Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Sigma rule

```yaml
title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.002
logsource:
    category: proxy
detection:
    selection:
        cs-host: 'api.telegram.org' # Often used by Bots
    filter:
        c-useragent|contains:
            # Used https://core.telegram.org/bots/samples for this list
            - 'Telegram'
            - 'Bot'
    condition: selection and not filter
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Legitimate use of Telegram bots in the company
level: medium
```
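The following is an added example, not code from the rule or the SigmaHQ project: a small Python evaluator that applies the rule's `selection and not filter` logic to proxy log records. It uses the rule's own field names (`cs-host`, `c-useragent`, `ClientIP`, `c-uri`) and Sigma's default case-insensitive string matching, so it shows two details the YAML alone does not make obvious: a User-Agent such as `helpdesk-bot/1.0` is excluded by the `Bot` substring even though the case differs, and a request with no User-Agent field at all cannot satisfy the filter and is therefore reported. The sample records are constructed for illustration (the bot token in the URIs is a placeholder), and the `known_bot_clients` parameter is this example's own tuning knob for the documented false positive, not part of the rule.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): evaluate
# the "Telegram API Access" rule logic over proxy log records.
from typing import Iterable

SELECTION_HOST = "api.telegram.org"
FILTER_UA_SUBSTRINGS = ("Telegram", "Bot")
FIELDS = ("ClientIP", "c-uri", "c-useragent")

# Constructed sample proxy records; the bot token in c-uri is a placeholder.
SAMPLE_PROXY_LOGS = [
    {"ClientIP": "10.0.0.5", "cs-host": "api.telegram.org",
     "c-uri": "/bot<PLACEHOLDER_TOKEN>/sendMessage",
     "c-useragent": "python-requests/2.31.0"},
    {"ClientIP": "10.0.0.6", "cs-host": "api.telegram.org",
     "c-uri": "/bot<PLACEHOLDER_TOKEN>/getUpdates",
     "c-useragent": "TelegramBot (like TwitterBot)"},
    {"ClientIP": "10.0.0.7", "cs-host": "telegram.org",
     "c-uri": "/", "c-useragent": "Mozilla/5.0"},
    {"ClientIP": "10.0.0.8", "cs-host": "API.TELEGRAM.ORG",
     "c-uri": "/bot<PLACEHOLDER_TOKEN>/getFile",
     "c-useragent": "Go-http-client/1.1"},
    {"ClientIP": "10.0.0.9", "cs-host": "api.telegram.org",
     "c-uri": "/bot<PLACEHOLDER_TOKEN>/sendDocument"},  # no User-Agent header
    {"ClientIP": "10.0.0.10", "cs-host": "api.telegram.org",
     "c-uri": "/bot<PLACEHOLDER_TOKEN>/sendMessage",
     "c-useragent": "helpdesk-bot/1.0"},
]


def ua_contains_any(user_agent: str, needles: Iterable[str]) -> bool:
    """Sigma '|contains' over a list: any needle is a case-insensitive substring."""
    ua = user_agent.lower()
    return any(n.lower() in ua for n in needles)


def matches_rule(record: dict) -> bool:
    """'selection and not filter' with Sigma's default case-insensitive matching.

    A missing c-useragent field can never satisfy the filter, so such a
    request is still reported, which is what a rule hunting for
    non-standard clients wants.
    """
    host = (record.get("cs-host") or "").lower()
    selection = host == SELECTION_HOST
    filtered = ua_contains_any(record.get("c-useragent") or "", FILTER_UA_SUBSTRINGS)
    return selection and not filtered


def run_rule(records, known_bot_clients=frozenset()):
    """Return the rule's 'fields' for each matching record.

    known_bot_clients is an assumption of this example (not part of the
    rule): client IPs of approved in-house Telegram bots are dropped to
    handle the false positive listed under 'falsepositives'.
    """
    hits = []
    for r in records:
        if r.get("ClientIP") in known_bot_clients:
            continue
        if matches_rule(r):
            hits.append({k: r.get(k) for k in FIELDS})
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_PROXY_LOGS):
        print(hit)
```

Running the block reports the `python-requests`, `Go-http-client` and missing-User-Agent requests and leaves the two records whose User-Agent contains `Telegram` or `Bot` alone; the host comparison is also case-insensitive, so `API.TELEGRAM.ORG` still matches the selection. When tuning for approved internal bots, prefer an explicit exception such as the client allowlist here over widening the substring filter, since the filter is already coarse.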
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- HTTP Request With Empty User Agent
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy