In our talk, we will reveal how we leveraged sophisticated Yara rules to capture Telegram channels, groups, and even bots on the Internet. But that's not all, we’ll show the audience how we built an automated fraud hunting tool, which, upon the insertion of a Telegram API key will detect whether it’s a bot, channel or group and accordingly will reveal their dark secrets such as C&C servers, Black Markets, and Women Abuse. We will reveal the awful truth about how adversaries abusing legitimate apps such as Telegram in order to disguise their cybercrime activities from the authorities. The Telegram messaging app has experienced significant growth, adding hundreds of thousands of new users daily. Fraudsters mainly utilized Telegram groups and channels to organize their communities. This is where fraudsters advertise, connect and share knowledge and compromised information, much like the role forums play on the dark web. Channels, on the other hand, are groups in which only the administrator is authorized to post and regular members have access to view, similar to blogs. Telegram even allows creating multi-functional bots, which are unique Telegram accounts that do not require a phone number to set up. These bots can perform harmless tasks like creating cat memes on demand, accepting payments, act as a digital storefront but could also be leveraged to perform malicious functions. Due to Telegram’s rich feature set and rapid adoption, Telegram has become a sought after tool on the fraud scene.

1. Leveraging Yara Rules to
Hunt for Abused
Telegram Accounts
Asaf Aprozper
@3pun0x

2. 50%of the Telegram accounts in my research abused the
platform in one way or the other

3. PRESENTATION
TAKEAWAY
S
01. IoT global search engines
02. Yara rules
03. Telegram
04. C2 servers
05. Remediation
06. Ideas

4. ASAF APROZPER
● Head of Research at Reposify
● Asaf Yara rules
● Creator of CoffeeShot framework

5. Cybercrime on the Internet
What Is Cyber Crime?

6. Cyber Crimes
Hacking
Money
Laundering Fraud
illegal
pornography
Identity
theft
DDoS

7. Cybercrime Is Not Just for Hackers
● No need to be hacker or coder
● Darknet markets TOR links can be found on Google
● A difficult place to navigate
● Having trouble getting to the more evil sites

8. The Darknet is
a hive of illegal
activities

9. CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME
CYBER CRIME

11. From a Hacker Hobby into
a Capitalist Market
Cyber Crime + Money = Market

12. The Criminal's Perspective
It wasn’t long...

13. Using Telegram for
Cyber Crime

15. Using Telegram for Cybercrime
● Launched in 2013
● 200m active users monthly
● Pride for its enhanced security capabilities
● Private end-to-end encrypted chats

16. Using Telegram for Cybercrime
● Groups with up to 30k members
● Channels of unlimited subscribers
● Share files of nearly any type

17. Using Telegram for Cybercrime
● Anyone can enjoy an encrypted chat
● No early steps required to hide the identity
● Receiving shady offers with a single tap

18. Telegram Bots for
Cyber Crime
Automation

19. Telegram Bots
● Allowing third-party apps to run
● Rich set of features and quick adoption
Legitimate uses: Automatic file converters, daily weather...

20. Cybercriminals Next Step
● Automate Cyber Crime and remain invisible
● No need to register a host and domain
● DDoS style attacks become irrelevant

21. Using Telegram Bots Eliminates
● The need to protect and hide their websites
● The fear of monitoring by law enforcement

22. Valuable Alternative

23. Malware Uses Telegram as C2
● Telegram BOT API for communications
https://api.telegram.org/bot[API_KEY]:[API_HASH]
/getMe

24. Malware - Masad Stealer

25. Malware - Masad Stealer

26. Masad Stealer C2 - getMe

27. Masad Stealer C2 - getMe

28. Masad Stealer - sendDocument

29. Telegram C2 Server Framework

30. Telegram C2 Server Framework

31. Telegram BOT C2 Screenshots

32. Telegram BOT C2 Screenshots

33. Leveraging Yara
Rules to Hunt for
Abused
Telegram
Accounts on the
Internet

34. The Research - How It Started?
“Is it possible to hunt for Telegram C2 servers?”

35. The Research - First Obstacle
● Hunt for a specific string
● Large amount of webpages
● Python + RegEx - Low Performance

36. Why Using Yara
● Long-time experience
● Proven to be more effective with high performance
● Unique combinations

37. Testing Yara vs Python Operators
Python operators Yara rules

38. Writing Sophisticated Yara Rules
● Telegram links
● Telegram Web Pages
● Exposed Telegram API Tokens

39. Capturing Telegram Accounts Web Pages
<a class="tgme_action_button_new"
href="tg://resolve?domain=ReposifyBot">Send
Message</a>

40. First Yara Rule - Telegram Web Pages

41. https://t.me/Username
Capturing Telegram Links
● Expand research by capturing Telegram links on the
Internet

42. Second Yara Rule - Telegram Links

43. Exposed Telegram APIs
api.telegram.org/bot[API_KEY]:[API_HASH]

44. Third Yara Rule - Exposed Telegram APIs

45. Combine Yara Rules with IoT Search Engine
● Reposify’s IoT Global Search Engine
● Stopped after a couple of minutes - List was too big

46. You Can Also Scan the Internet
● IoT global search engines
● Open source tools

47. The Research - Next Step
● A Long list that contains Telegram accounts
● Next step Telethon

48. Using Telethon

49. Create Yara
rules to hunt for
Telegram web
pages, links and
exposed APIs
STEP ONE STEP TWO STEP THREE STEP FOUR
The Steps
Scan the
internet with
my Yara rules
Output list of
Telegram
usernames and
APIs
Using Telethon
to divide
usernames to
groups,
channels, bots
and users

50. Telegram API Limit
● 24 hours block after 200 API requests
● Meaning scanning only 200 Telegram accounts daily

51. Overcome the API Limit

52. Suspicious Identifiers

53. TELETHON
Channel Group
User
BOT
/start
/help
Iterate history
messages
Analyze
output
MATCHED
NOT MATCHED

54. RepoTele - PoC

55. Summary of Malicious Matches
● C2 servers
● Sexual exploitation
● Black markets
● Hacking groups

56. Malware C2 - Masad Stealer

57. Malware C2 - Masad Stealer

58. Malware C2 - Masad Stealer

59. DarkNet Channel - RAT for Windows

60. Bot for Buying Stolen Credit Cards

61. Bot for Ordering Your Perfect Women

62. Bot for Ordering Drugs

63. Exposed Telegram API Tokens
● Using forwardMessage
● Full control on Telegram BOT
● Access to history messages

64. api.telegram.org/bot[API_KEY]:[API_HASH]/forwardMessage?
chat_id=123456789&from_chat_id=123456789&message_id=4
Telegram forwardMessage API Abusing

65. Hack the Hacker

66. Remediation
“api.telegram.org”

67. Accidentally Sending Commands to Real Users

68. Accidentally Sending Commands to Real Users

69. Accidentally Sending Commands to Real Users

70. Taking out the
Trash
Abuse@telegram.org

71. What’s Next?
● Improve my script
● Keep hunting for Telegram abused accounts
● Focus on hunting on threat intelligence websites

72. THANK
YOU
ASAF APROZPER
@3pun0x asaf@reposify.com
github.com/3pun0x/RepoTele