To start the process of collecting the threat actors' Chat ID and bot token, the analysts found a relevant malware sample related to the domain “api.telegram.org” using ANY.RUN’s Threat Intelligence Lookup. The sandbox also allowed researchers to view the server’s response, which contained useful information in JSON format, including chat_id, bot username, bot name, chat name, and chat type. After discovering the sample, the analysts detonated it again in the sandbox to observe all the requests directed to api.telegram.org and examine its interaction with Telegram’s API. By analyzing the malware’s POST requests, the analysts collected the bot token (a key used for authentication) and the chat_id (which identifies the recipient chat). The service includes a searchable database of threat data collected from millions of analysis sessions performed in the ANY.RUN sandbox.
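The extraction step described above can be automated once the sandbox has captured the traffic. The following is an added example, not code from ANY.RUN or from the article: it takes one captured HTTP request to api.telegram.org and the JSON body of the server's reply, pulls the bot token and method name out of the request path, the chat_id out of the request body (form-encoded or JSON), and the chat and bot details out of the response, which follows the Bot API's Message object layout. The request, token, ids and names are constructed placeholders, not real credentials. It goes slightly beyond the article by also accepting a JSON request body and by cross-checking that the chat_id in the request matches the one echoed in the response, which is a useful sanity check before the values are filed as indicators.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample traffic, modelled on what a sandbox shows for a Telegram
# bot-API exfiltration beacon. The token and ids are placeholders.
SAMPLE_REQUEST = (
    "POST /bot1234567890:CONSTRUCTED_TOKEN_PLACEHOLDER_aBcDeFgHiJ/sendMessage HTTP/1.1\r\n"
    "Host: api.telegram.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "chat_id=-1001234567890&text=beacon"
)
SAMPLE_RESPONSE_BODY = json.dumps({
    "ok": True,
    "result": {
        "message_id": 1,
        "from": {"id": 1234567890, "is_bot": True,
                 "first_name": "ConstructedBotName", "username": "constructed_bot"},
        "chat": {"id": -1001234567890, "title": "constructed drop chat", "type": "supergroup"},
        "date": 0,
        "text": "beacon",
    },
})

# Bot tokens are "<numeric bot id>:<secret>", sent in the URL path as /bot<token>/<method>
TOKEN_RE = re.compile(r"/bot(\d+:[A-Za-z0-9_-]{20,})/(\w+)")


def parse_request(raw: str) -> Optional[dict]:
    """Return bot token, bot id, API method and chat_id from one raw HTTP request,
    or None if the request is not a Telegram bot-API call."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("host") != "api.telegram.org":
        return None
    match = TOKEN_RE.search(request_line)
    if not match:
        return None
    token, method = match.group(1), match.group(2)
    # The chat_id can travel as a form field or inside a JSON body.
    if "json" in headers.get("content-type", ""):
        chat_id = json.loads(body).get("chat_id")
    else:
        chat_id = parse_qs(body).get("chat_id", [None])[0]
    return {
        "bot_token": token,
        "bot_id": int(token.split(":", 1)[0]),
        "method": method,
        "request_chat_id": None if chat_id is None else str(chat_id),
    }


def parse_response(body: str) -> Optional[dict]:
    """Pull chat and bot details from a successful Bot API reply (a Message object)."""
    data = json.loads(body)
    if not data.get("ok") or not isinstance(data.get("result"), dict):
        return None
    result = data["result"]
    chat = result.get("chat", {})
    sender = result.get("from", {})
    return {
        "response_chat_id": None if chat.get("id") is None else str(chat["id"]),
        # Groups carry a title; private chats carry a name or username instead.
        "chat_name": chat.get("title") or chat.get("first_name") or chat.get("username"),
        "chat_type": chat.get("type"),
        "bot_username": sender.get("username"),
        "bot_name": sender.get("first_name"),
    }


def extract_indicators(raw_request: str, response_body: str) -> Optional[dict]:
    """Combine request and response into one indicator record; None if not Telegram."""
    req = parse_request(raw_request)
    if req is None:
        return None
    resp = parse_response(response_body) or {}
    record = {**req, **resp}
    record["chat_id_consistent"] = (
        req["request_chat_id"] is not None
        and req["request_chat_id"] == resp.get("response_chat_id")
    )
    return record


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE_BODY), indent=2))
```

The record this produces (bot token, bot id, chat_id, chat name and type, bot username and name) is exactly the set of fields the article lists, and the consistency flag is false whenever the sandbox reply does not belong to the request it is paired with.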
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Oct 2024 16:15:10 +0000