Suspicious DNS Queries to Telegram API by Non-Telegram Processes
Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.
This alert identifies systems querying the Telegram API domain (api.telegram.org) using processes other than the legitimate Telegram application. Threat actors frequently leverage Telegram bots for C2, due to their ease of use, encryption, and widespread availability. Malware can use these bots to receive commands, exfiltrate data, or perform other malicious activities. Detecting DNS queries for Telegram’s API from unexpected processes can uncover compromised systems or unauthorized use of Telegram for covert communication. The detection focuses on non-standard Telegram clients resolving the api.telegram.org domain to filter out legitimate Telegram application traffic and focus on suspicious processes.
Attack Chain
- A user inadvertently downloads and executes a malicious payload (e.g., via phishing or drive-by download).
- The malware establishes persistence on the system (e.g., via registry keys or scheduled tasks).
- The malware initiates a DNS query to resolve api.telegram.org to identify the Telegram API server IP address.
- The malware establishes a communication channel with a Telegram bot controlled by the attacker using the resolved IP address.
- The attacker sends commands to the bot, which are relayed to the compromised system.
- The malware executes the received commands, potentially including data exfiltration or further malicious actions.
- The malware exfiltrates sensitive data to the attacker via the Telegram bot.
- The attacker maintains persistent access and control over the compromised system via the Telegram bot.
Impact
Compromised systems can be remotely controlled by attackers, leading to data theft, system disruption, or further propagation of malware within the network. The use of Telegram bots enables covert communication, making it difficult to detect malicious activity using traditional methods. Multiple threat actors employ Telegram-based C2, including those associated with information stealers, keyloggers, and crypto-mining malware. A successful attack can lead to significant data breaches and financial losses.
Recommendation
- Deploy the Sigma rule "Detect Suspicious Telegram DNS Queries" to your SIEM to identify processes making DNS queries to the Telegram API (api.telegram.org) other than the legitimate Telegram application.
- Investigate any alerts generated by the Sigma rule by examining the process execution history, network connections, and related system activity.
- Block the domain api.telegram.org at the DNS resolver or firewall to prevent compromised systems from communicating with Telegram bots, unless legitimate business use requires it.
- Enable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events on endpoints.
- Update Sysmon to at least version 6.0.4 to ensure comprehensive DNS event logging.
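The detection logic described above, run over a handful of Sysmon Event ID 22 records, as an added example that is not part of this page or of the platform's own rule set. The JSON lines are constructed for the example, and the allowlisted install path of Telegram Desktop is an assumption; matching on the full path suffix rather than the bare file name is a deliberate choice so that a binary merely renamed to Telegram.exe in another directory is still reported.

```python
"""Flag Sysmon Event ID 22 (DNS query) records in which a process other than the
legitimate Telegram client resolves api.telegram.org.

Added example; the log lines are constructed, not taken from a real host.
Equivalent Sigma shape:  selection (EventID 22, QueryName api.telegram.org)
                         and not filter (Image ends with the Telegram install path).
"""
import json

# Domain from the page's IoC table.
TELEGRAM_API_DOMAIN = "api.telegram.org"

# Assumption: Telegram Desktop runs from
# "<profile>\AppData\Roaming\Telegram Desktop\Telegram.exe". Suffix match on the
# path, case-insensitive, so a Telegram.exe dropped elsewhere is not excluded.
ALLOWED_IMAGE_SUFFIXES = (
    "\\appdata\\roaming\\telegram desktop\\telegram.exe",
)

# Constructed Sysmon Event ID 22 records, flattened to JSON lines as a forwarder
# might emit them. Includes a non-22 event and a malformed line to exercise parsing.
SAMPLE_EVENTS = r"""
{"EventID": 22, "UtcTime": "2024-05-01 10:00:01.000", "Image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "ProcessId": 4120, "QueryName": "api.telegram.org", "QueryStatus": "0"}
{"EventID": 22, "UtcTime": "2024-05-01 10:00:05.000", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 2208, "QueryName": "web.telegram.org", "QueryStatus": "0"}
{"EventID": 22, "UtcTime": "2024-05-01 10:02:17.000", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessId": 6644, "QueryName": "api.telegram.org", "QueryStatus": "0"}
{"EventID": 22, "UtcTime": "2024-05-01 10:03:40.000", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Telegram.exe", "ProcessId": 7012, "QueryName": "API.TELEGRAM.ORG.", "QueryStatus": "0"}
{"EventID": 1, "UtcTime": "2024-05-01 10:03:41.000", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Telegram.exe", "ProcessId": 7012, "CommandLine": "Telegram.exe"}
this line is not JSON and is skipped
"""


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot a resolver may append to a FQDN."""
    return name.strip().rstrip(".").lower()


def is_allowed_image(image: str, allowed=ALLOWED_IMAGE_SUFFIXES) -> bool:
    """True when the process image path ends with an allowlisted install path."""
    return image.lower().endswith(tuple(s.lower() for s in allowed))


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_telegram_api_dns(events, allowed=ALLOWED_IMAGE_SUFFIXES) -> list:
    """Return one finding per Event 22 that resolves api.telegram.org from a
    process outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        if normalize_domain(ev.get("QueryName", "")) != TELEGRAM_API_DOMAIN:
            continue
        image = ev.get("Image", "")
        if is_allowed_image(image, allowed):
            continue
        # A Telegram.exe outside its install directory is the more suspicious case.
        reason = ("masquerading: Telegram.exe outside its install directory"
                  if image.lower().endswith("\\telegram.exe")
                  else "non-Telegram process resolving the Telegram API")
        findings.append({
            "time": ev.get("UtcTime"),
            "image": image,
            "process_id": ev.get("ProcessId"),
            "query": normalize_domain(ev.get("QueryName", "")),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for hit in detect_telegram_api_dns(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['time']}  pid={hit['process_id']}  {hit['image']}  -> {hit['reason']}")
```

Run against the sample, the legitimate client and the browser visiting web.telegram.org are ignored, while the PowerShell query and the Temp-folder Telegram.exe are both reported; an alert on the second case is what justifies matching the install path instead of only the executable name.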
Detection coverage (2 rules)
- Detect Suspicious Telegram DNS Queries (severity: high): Detects processes other than the Telegram application making DNS queries to the Telegram API domain, which could indicate C2 activity.
- Suspicious Process Making Telegram API Request (severity: medium): Detects a process other than the legitimate Telegram application resolving the Telegram API domain.
Indicators of compromise (1)
| Type | Value |
|---|---|
| domain | api.telegram.org |