Built-in Telegram & Discord services are proving useful to criminals for storing stolen data, hosting malware & running bots for fraud.
Cyber-criminals are tapping the built-in services of popular messaging apps like Telegram & Discord as ‘ready-made’ platforms for persistent campaigns that threaten users, researchers have found.
New Research
Threat actors are tapping the multi-feature nature of messaging apps, in particular their content-creation & program-sharing components, as a basis for info-stealing, states new research from Intel 471.
They use the apps “to host, distribute, & execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.
Remote Work
“While messaging apps like Discord & Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cyber-criminal has a bigger attack surface at their disposal than in past years,” researchers wrote.
Intel 471 identified 3 key ways that threat actors are using built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, & using bots that perform their work, they said.
Exfiltrated Data
Having a dedicated & secure network to store data stolen from unsuspecting victims of cyber-crime can be costly & time-consuming. So, threat actors are using the data-storage features of Discord & Telegram as repositories for info-stealers, some of which depend on the apps for this part of their function, researchers have discovered.
New malware dubbed Ducktail, which steals data from Facebook Business users, was recently seen storing exfiltrated data in a Telegram channel, & it is not the only one.
X-Files
Researchers from Intel 471 saw a bot known as ‘X-Files’ that uses bot commands inside Telegram to steal & store data, they stated. When the malware infects a system, threat actors can swipe passwords, session cookies, login credentials & credit-card details from popular browsers, including Google Chrome, Chromium, Opera, Slimjet & Vivaldi, & then put that stolen info “into a Telegram channel of their choosing,” researchers explained.
Another stealer known as Prynt Stealer works similarly, but does not have the built-in Telegram commands, they added.
Platform of Choice
Other stealers use Discord as their messaging platform of choice for storing stolen data.
One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets & passwords, researchers outlined.
‘Webhooks’ are similar to APIs in that they simplify the transmission of automated messages & data updates from a victim’s machine to a particular messaging channel.
Data Storage
Blitzed Grabber & 2 other stealers observed using messaging apps for data storage, Mercurial Grabber & 44Caliber, also target credentials for the Minecraft & Roblox gaming platforms, researchers added.
“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cyber-crime underground,” researchers noted.
Payload Hosting
Threat actors also are using the cloud infrastructure of messaging apps to host more than legitimate services: they also hide malware inside it, according to Intel 471.
Discord’s content delivery network (CDN) has been an especially useful source for malware hosting since 2019 because cyber-crime operators face no restrictions when uploading their malicious payloads there for file hosting, researchers noted.
“The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads,” researchers wrote.
Malware families observed using the Discord CDN to host malicious payloads include PrivateLoader, Colibri, Warzone RAT, Smokeloader, Agent Tesla stealer & njRAT.
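The three abuse patterns above (stolen data POSTed to a Discord webhook, payloads fetched from the Discord CDN, and stealers talking to the Telegram Bot API) all leave a distinctive URL in outbound web-proxy logs, which is the simplest place for a defender to catch them. The script below is an added example written for this page, not Intel 471's tooling: it scans constructed proxy log lines for the public Discord and Telegram endpoints. The hostnames and URL paths are the real, documented ones; the log format, timestamps, IP addresses, channel IDs and the token-like string are all made up for the example.

```python
"""Flag proxy-log entries that touch the messaging-app features described above:
Discord webhooks (stolen-data drop), Discord CDN attachments (payload hosting)
and the Telegram Bot API (bot-driven exfiltration). Added example, not Intel 471 code."""
import re
from dataclasses import dataclass

# Regexes for the public Discord and Telegram endpoints. The hostnames are the real,
# documented ones; everything else in this file (log format, IPs, IDs, tokens) is constructed.
INDICATORS = {
    "discord_webhook": re.compile(
        r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I),
    "discord_cdn_attachment": re.compile(
        r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/[^\s\"]+", re.I),
    "telegram_bot_api": re.compile(
        r"https?://api\.telegram\.org/bot[^/\s]+/\w+", re.I),
}

# Extensions that make a CDN attachment download look like payload retrieval rather than a shared image.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".js", ".jar",
                  ".zip", ".rar", ".7z", ".iso")


@dataclass
class Finding:
    src: str
    category: str
    url: str
    note: str


def classify(method: str, url: str):
    """Return (category, note) when the URL hits one of the indicators, else None."""
    for name, rx in INDICATORS.items():
        if not rx.search(url):
            continue
        if name == "discord_webhook":
            # Webhooks only accept POSTs; a POST to one from a workstation is the data-drop pattern.
            if method == "POST":
                return name, "POST to Discord webhook"
            return name, "request to Discord webhook"
        if name == "discord_cdn_attachment":
            path = url.split("?", 1)[0].lower()
            if path.endswith(EXECUTABLE_EXT):
                return name, "executable/archive fetched from Discord CDN"
            return name, "non-executable attachment fetched from Discord CDN"
        if name == "telegram_bot_api":
            return name, "Telegram Bot API call (bot token in URL)"
    return None


def scan_proxy_log(lines):
    """Parse constructed proxy lines '<ts> <src_ip> <method> <url> <status>' and return findings."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the scan
        _ts, src, method, url, _status = parts[:5]
        hit = classify(method.upper(), url)
        if hit:
            findings.append(Finding(src=src, category=hit[0], url=url, note=hit[1]))
    return findings


# Constructed sample log (timestamps, IPs, IDs and the token-like string are made up).
SAMPLE_LOG = [
    "2022-08-09T10:01:02Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2022-08-09T10:01:09Z 10.0.0.15 POST https://discord.com/api/webhooks/1234567890/AbCdEfGh-ijkl 204",
    "2022-08-09T10:02:30Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/111111/222222/update.exe 200",
    "2022-08-09T10:03:11Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/111111/333333/photo.png 200",
    "2022-08-09T10:04:45Z 10.0.0.31 POST https://api.telegram.org/botEXAMPLE_TOKEN_PLACEHOLDER/sendDocument 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.src:12} {f.category:24} {f.note}")
```

In an environment where Discord and Telegram are not business tools (the situation the researchers describe), any webhook POST or Bot API call from a workstation is worth an alert on its own; where Discord is in legitimate use, the CDN check should be narrowed to the executable/archive case and the webhook check baselined against known integrations before it is turned into a blocking rule.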
Bots for Fraud
Cyber-criminals also are ‘empowering’ Telegram bots to do more than offer legitimate features to users, researchers found.
Intel 471 has observed what it calls an “uptick” in services being sold on the cyber-crime underground that provide access to bots that can intercept one-time password (OTP) tokens, which threat actors can weaponize to defraud users.
One bot known as Astro OTP gives threat actors access to both OTPs & short message service (SMS) verification codes, researchers observed. Cyber-criminals can control the bots directly through the Telegram interface by executing simple commands, they revealed.
The current rate for Astro OTP on hacker forums is US$25 for a 1-day subscription or US$300 for a lifetime subscription, researchers reported.