Phishing Malware That Sends Stolen Information Using Telegram API

by Prapattimynk, Tuesday, 27 February 2024 (2 months ago)
Phishing Malware That Sends Stolen Information Using Telegram API


Last year, AhnLab SEcurity intelligence Center (ASEC) introduced phishing script files that used Telegram to leak user information [1]. Recently, several phishing scripts using Telegram are being distributed indiscriminately through keywords such as remittance and receipts.

Unlike the phishing script files that were distributed in the early days, the latest files are obfuscated to avoid detection. Similar to the past, they are being distributed using various means and tactics such as prompting users to login to open protected files or impersonating the Microsoft login page.

Figure 1. Phishing page

The following is the deobfuscated code, and the threat actor requests users to enter a password consisting of at least five characters in order to steal the password actually in use.

Figure 2. Asking users to enter a password of at least five characters

After entering a password of at least five characters, the malware sends the stolen information to threat actors via the Telegram API. The transferred information consist of email addresses, passwords, IP, and userAgent. The token and Chat ID information are defined in advance to send a message to the threat actors.

Figure 3. Stealing user information

Afterward, the malware redirects users to the legitimate Microsoft website so that the user does not notice the malicious activity.

Figure 4. Redirected website

In addition to the phishing-type malware introduced in this article, AgentTesla malware also used Telegram to steal user information. The use of Telegram to steal user information is on the rise. Furthermore, phishing websites are becoming more sophisticated in their production and distribution. Thus, users must refrain from opening files from suspicious sources and logging into suspicious websites.

[File Detection]
Phishing/HTML.Generic.SC196647 (2024.02.08.00)
Phishing/HTML.Generic.SC196648 (2024.02.08.00)
Phishing/HTML.Generic.SC196649 (2024.02.08.00)
Phishing/HTML.Generic.SC196762 (2024.02.20.00)

[IOC]
52e65857ed34be25c76b54d1c3131abe
6cfff5e65cabf8090ab9aa8b9977f4a8
aae4afd45b38168259268169855562b9
87a0281ced86d15b6a8fc8cf299fd96f

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.