web Page account.

Our task was to write a rule that will enable us to capture Telegram accounts’ web pages. In order to create it, we analyzed the source code of a Telegram web page account. In our research, we found that

the HTML source code of the “Send Message” button contains the account’s username. By using this we were able to capture the usernames of the Telegram accounts’ web pages.

In the case, illustrated in the image to the right, the name of the Telegram account was “ReposifyBot”. This is a snippet of the HTML source code of the above “Send Message” button: <a class="tgme_action_button_new" href="tg://resolve?domain=ReposifyBot">Send Message</a>

Here is how this first Yara rule looks like: (You can find the rule on Github here)

Yara Rule #2: Capture Telegram Links

In addition to capturing Telegram web pages, we wanted to go one step further and hunt for Telegram links as well. Links to malicious Telegram accounts are often shared via legitimate social media apps (e.g YouTube) making it easy, on the one hand, to find but on the other hand, difficult to distinguish from legitimate accounts. This is an example of a link structure for joining a Telegram account: https://t.me/Username

Here is how this second Yara rule looks like: (You can find the rule on Github here)

Step 2: Scanning The Internet With Reposify’s Proprietary Scanning Technology

Once we had these 2 rules written, we executed them on Reposify’s database. Within just a few minutes we came up with an extensive list of Telegram accounts.

Step 3: Let The Hunt Begin

Once the list of accounts was ready, we needed to find a way to categorize the accounts and distinguish between real user accounts vs bots and group/channels accounts. To accomplish this we used Telethon and a list of suspicious identifiers. Telethon is a Python 3 library used to interact with Telegram's API as a user or through a bot account.

To compile a list of suspicious identifiers, we used malicious Telegram’s C2 servers that we found in the wild (including open-source frameworks) as well as predefined cyber crime keywords.

The following screenshot is the list of the suspicious identifiers we used. As you can see it contains multiple languages including Arabic, Persian, English and Russian.

Based on the above identifiers we created a PoC code and started hunting for malicious Telegram accounts using Telethon and the following logic:

As seen in the chart above, whenever a group or a channel were identified, we leveraged Telethon again to iterate through their entire message history and captured those which matched the suspicious identifiers we defined earlier.

If an account was identified as a bot, we utilized Telethon to automatically send message-commands such as “/start” and “/help”, waited 30 seconds for the output response, analyzed it and captured those which matched for one of the malicious identifiers in their response. When our PoC detected a regular user we skipped it and moved to the next username on the list.

RepoTele

The following is a screenshot of our PoC tool in action. We started by connecting with a Telegram API (that we defined in a CSV config file earlier) and continued with our above diagram. Get the tool here.

Matches

By using this process, we hunted various malicious Telegram bots, groups, and channels such as malicious command and control servers as well as a bot that “helped” users order tailored escort services. We also found black market channels and “closed” hacking groups. Once the hunt was completed we reported to Telegram on all the abusive accounts.

Here are a couple of screenshots of criminal accounts that we hunted and reported.

An automatic bot account that was used for buying stolen credit cards.

Bot account that offered female escort services.
By pressing any of the buttons, users could submit their preferences based on age, hair color, weight, etc.

Persian DarkNet channel which published a RAT for Windows.

Malicious Telegram C2 channel

How Can Organizations Stay Safe on Telegram?

In order to protect your organization from attackers that use Telegram as a C2 channel and find its way out of your network, Reposify’s team recommends blocking the “api.telegram.org” on your firewall or in your other network security systems. This will prevent the victim’s stolen data from reaching the attacker’s Telegram C2 server.

This is it for part one. Stay tuned for part two on how we hunted exposed and malicious Telegram APIs using Reposify and Yara Rules.

Quick Tip - How to overcome Telegram API’s limit

One of the obstacles we ran into during our research is Telegram API’s limit.

We discovered that Telegram has a limit on the number of API requests it enables a user to perform within 24 hours. This limit is currently set for a max of 200 requests per 24 hours. This was a setback because it meant we could only analyze 200 accounts per day. In order to overcome the API limit, we purchased a large amount of SIM cards. Then, through Telegram’s API development tools we obtained for each of them an api_id and api_hash to complete the authorization and then saved the credentials in a config session file for later use. Once we hit an API limit, we skipped to the next API we created in advance.

This blog is based on a talk given by our Head of Research, Asaf Aprozper, last year at BsidesCyprus and Code Blue Japan.

One year ago, an army of devices infected with Mirai malware amassed into a botnet that caused some of the largest DDoS attacks to date. The attacks targeted, among others, the major DNS provider Dyn and the website of Brian Krebs, a well-known investigative reporter who covers information security and cyber crime.

At the attack’s peak, the traffic on Krebs’ website reached 620 Gbit/s and surpassed 1 Tbit/s on Dyn’s servers.

Those attacks caused major services such as GitHub, Netflix, and Airbnb to be unavailable to users in Europe and North America for prolonged periods of time.

This week, security researchers are sounding the alarm that a malware more advanced than Mirai is affecting IoT devices on a scale that is greater than the one Mirai operated on. According to teams in the Israeli firm Check Point and the Chinese firm Netlab 360, the new worm–named IoT_reaper, IoTroop, or simply Reaper–is a powerful malware that borrows code from Mirai but extends and expands the latter’s capabilities. It’s estimated that over a million organizations have already been infected. The threat has not been activated yet and is still in an active phase of spreading.

Reposify -distribution of vulnerable devices

According to our data, the countries most vulnerable to IoT reaper by distribution of number of devices are South Korea, Brazil and the United States.

This new threat deserves our attention for a number of reasons. Unlike Mirai, Reaper does not attempt to crack the passwords of devices it targets, such as webcams and routers, but rather to exploit known vulnerabilities. Some of those vulnerabilities are fresh and were disclosed as recently as a few days ago. The list of susceptible devices includes models by some well-known vendors such as D-Link, TP-Link, and NETGEAR, as well as devices running the ubiquitous embedded web server GoAhead.

Another point of concern is the inclusion of a built-in Lua (an interpreted scripting language designed for embedded systems) execution environment, allowing for powerful and complex attacks.

Here at Reposify, we are in a unique position to truly appreciate the full potential of Reaper. As a company whose business is to understand IoT devices and digital assets worldwide, we have come up with a tool helping users to assess their own networks by checking their source IP.

Regardless of the sophistication and spread of Reaper, we hope the tools and knowledge shared here with the security community will help to mitigate and contain the attack when it strikes.

References

https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/

http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

https://research.checkpoint.com/new-iot-botnet-storm-coming/

https://research.checkpoint.com/iotroop-botnet-full-investigation/

https://en.wikipedia.org/wiki/2016_Dyn_cyberattack

https://en.wikipedia.org/wiki/Mirai_(malware)