Last year, AhnLab SEcurity intelligence Center (ASEC) introduced phishing script files that used Telegram to leak user information [1]. Recently, several phishing scripts using Telegram are being distributed indiscriminately through keywords such as remittance and receipts.
Unlike the phishing script files that were distributed in the early days, the latest files are obfuscated to avoid detection. Similar to the past, they are being distributed using various means and tactics such as prompting users to login to open protected files or impersonating the Microsoft login page.
Figure 1. Phishing page
The following is the deobfuscated code, and the threat actor requests users to enter a password consisting of at least five characters in order to steal the password actually in use.
Figure 2. Asking users to enter a password of at least five characters
After entering a password of at least five characters, the malware sends the stolen information to threat actors via the Telegram API. The transferred information consist of email addresses, passwords, IP, and userAgent. The token and Chat ID information are defined in advance to send a message to the threat actors.
Figure 3. Stealing user information
Afterward, the malware redirects users to the legitimate Microsoft website so that the user does not notice the malicious activity.
Figure 4. Redirected website
In addition to the phishing-type malware introduced in this article, AgentTesla malware also used Telegram to steal user information. The use of Telegram to steal user information is on the rise. Furthermore, phishing websites are becoming more sophisticated in their production and distribution. Thus, users must refrain from opening files from suspicious sources and logging into suspicious websites.
[File Detection]
Phishing/HTML.Generic.SC196647 (2024.02.08.00)
Phishing/HTML.Generic.SC196648 (2024.02.08.00)
Phishing/HTML.Generic.SC196649 (2024.02.08.00)
Phishing/HTML.Generic.SC196762 (2024.02.20.00)
[IOC]
52e65857ed34be25c76b54d1c3131abe
6cfff5e65cabf8090ab9aa8b9977f4a8
aae4afd45b38168259268169855562b9
87a0281ced86d15b6a8fc8cf299fd96f
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Phishing Malware That Sends Stolen Information Using Telegram API appeared first on ASEC BLOG.
Article Link: Phishing Malware That Sends Stolen Information Using Telegram API - ASEC BLOG