DeepSec 2022 Talk: Malware And Exfiltration : A Telegram Story – Godwin Attigah
Exfiltration and command and control are essential parts of the adversary’s kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.
As a result, several attackers have opted for third-party services that are typically sanctioned in most enterprises. The accepted status of such applications, coupled with an established developer ecosystem, makes services such as Slack and Telegram their exfiltration and command-and-control tools of choice.
We have observed the usage of Telegram in different malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware primarily interested in gathering information on a host. Recent examples of Telegram in stealers include the Lapsus$ compromises of major enterprises such as Microsoft, Okta, and Nvidia. They are particularly interested in credentials and information related to financial assets (fiat and crypto), for example:
- Files from personal directories
- Direct messaging application sessions (Telegram, WhatsApp, etc.)
- Screenshots (sometimes, a live webcam view)
Our discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, OS X, and Android. In furtherance of the point, we introduce how malware-as-a-service provides easily accessible kits to entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.
In our analysis, we observed varied levels of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings as well as best practices for using Telegram.
The techniques we discuss include:
- Correlating attacker identity to the real world
  – Image correlation
  – Username correlation
- Message interception via
Throughout the talk, we provide several samples that use Telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscores the importance of building an enterprise that is aware of the shortcomings of vendor security products and open source intelligence sources. We also provide detections and common patterns we see associated with samples in this space.
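As an added illustration of the kind of detection pattern the abstract refers to (this is example code written for this page, not the speaker's tooling), the following flags Telegram Bot API calls in proxy logs: a stealer or C2 agent talks to api.telegram.org through /bot&lt;token&gt;/&lt;method&gt; paths, which an ordinary Telegram client never uses. The log line format and the log entries are constructed for the example; only the numeric bot id is kept in findings so alerts do not carry the full token.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy-log format for this example: "<ts> <host> <process> <verb> <url>"
SAMPLE_LOGS = [
    "2022-11-17T10:01:02Z ws-042 chrome.exe GET https://web.telegram.org/k/",
    "2022-11-17T10:03:10Z ws-042 update.exe POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument",
    "2022-11-17T10:03:15Z ws-042 update.exe GET https://api.telegram.org/bot123456789:AAExampleTokenValue/getUpdates?offset=5",
    "2022-11-17T10:05:00Z ws-017 Telegram.exe GET https://149.154.167.50/api",
    "2022-11-17T10:06:30Z ws-099 python.exe POST https://api.telegram.org/bot987654321:BBExampleTokenValue/sendMessage",
]

# Bot API methods that push data out of the host (exfiltration) or pull commands in (C2 polling).
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo", "sendAudio"}
C2_METHODS = {"getUpdates"}

# Bot API path shape: /bot<token>/<method>, where the token is "<bot id>:<secret>".
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/([A-Za-z]+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields; return None on malformed input."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, proc, verb, url = parts
    return {"ts": ts, "host": host, "process": proc, "verb": verb, "url": url}


def classify(url: str) -> Optional[Dict[str, str]]:
    """Return bot id, method and category for a Bot API URL, or None for other traffic."""
    m = BOT_API_RE.match(url)
    if not m:
        return None
    token, method = m.group(1), m.group(2)
    if method in EXFIL_METHODS:
        kind = "exfiltration"
    elif method in C2_METHODS:
        kind = "c2-polling"
    else:
        kind = "bot-api-other"
    bot_id = token.split(":", 1)[0]  # keep only the public id, never the secret part
    return {"bot_id": bot_id, "method": method, "kind": kind}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the Bot API check over log lines and return one finding per matching request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec["url"]) if rec else None
        if hit:
            findings.append({**rec, **hit})
    return findings
```

Correlating findings by host and process (here, ws-042 / update.exe both uploading and polling) gives the exfiltration-plus-C2 pattern; the regular client traffic on ws-017 and the web client on ws-042 are not flagged.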
We asked Godwin Attigah a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Messaging platforms and cloud applications are becoming a hotbed for cybercrime.
- Telegram is the primary choice among these platforms as it provides command-and-control capabilities and a hosting platform for exfiltration.
- The sophistication of threat actors who use Telegram ranges from entry-level to sophisticated actors.
- We will discuss undetected samples and the actors behind them.
- We will also discuss detection opportunities and mitigations.
Why do you think this is an important topic?
Identifying the different stages of cyber attacks in your environment and what mitigations you can deploy to protect against them is essential. In the talk, we will discuss various attack scenarios, their relevant samples, and relevant mitigations.
Is there something you want everybody to know – some good advice for our readers, maybe?
- Initial compromise, irrespective of the source, should not compromise your enterprise completely. A tiered mitigation approach (defense in depth) results in a lesser impact radius.
- Even though public intel resources such as VirusTotal and OTX are essential, using them as the primary source of truth for the maliciousness of an application could prove disastrous.
A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?
- The rise of malware as a service coupled with malicious use of legitimate applications (such as Telegram) will increase the types of attacks we see against individuals and enterprises.
- Relatively inexperienced attackers will have the capability to perform more sophisticated attacks than before.
Godwin Attigah is a Security Engineer at Google. Before working at Google, they worked at Microsoft’s Cyber Defense Operations Center, where they primarily focused on detecting and managing incidents involving state-sponsored actors. Godwin’s work in security includes reverse engineering, detection engineering, security tool development, statistical modeling, and machine learning. Godwin holds a Master’s Degree in Computer Science from Johns Hopkins University and a BSc in Mathematics and Computer Science from the University of North Carolina at Chapel Hill.
Godwin works on global issues outside of cybersecurity, including but not limited to reducing global deaths from indoor pollution.