Tool For Enumerating Telegram Bot Secret Messages
- Telegram App Installed
- Bot API Key (e.g. botXXXXXXXXXX:XXXXXXXXXXXXXXXX-XXXXXXX_XXXXXXX)
- Bot chat_id number that contains secrets
- Python3
Malware campaigns such as AgentTesla (as part of its C2) and phishing kits will sometimes use Telegram Bot API calls to do the following:
- Send notifications on interaction (Phishing)
- Send phished credentials (Phishing)
- Send keylogger data (Malware)
- Send victim desktop screenshots (Malware)
- Send victim machine cookies/passwords (Malware)
Often these campaigns expose the bot id along with its API key. For Turncoat to work, we also need access to the 'chat_id' that the bot is sending the secrets to.
Thanks to the 'copyMessage' feature, access to the bot API key is enough to carry out the following methodology:
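As an added example that is not part of Turncoat, the following Python script pulls exposed bot tokens and chat_id values out of captured phishing-kit source or proxy log text and tags each call with the campaign behaviour it most likely serves, which is the evidence you need before the steps below. The token regex, the `window` heuristic and the sample lines are my own assumptions and constructions, not values from any real campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# Token shape (bot id digits, ':', 30-40 URL-safe chars) is an assumption
# based on the placeholder format shown in this README.
_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d{8,10}:[A-Za-z0-9_-]{30,40})/(?P<method>[A-Za-z]+)"
)
# chat_id as a query parameter, PHP array key ('chat_id' => ...) or JSON field.
_CHAT_RE = re.compile(r"chat_id[\"'\s]*(?:=>|[=:])[\"'\s]*(?P<chat_id>-?\d{5,20})")
# Bot API method -> behaviour from the campaign list above.
_METHOD_HINTS = {
    "sendMessage": "notification or phished credentials (text)",
    "sendDocument": "exfiltrated file (cookies/passwords/keylog data)",
    "sendPhoto": "victim screenshot",
}


@dataclass(frozen=True)
class TelegramIndicator:
    bot_id: str
    token: str
    method: str
    chat_id: Optional[str]  # None when no chat_id was found near the call
    hint: str


def extract_indicators(text: str, window: int = 300) -> List[TelegramIndicator]:
    """One indicator per distinct (token, method, chat_id); chat_id is the first
    occurrence within `window` chars after the call (query string or assignment)."""
    found: Dict[Tuple[str, str, Optional[str]], TelegramIndicator] = {}
    for m in _API_RE.finditer(text):
        token, method = m.group("token"), m.group("method")
        chat = _CHAT_RE.search(text, m.end(), m.end() + window)
        chat_id = chat.group("chat_id") if chat else None
        found.setdefault((token, method, chat_id), TelegramIndicator(
            bot_id=token.split(":", 1)[0], token=token, method=method,
            chat_id=chat_id, hint=_METHOD_HINTS.get(method, "other Bot API call"),
        ))
    return list(found.values())


# Constructed sample: a phishing-kit PHP fragment followed by a proxy log line.
# The token and chat_id are fake placeholders, not real indicators.
FAKE_TOKEN = "1234567890:" + "A" * 35
SAMPLE_CAPTURE = f"""\
$url = "https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage";
$data = ['chat_id' => '-100987654321', 'text' => $creds];
2024-01-02T03:04:05Z POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument?chat_id=-100987654321
"""
```

Running `extract_indicators(SAMPLE_CAPTURE)` yields the sendMessage call paired with the chat_id from the following PHP line and the sendDocument call with the chat_id from its query string; the bot_id and chat_id are what the `--botkey` and `--dropid` steps below consume.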
- Retrieve the bot 'first_name' and 'username' Telegram fields using the 'getMe' request.
- Search for the bot username on Telegram. (Manual Step)
- Send a simple message to the bot in the private chat on Telegram. (Manual Step)
- Retrieve our user account's 'id', which will be used as the 'chat_id' for the private conversation, using the 'getUpdates' request.
- Finally, tell the bot to copy any number of messages from the malware/phishing campaign chat ('from_chat_id') to our private 'chat_id' using the 'copyMessage' request.
For this example I will be using a botkey and chat_id from a phishing campaign located on urlscan.io. This was chosen to highlight the script features while not exposing sensitive information, as this particular campaign is only using the bot for alerting on click-through and logging on the phishing page.
- The area highlighted in green will be used as our '--botkey' value in the turncoat.py script.
- The chat_id number in red will be used as our '--dropid' value later in the example when we actually copy the secret messages.
- Open Telegram and log in with the account of your choosing that you want to receive the messages from the bot.
- In the Telegram app, search for the @username retrieved. Ensure that the first_name matches as well.
- Start a private chat with the bot.
- `python3 turncoat.py --botkey {Bot API Key} --getchat`
- 'Message From' should display your Telegram username. Copy the 'chat_id'; this is your Telegram account id that bots can use to send you messages.
- `python3 turncoat.py --botkey {Bot API Key} -t --chatid {Your chat_id from --getchat} --dropid {malware/phishing campaign chat_id with secrets}`
- Check Telegram for messages.
Additionally, you can specify the offset and count of messages you would like to retrieve.
The default offset is 1 and the default count is 10 messages. There is no simple way to determine how many messages the bot has in the private chat, but I may look to add this feature in the future.