[CB19] Leveraging Yara Rules to Hunt for Abused Telegram Accounts by Asaf Aprozper

In this talk we show how we leveraged Yara rules to capture Telegram channels, groups and even bots on the Internet. We also show how we built an automated fraud-hunting tool: given a Telegram API key, it detects whether the account is a bot, channel or group and then surfaces what the account is being used for, such as C&C servers, black markets and the abuse of women. We describe how adversaries abuse a legitimate app such as Telegram to disguise their cybercrime activities from the authorities.
The Telegram messaging app has experienced significant growth, adding hundreds of thousands of new users daily. Fraudsters mainly use Telegram groups and channels to organize their communities: this is where they advertise, connect, and share knowledge and compromised data, much as forums do on the dark web. Channels are groups in which only the administrator is authorized to post and regular members can only read, similar to blogs. Telegram also allows multi-functional bots, which are special Telegram accounts that do not require a phone number to set up. Bots can perform harmless tasks, such as creating cat memes on demand, accepting payments or acting as a digital storefront, but they can just as easily be put to malicious use. Because of Telegram's rich feature set and rapid adoption, it has become a sought-after tool on the fraud scene.


  1. Leveraging Yara Rules to Hunt for Abused Telegram Accounts. Asaf Aprozper, @3pun0x
  2. 50% of the Telegram accounts in my research abused the platform in one way or another
  3. PRESENTATION TAKEAWAYS: 01. IoT global search engines 02. Yara rules 03. Telegram 04. C2 servers 05. Remediation 06. Ideas
  4. ASAF APROZPER ● Head of Research at Reposify ● Asaf Yara rules ● Creator of the CoffeeShot framework
  5. Cybercrime on the Internet: What Is Cybercrime?
  6. Cyber Crimes: Hacking, Money Laundering, Fraud, Illegal Pornography, Identity Theft, DDoS
  7. Cybercrime Is Not Just for Hackers ● No need to be a hacker or a coder ● Darknet market TOR links can be found on Google ● A difficult place to navigate ● Having trouble getting to the more evil sites
  8. The Darknet is a hive of illegal activities
  9. CYBER CRIME (repeated across the slide)
  10. From a Hacker Hobby into a Capitalist Market: Cyber Crime + Money = Market
  11. The Criminal's Perspective: It wasn't long...
  12. Using Telegram for Cyber Crime
  13. Using Telegram for Cybercrime ● Launched in 2013 ● 200m monthly active users ● Prides itself on its enhanced security capabilities ● Private end-to-end encrypted chats
  14. Using Telegram for Cybercrime ● Groups with up to 30k members ● Channels with unlimited subscribers ● Share files of nearly any type
  15. Using Telegram for Cybercrime ● Anyone can enjoy an encrypted chat ● No preliminary steps required to hide one's identity ● Receiving shady offers with a single tap
  16. Telegram Bots for Cyber Crime Automation
  17. Telegram Bots ● Allow third-party apps to run ● Rich set of features and quick adoption ● Legitimate uses: automatic file converters, daily weather...
  18. Cybercriminals' Next Step ● Automate cybercrime and remain invisible ● No need to register a host and a domain ● DDoS-style attacks become irrelevant
  19. Using Telegram Bots Eliminates ● The need to protect and hide their websites ● The fear of monitoring by law enforcement
  20. Valuable Alternative
  21. Malware Uses Telegram as C2 ● Telegram Bot API for communications: https://api.telegram.org/bot[API_KEY]:[API_HASH]/getMe
  22. Malware - Masad Stealer
  23. Malware - Masad Stealer
  24. Masad Stealer C2 - getMe
  25. Masad Stealer C2 - getMe
  26. Masad Stealer - sendDocument
  27. Telegram C2 Server Framework
  28. Telegram C2 Server Framework
  29. Telegram Bot C2 Screenshots
  30. Telegram Bot C2 Screenshots
  31. Leveraging Yara Rules to Hunt for Abused Telegram Accounts on the Internet
  32. The Research - How It Started: "Is it possible to hunt for Telegram C2 servers?"
  33. The Research - First Obstacle ● Hunt for a specific string ● Large number of web pages ● Python + RegEx: low performance
  34. Why Use Yara ● Long-time experience ● Proven to be more effective, with high performance ● Unique combinations
  35. Testing Yara vs Python Operators (Python operators | Yara rules)
  36. Writing Sophisticated Yara Rules ● Telegram links ● Telegram web pages ● Exposed Telegram API tokens
  37. Capturing Telegram Accounts' Web Pages: <a class="tgme_action_button_new" href="tg://resolve?domain=ReposifyBot">Send Message</a>
  38. First Yara Rule - Telegram Web Pages
  39. Capturing Telegram Links ● Expand the research by capturing Telegram links on the Internet: https://t.me/Username
  40. Second Yara Rule - Telegram Links
  41. Exposed Telegram APIs: api.telegram.org/bot[API_KEY]:[API_HASH]
  42. Third Yara Rule - Exposed Telegram APIs
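The deck names three rule families (slides 36 to 42) but the slides themselves do not carry the rule bodies. The following is an added example, my own reconstruction rather than the speaker's rules: the three Yara rules as a string (compiled with yara-python when that binding is installed), and the Python post-processing a scan still needs, because Yara only tells you that a page matched and the Telethon step needs the actual username or token. The regexes here are for pulling indicators out of an already matched page, not a substitute for Yara on an Internet-scale corpus. The sample page, the deny-list of t.me path words and the token length range are assumptions; the token is the placeholder from Telegram's Bot API documentation, not a live credential.

```python
import re
from typing import Dict, Set

# Reconstruction of the three rule families the deck names on slides 36-42
# (Telegram web pages, Telegram links, exposed bot tokens). Written for this
# example; the speaker's own rule bodies are not on the page.
YARA_RULES = r'''
rule telegram_web_page
{
    meta:
        description = "Public t.me landing page markup (deck slide 37)"
    strings:
        $resolve = "tg://resolve?domain=" ascii nocase
        $button  = "tgme_action_button_new" ascii
    condition:
        $resolve or $button
}

rule telegram_link
{
    meta:
        description = "Inline t.me link (deck slide 39)"
    strings:
        $tme = /https?:\/\/t\.me\/[A-Za-z0-9_]{5,32}/ ascii nocase
    condition:
        $tme
}

rule telegram_bot_token
{
    meta:
        description = "Bot API token embedded in a URL (deck slide 41)"
    strings:
        // <numeric bot id>:<secret>; the secret length range is an assumption
        $tok = /api\.telegram\.org\/bot[0-9]{6,12}:[A-Za-z0-9_-]{30,50}/ ascii
    condition:
        $tok
}
'''


def compile_rules():
    """Compile YARA_RULES with yara-python (pip install yara-python).
    Returns None when the binding is not installed so the rest still runs."""
    try:
        import yara
    except ImportError:
        return None
    return yara.compile(source=YARA_RULES)


# Python twins of the Yara strings. Yara reports *that* a page matched; these
# pull the username / token out of the matched text for the Telethon step.
_RESOLVE = re.compile(r"tg://resolve\?domain=([A-Za-z0-9_]{5,32})", re.IGNORECASE)
_TME = re.compile(r"https?://t\.me/([A-Za-z0-9_]{5,32})", re.IGNORECASE)
_TOKEN = re.compile(r"api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{30,50})")

# t.me path segments that are features, not usernames (assumption: short deny-list).
_NOT_USERNAMES = {"joinchat", "addstickers", "share", "proxy", "socks"}


def extract_indicators(text: str) -> Dict[str, Set[str]]:
    """Return {'usernames': {...}, 'tokens': {...}} found in a page body.
    Usernames are lower-cased because Telegram resolves them case-insensitively."""
    usernames: Set[str] = set()
    for rx in (_RESOLVE, _TME):
        for m in rx.finditer(text):
            name = m.group(1).lower()
            if name not in _NOT_USERNAMES:
                usernames.add(name)
    tokens = {m.group(1) for m in _TOKEN.finditer(text)}
    return {"usernames": usernames, "tokens": tokens}


# Constructed sample page: the button markup from slide 37, a forum post with
# two links, and a script that leaks its token. The token is the placeholder
# from Telegram's Bot API documentation, not a live credential.
SAMPLE_PAGE = """
<a class="tgme_action_button_new" href="tg://resolve?domain=ReposifyBot">Send Message</a>
Join us: https://t.me/joinchat/AbCdEfGhIjK or https://t.me/Example_Market
URL = "https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendDocument"
"""

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_PAGE))
    rules = compile_rules()
    if rules is not None:
        print([m.rule for m in rules.match(data=SAMPLE_PAGE)])
```

The joinchat invite path is deliberately dropped: it is an invite hash, not a username, and feeding it to get_entity() just burns one of the daily requests the deck complains about on slide 48.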
  43. Combine Yara Rules with an IoT Search Engine ● Reposify's IoT global search engine ● Stopped after a couple of minutes: the list was too big
  44. You Can Also Scan the Internet ● IoT global search engines ● Open source tools
  45. The Research - Next Step ● A long list that contains Telegram accounts ● Next step: Telethon
  46. Using Telethon
  47. The Steps ● STEP ONE: Create Yara rules to hunt for Telegram web pages, links and exposed APIs ● STEP TWO: Scan the Internet with my Yara rules ● STEP THREE: Output a list of Telegram usernames and APIs ● STEP FOUR: Use Telethon to divide the usernames into groups, channels, bots and users
  48. Telegram API Limit ● 24-hour block after 200 API requests ● Meaning only 200 Telegram accounts can be scanned daily
  49. Overcome the API Limit
  50. Suspicious Identifiers
  51. Telethon flow: Channel | Group | User | Bot → /start, /help → Iterate history messages → Analyze output → MATCHED / NOT MATCHED
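Slides 47 to 51 describe step four of the pipeline: resolve each username with Telethon, sort it into channel, group, bot or user, pull history (or poke a bot with /start and /help), and flag suspicious content, all under a request budget. The block below is an added example of that triage logic, not RepoTele's code. It uses only the attribute names Telethon's entity types expose (Channel.broadcast and Channel.megagroup, User.bot, Chat for basic groups), so the objects can be duck-typed and the example runs without a session; in a real run the entities come from client.get_entity() and the histories from client.iter_messages(). The keyword list, the sample entities and their usernames, and the message histories are constructed for this example; the 200-per-day budget is the figure the deck reports on slide 48. A plain user gets an empty plan on purpose: slides 65 to 67 show what happens when /start lands in a real person's chat.

```python
import re
from types import SimpleNamespace
from typing import Dict, Iterable, List


def classify(entity) -> str:
    """Map what Telethon's client.get_entity() returns to the deck's four buckets.

    Telethon returns tl.types.Channel for broadcast channels (broadcast=True) and
    supergroups (megagroup=True), tl.types.Chat for basic groups, and tl.types.User
    (bot=True for bots). Only attribute names are used, so duck-typed stand-ins work.
    """
    if hasattr(entity, "broadcast"):          # tl.types.Channel
        return "channel" if entity.broadcast else "group"
    if hasattr(entity, "bot"):                # tl.types.User
        return "bot" if entity.bot else "user"
    return "group"                            # tl.types.Chat (basic group)


def plan(entity) -> List[str]:
    """Per-bucket actions from the slide-51 flow. A real person gets nothing:
    slides 65-67 show /start and /help landing in a human's inbox."""
    kind = classify(entity)
    if kind == "bot":
        return ["send /start", "send /help", "analyze replies"]
    if kind in ("channel", "group"):
        return ["iterate history messages", "analyze output"]
    return []


# Illustrative keyword list for the "Suspicious Identifiers" step (slide 50 gives
# none). These are my picks for the example, not the speaker's list.
SUSPICIOUS = ("cvv", "fullz", "dumps", "stealer", "rat", "escrow", "sendDocument")


def analyze(messages: Iterable[str], keywords=SUSPICIOUS) -> Dict[str, object]:
    """Count, per message, which keywords appear as whole words (so 'rat' does
    not fire on 'rate'). Input is iter_messages() text or bot replies."""
    hits: Dict[str, int] = {}
    for text in messages:
        words = set(re.findall(r"[a-z0-9_]+", text.lower()))
        for kw in keywords:
            if kw.lower() in words:
                hits[kw] = hits.get(kw, 0) + 1
    return {"matched": bool(hits), "hits": hits}


class DailyBudget:
    """Spend guard for the limit the deck reports on slide 48 (about 200 resolves
    per 24 hours before a block). Telethon's FloodWaitError remains the
    authoritative signal; this only stops a run from walking straight into it."""

    def __init__(self, limit: int = 200):
        self.limit, self.used = limit, 0

    def take(self) -> bool:
        if self.used >= self.limit:
            return False
        self.used += 1
        return True


def triage(entities: Iterable[object], histories: Dict[str, List[str]],
           budget: DailyBudget) -> Dict[str, Dict]:
    """One pass of the slide-51 flow over resolved entities. `histories` stands
    in for iter_messages() output / bot replies, keyed by username."""
    out: Dict[str, Dict] = {}
    for ent in entities:
        if not budget.take():
            break                              # resume tomorrow, do not get blocked
        name = ent.username
        out[name] = {"kind": classify(ent), "plan": plan(ent),
                     "verdict": analyze(histories.get(name, []))}
    return out


# Constructed stand-ins shaped like Telethon's types; usernames are made up.
SAMPLE_ENTITIES = [
    SimpleNamespace(username="deals_channel", broadcast=True, megagroup=False),
    SimpleNamespace(username="carders_chat", broadcast=False, megagroup=True),
    SimpleNamespace(username="shop_bot", bot=True),
    SimpleNamespace(username="some_person", bot=False),
]
SAMPLE_HISTORY = {
    "deals_channel": ["50% off sneakers this week"],
    "carders_chat": ["fresh CVV + fullz, escrow only", "dumps restock tomorrow"],
    "shop_bot": ["Welcome! /help for the menu", "Pay in BTC, escrow supported"],
}

if __name__ == "__main__":
    for name, row in triage(SAMPLE_ENTITIES, SAMPLE_HISTORY, DailyBudget(200)).items():
        print(name, row["kind"], "MATCHED" if row["verdict"]["matched"] else "NOT MATCHED")
```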
  52. RepoTele - PoC
  53. Summary of Malicious Matches ● C2 servers ● Sexual exploitation ● Black markets ● Hacking groups
  54. Malware C2 - Masad Stealer
  55. Malware C2 - Masad Stealer
  56. Malware C2 - Masad Stealer
  57. DarkNet Channel - RAT for Windows
  58. Bot for Buying Stolen Credit Cards
  59. Bot for Ordering Your Perfect Women
  60. Bot for Ordering Drugs
  61. Exposed Telegram API Tokens ● Using forwardMessage ● Full control of the Telegram bot ● Access to history messages
  62. Abusing the Telegram forwardMessage API: api.telegram.org/bot[API_KEY]:[API_HASH]/forwardMessage?chat_id=123456789&from_chat_id=123456789&message_id=4
  63. Hack the Hacker
  64. Remediation: "api.telegram.org"
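Slides 21, 24 to 25 and 61 to 62 turn on two Bot API calls: getMe, which Masad Stealer uses to confirm its token and which tells a hunter whether a harvested token is still live, and forwardMessage, which with the bot's own token copies a message out of the attacker's chat into one you control. The block below is an added example of that exchange, not the deck's tooling: it builds both request URLs exactly in the slide-62 shape, parses a getMe answer into the bot's identity, and keeps the secret half of a token out of logs when you write the finding up. The HTTP layer is injected as a fetch callable so the example runs offline against canned Telegram-shaped responses; with a real network, pass a urllib-based fetch. The two tokens and the bot username are constructed (the "live" one is the placeholder from Telegram's Bot API documentation); the response shapes are the documented ok/result and ok/error_code forms.

```python
import json
from typing import Callable, Optional
from urllib.parse import urlencode

API_BASE = "https://api.telegram.org"


def bot_api_url(token: str, method: str, **params) -> str:
    """Build a Bot API call in the shape the deck shows (slides 21 and 62)."""
    url = f"{API_BASE}/bot{token}/{method}"
    return f"{url}?{urlencode(params)}" if params else url


def forward_message_url(token: str, chat_id: int, from_chat_id: int, message_id: int) -> str:
    """The slide-62 request: copy message `message_id` out of `from_chat_id`
    (the attacker's chat with the bot) into `chat_id` (a chat you control)."""
    return bot_api_url(token, "forwardMessage", chat_id=chat_id,
                       from_chat_id=from_chat_id, message_id=message_id)


def redact(token: str) -> str:
    """Keep the numeric bot id (it is the bot's public user id) and drop the secret,
    so logs and the abuse report do not reproduce a working credential."""
    bot_id, sep, secret = token.partition(":")
    return f"{bot_id}:{secret[:3]}..." if sep else token


def check_token(token: str, fetch: Callable[[str], str]) -> Optional[dict]:
    """getMe through an injected fetch(url) -> response body.

    Returns the bot identity when the token is live, None when Telegram answers
    ok=false (revoked or bogus). For the real network use, e.g.,
    fetch = lambda u: urllib.request.urlopen(u).read().decode()
    """
    body = json.loads(fetch(bot_api_url(token, "getMe")))
    if not body.get("ok"):
        return None
    r = body["result"]
    return {
        "id": r["id"],
        "username": r.get("username"),
        "is_bot": bool(r.get("is_bot")),
        # the numeric prefix of a bot token is the bot's user id; a mismatch
        # means the answer did not come from the bot the token belongs to
        "id_matches_token": str(r["id"]) == token.partition(":")[0],
    }


# Constructed tokens: the placeholder from Telegram's Bot API docs plays the
# live one, a mangled copy plays the revoked one. No real credential here.
LIVE_TOKEN = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
DEAD_TOKEN = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew00"


def fake_fetch(url: str) -> str:
    """Offline stand-in for HTTP GET, returning Telegram-shaped JSON (constructed)."""
    if url == bot_api_url(LIVE_TOKEN, "getMe"):
        return json.dumps({"ok": True, "result": {"id": 123456, "is_bot": True,
                                                   "first_name": "demo", "username": "demo_c2_bot"}})
    return json.dumps({"ok": False, "error_code": 401, "description": "Unauthorized"})


if __name__ == "__main__":
    for tok in (LIVE_TOKEN, DEAD_TOKEN):
        print(redact(tok), check_token(tok, fake_fetch))
    print(forward_message_url(LIVE_TOKEN, 123456789, 123456789, 4))
```

Note what getMe does not tell you: it confirms the token works and names the bot, but it says nothing about who is on the other end of chat_id. That is the trap slides 65 to 67 illustrate, and the reason the Telethon classification step should run before any message is sent.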
  65. Accidentally Sending Commands to Real Users
  66. Accidentally Sending Commands to Real Users
  67. Accidentally Sending Commands to Real Users
  68. Taking out the Trash: abuse@telegram.org
  69. What's Next? ● Improve my script ● Keep hunting for abused Telegram accounts ● Focus on hunting on threat intelligence websites
  70. THANK YOU. ASAF APROZPER, @3pun0x, asaf@reposify.com, github.com/3pun0x/RepoTele
