Godwin Attigah is a Security Engineer at Google. Before working at Google, they worked at Microsoft's Cyber Defense Operation Center, where they primarily focused on detecting and managing incidents involving state-sponsored actors. Godwin's work in security includes reverse engineering, detection engineering, security tool development, statistical modeling, and machine learning.
Exfiltration and command and control are essential parts of the adversary's kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.
As a result, several attackers have opted for third-party services typically sanctioned for use in most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command and control tool of choice.
We have observed the usage of Telegram in different types of malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that are primarily interested in gathering information on a host. Recent examples of Telegram in Stealers include Lapsus$ compromise of major enterprises such as Microsoft, Okta, and Nvidia. They are particularly interested in credentials and information related to financial assets (fiat and crypto): E.g.
Files from personal directories
Direct messaging applications sessions (Telegram, WhatsApp, etc.)
Screenshots(in some cases live webcam view)
Our discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, macOS, and Android. In furtherance of the point, we introduce how malware-as-a-service provides easily accessible kits to entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.
In our analysis, we observed a varied level of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings and the best practices when it comes to using Telegram.
The techniques we discuss include:
Correlating attacker identity to the real world
- Image Correlation
- Username correlation
Message Interception via
Throughout the talk, we provide several samples that use Telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscore the essence of building an enterprise that is aware of the shortcomings of vendor security products as well as open source intelligence sources. We also provide detections and common patterns we see associated with samples in the space.