Suspicious DNS Queries to Telegram Bot API
Detection of DNS queries to api.telegram.org by processes other than telegram.exe indicates potential command and control communication via Telegram bots, a technique leveraged by malware to establish covert communication channels.
This threat brief addresses the use of Telegram bots by malicious actors for command and control (C2) communications. Threat actors leverage Telegram's API to establish covert channels with compromised systems, enabling them to issue commands and exfiltrate data discreetly. The detection focuses on identifying DNS queries to api.telegram.org originating from processes other than the legitimate telegram.exe, which is indicative of unauthorized use of the Telegram API. This technique allows attackers to bypass traditional security measures by utilizing a popular and trusted platform for malicious purposes. Identifying and blocking this activity is crucial to preventing data theft and further compromise. This activity has been observed in malware families like Crypto Stealer, 0bj3ctivity Stealer, and BlankGrabber Stealer.
Attack Chain
- A user unknowingly executes a malicious file (e.g., via phishing or drive-by download).
- The malicious file executes a process (e.g., a script interpreter like
powershell.exeorpython.exe). - This process makes a DNS query to resolve
api.telegram.orgto obtain the IP address of the Telegram Bot API server. - The malicious process establishes a network connection to the resolved IP address on port 443 (HTTPS) to communicate with the Telegram bot.
- The compromised system sends information (system data, credentials, files) to the attacker-controlled Telegram bot.
- The attacker sends commands to the bot, which relays these commands to the compromised system for execution.
- The malicious process executes commands received from the Telegram bot.
- The attacker achieves their objective (e.g., data theft, credential harvesting, lateral movement).
Impact
Successful exploitation can lead to data exfiltration, system compromise, and further propagation of malware within the network. If a compromised system successfully communicates with a malicious Telegram bot, sensitive data can be stolen, and attackers can gain remote control over the infected machine. This can allow attackers to move laterally within the network, compromise additional systems, and ultimately achieve their objectives, such as financial theft or intellectual property theft.
Recommendation
- Deploy the Sigma rule
Detect Suspicious Telegram DNS Queriesto your SIEM to identify unauthorized Telegram API usage (reference:Detect Suspicious Telegram DNS Queries). - Investigate any processes other than
telegram.exethat resolveapi.telegram.org(reference: IOC -api.telegram.org). - Monitor network connections to Telegram's infrastructure from unusual processes (reference:
Detect Suspicious Telegram Network Connections). - Implement network-level blocking of connections to
api.telegram.orgfrom unauthorized systems. - Ensure Sysmon is installed and configured to capture DNS query events (EventID 22) and process creation events.
Detection coverage 2
Detect Suspicious Telegram DNS Queries
highDetects DNS queries to api.telegram.org from processes other than the legitimate Telegram application, which can indicate command and control activity.
Detect Suspicious Telegram Network Connections
mediumDetects network connections to Telegram's infrastructure from unusual processes.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
domain
| Type | Value |
|---|---|
| domain | api.telegram.org |