
Telegram Info-Stealer Monitoring

I don't know what to call this thing, but I guess it is OSINT.

I know info stealer monitoring isn't anything new, so this blog is just my way of rediscovering how other people have done it. I'm very grateful that those people shared this knowledge (some keywords) so that I could find it on my own. In this blog I focus on Telegram only, but the same approach works for websites and forums.

When I write this blog, I am afraid that if someone knows about this, they could use this information in bad ways, or do something harmful.

Stealer Logs

Stealer or Info Stealer -> malicious software designed to steal your data and credentials. Successful stealer families:

  • Redline

  • Meta

  • Raccoon

  • Aurora

  • Vidar

There are a lot of forums, Telegram channels, and Discord groups where these threat actors sell data and credentials. Usually, they will provide sample data on their channel to show that the data is legit.

How do I find this stuff?

First of all, if not for this SANS webcast I would never have known about this: https://www.sans.org/webcasts/setting-up-osint-watchdogs-create-free-persistent-monitoring-tools-python/, and exchanging information with "Konoha" gave me the idea that I could do something like that for myself too, so my journey to find information stealer channels began.

Existing List

By following this list or this list: https://github.com/fastfire/deepdarkCTI/blob/main/telegram.md you can join many sources, but the problem is that you don't have the full time to monitor these chat channels. The need for automation and crawlers is real. (This list is just a starting point for you; we will develop the OSINT skill to find more channels.)

OSINT

I use various search engines to find these channels and invitation links, and from there I can develop more keywords to search for more chat channels.

Tips how to find private, hidden, personal groups and channels - TelegramPrivateChatLeaks

In this post there are a few things I like:

  • The invitation links of Telegram (the private links)

  • Using Google dorks and Telegram dorks to find private channels

Combined with the keywords and an understanding of the Telegram channel URL format, we can craft a few dorks to search for these leak channels. Some basic search queries:

  • site:t.me/joinchat access

  • site:t.me/joinchat logs

  • site:t.me/joinchat txt

  • site:t.me/joinchat

  • intext:t.me/

  • intext:t.me/joinchat {keyword}

  • t.me/joinchat/AAA

  • site:t.me/ {keyword}

Some keywords that might be relevant: redline, logs, cloudlogs, logsfree, free logs, hacking software, rat, ddos, trojan, botnet, infect, virus, spyware, cloud extractor, bltools, pegasus, cve, dcrat, venom, aurora, stealer, free stealer, dropper, binder, blackhat, fud, asyncrat.

I try to build keyword lists like this in different languages to widen my results.

You can pivot and search for even more Telegram channels from these channels, by using Telegram's built-in search or Google search.

Automate the crawling process

After I got into quite a few info stealer channels, I started to download the data manually.

-> Well, you can't keep crawling for data manually, can you? Here is the control flow of my script, drawn by my friends; you should code it yourself to learn more, and you can tweak it if you like (using Telethon):

Using Python Telethon (a Python library for interacting with Telegram, which needs a phone number), we could set up a pipeline something like this:

Crawl messages/files → Store in Splunk/Elastic DB → Crawl and search keywords / create alerts on those datasets → Monitor / triage / investigate → Report to customer

There are some paid channels that I don't know are worth following, because you have to pay → which defeats the purpose of OSINT. Also, channels don't last long, so if a source dies you will have to find another → that's why we must find the correlation between channels. Think about it: this type of selling is a market, and a market has the same characteristics as a real-life market, with suppliers and distributors.


The flowchart of my script

Why am I detecting new Telegram channels in URLs? Because some channels post a link to their new Telegram channel, or create a channel just to publish their sample leak data; to download those I need to join that channel quickly and download the data before the link expires.

Notes: There are other tools, but I like to build my own, at least for now; maybe I'll switch to these tools soon:
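As an added illustration of the "crawl and search keywords / create alerts" stage and the new-channel detection described above (my own example here, not the script from the post): it runs over constructed sample messages, flags keywords from the list above, and reports t.me links that point at channels not yet followed. The Telethon crawl itself is left out; the message dicts stand in for what it would return.

```python
import re
from dataclasses import dataclass

# Alert terms taken from the keyword list in this post (a subset, assumed for the demo).
ALERT_KEYWORDS = ("redline", "logs", "cloudlogs", "stealer", "aurora", "vidar")

# Public channel links (t.me/name) and invite links (t.me/joinchat/<code>, t.me/+<code>).
TME_LINK = re.compile(r"(?:https?://)?t\.me/(?:joinchat/|\+)?[A-Za-z0-9_\-]+", re.IGNORECASE)


@dataclass
class Alert:
    channel: str
    message_id: int
    keywords: list        # alert keywords found in the message text
    new_links: list       # t.me links pointing at channels we do not follow yet
    has_file: bool        # message carries a media file (a possible sample dump)


def canonical(link):
    """Strip the scheme and lowercase so https://t.me/X and t.me/x compare equal."""
    return re.sub(r"^https?://", "", link.lower())


def classify_message(channel, message_id, text, has_file, known_channels):
    """Keyword search plus new-channel discovery for one crawled message.
    known_channels holds canonical links of channels already being followed.
    Returns an Alert, or None when the message is not interesting."""
    lowered = text.lower()
    hits = [k for k in ALERT_KEYWORDS if re.search(rf"\b{re.escape(k)}\b", lowered)]
    links = [m.group(0) for m in TME_LINK.finditer(text)
             if canonical(m.group(0)) not in known_channels]
    if not hits and not links and not has_file:
        return None
    return Alert(channel, message_id, hits, links, has_file)


def run_pipeline(messages, known_channels):
    """Run the alert stage over a batch of crawled messages."""
    known = {canonical(c) for c in known_channels}
    alerts = (classify_message(m["channel"], m["id"], m["text"], m["has_file"], known)
              for m in messages)
    return [a for a in alerts if a is not None]


# Constructed sample messages (not real channel content).
SAMPLE_MESSAGES = [
    {"channel": "examplelogs", "id": 101, "has_file": True,
     "text": "Fresh REDLINE logs today, sample in the attached file"},
    {"channel": "examplelogs", "id": 102, "has_file": False,
     "text": "We moved! New channel: https://t.me/joinchat/AAAAexample"},
    {"channel": "examplelogs", "id": 103, "has_file": False,
     "text": "good morning everyone"},
]
```

In the real pipeline the returned alerts are what gets written to the Splunk/Elastic index, and each new link is a candidate to follow.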

How can we use data leak information?

In these channels, I noticed there are two main types of leaked data:

The first is url:username:password in a text file (they can change the order, but most of the time it is username and password), for example:

Telegram messages whose media is a text file containing URL, username and password

The second is stealer logs, which come as compressed files (zip, rar) containing the stolen data the stealer has gathered. Below are the extracted folders from a leaked compressed file:

Extracted folder

In those folders are these folders and files; as you can see there are passwords and a lot of other information these stealers can take. You can use this script to parse all the information, such as passwords and usernames, into a TXT file: https://github.com/milxss/universal_stealer_log_parser/tree/main. There is a lot of information that can be useful for investigation and statistics, but most of the time I find myself using password matching quite a lot.

Stealer's stolen data

Alright, so now you know what is in play; let's talk about how we will use this information and address some of the problems.

Build your own breached/stealer logs database

You have heard of https://haveibeenpwned.com/ and https://breachdirectory.org/, right? They have a pool of breached data and stealer logs of their own, and you wonder how the hell they have that information and why you don't.

So this is how you can build your own, by collecting all the sample leaked data.

Problem 1: Duplicate data [Not resolved]

If you ingest this data every day, you will see that it is massive: every day you are dealing with roughly ~25GB to 100GB. But most of it is duplicated, which you need to find a way to remove.

Problem 2: Unstructured data [Not resolved]

Not just duplicates alone: the data is unstructured because the log sellers copy and paste the files, and sometimes the format is inconsistent across channels, so parsing and storing this data won't be easy. You need to dedicate time and human resources to clean this data and store it.

Problem 3: Slow search time [Not resolved]

Big data means you can't use a simple grep command or any normal line-by-line search; you need indexes and a search engine or something like that. Right now I can only think of Elasticsearch.

Problem 4: Storage [Not resolved]

You need a data lake and a big hard drive to store all of this data, and also a backup; it would be a system where you can search and store it nicely. Maybe a 10TB SSD is good enough?

Problem 5: Legals?

I don't know about this honestly.

Check for compromised account

A simple search query or grep will do it: just search for your company email handle or your email address to verify that you haven't been compromised by stealers yet.

If you or your friends notice that someone is trying to log in to your account and triggering 2FA quite a lot, that means there is an >80% chance your account is in these stealer logs -> which you can search for and confirm.
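An added example (my own, not from the post or the parser linked above) that works through Problem 1 and Problem 2 on the url:username:password format and then does the compromised-account check for a watched domain: it parses lines regardless of field order, drops duplicates, and matches usernames or login hosts under the domain. The dump is constructed; the domains, accounts and passwords are placeholders.

```python
import re
from urllib.parse import urlsplit

# The username field is recognised by looking like an email address.
EMAIL = re.compile(r"^[^@\s:]+@[^@\s:]+\.[A-Za-z]{2,}$")
# Split on ':' unless it starts '//' (URL scheme) or a port like ':8443/'.
FIELD_SEP = re.compile(r":(?!//|\d{2,5}/)")


def parse_line(line):
    """Parse one url:user:pass line in any field order: the URL is the field with
    '://', the username the one that looks like an email, and the rest, joined back
    with ':', is the password (so passwords containing ':' survive)."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) < 3:
        return None
    url = next((f for f in fields if "://" in f), None)
    user = next((f for f in fields if EMAIL.match(f)), None)
    if url is None or user is None:
        return None
    password = ":".join(f for f in fields if f not in (url, user))
    return {"url": url, "host": urlsplit(url).hostname or "",
            "user": user.lower(), "password": password}


def load_records(text):
    """Parse a whole dump, dropping duplicates (same host, user and password)."""
    seen, records = set(), []
    for rec in filter(None, map(parse_line, text.splitlines())):
        key = (rec["host"], rec["user"], rec["password"])
        if key not in seen:
            seen.add(key)
            records.append(rec)
    return records


def find_exposed(records, domain):
    """Records whose username belongs to `domain` or whose login URL is a host under it."""
    domain = domain.lower()
    return [r for r in records if r["user"].endswith("@" + domain)
            or r["host"] == domain or r["host"].endswith("." + domain)]


# Constructed sample dump in the inconsistent formats seen on these channels.
SAMPLE_DUMP = """\
https://mail.corp.example/owa:alice@corp.example:Winter2023!
alice@corp.example:Winter2023!:https://mail.corp.example/owa
https://MAIL.corp.example:8443/owa:Alice@corp.example:Winter2023!
https://shop.example.net/login:bob@mailbox.example:p:ss:w0rd
broken line without enough fields
"""
```

The dedupe key deliberately ignores URL case and port so the three alice lines collapse into one record; at the volumes above the same set-of-keys idea would live in the search index rather than in memory.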

Pivot for OSINT investigation

A lot of researchers and investigators leverage this data to unveil cases; this data is like the dark art of magic. It holds information the suspect doesn't want exposed, such as passwords, machines, computer names, addresses, real email addresses, real names, or even which websites they access.

-> Investigation is much easier when you have all sorts of this data; most researchers admit this is more useful than Facebook, Instagram, or any other platform. Using this information is somewhat controversial.

For example:

If you have an email address and want to know the real name behind it, or whether this email address has been used anywhere, traditional OSINT might not help you. But if you search for it in the information stealer data you collected -> you might find the email address with the login URL, computer information, geolocation, and probably the password itself.

References and credits

In this section I'll give you my understanding of these channels during my learning (I just re-learned this knowledge from the best OSINT practitioners around the world). Thanks to https://twitter.com/matt0177 (Matt Edmondson) for sharing his knowledge, and also to Michael Bazzell for Inteltechniques, and many other OSINT practitioners.

Also "N", who built the script together with me; we reinvented quite a lot of wheels, but it was fun and the best part is that we learned something new. I appreciate your help, contributions, and support.


What's next

I guess finishing the script and publishing that small script, storing all that data, continuing to research info stealers, tracking their C2 infrastructure and deception. To be honest I have a lot of ideas.

  • Find the relations between Telegram channels.

  • Learn about data breaches and how to obtain them. In this Telegram monitoring post I haven't talked about breaches that much.

  • Learn more from others.
