Threat actors have figured out how to use the existing functionality and infrastructure of popular messaging apps such as Telegram and Discord to host, launch, and execute a variety of malware, as shown by ongoing, dangerous campaigns.
From bots that enable games and content sharing, to robust content delivery networks (CDNs) ideal for hosting malicious files, these platforms are helping fuel a surge of new attacks, according to the security research team at Intel 471.
Most often, the malware is used along with easily acquired infostealers to prey on unsuspecting users and steal their credentials, auto-filled data, payment card information, and more.
“Using messaging platforms, such as Telegram and Discord, allows threat actors to hide in plain view,” John Bambenek, principal threat hunter at Netenrich, explains to Dark Reading. “Many people already use these applications so you can’t just block them (though you may be able to block API access to those services in an enterprise environment). And there is not a large team administering those platforms, so they are not staffed to monitor channels and servers for criminal misuse.”
CDNs Abused to Host Malware
Some attackers have found success using CDNs like Discord’s to host their malware, which the analysts point out has no restrictions for file hosting.
“The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads,” according to the report on messaging app threats. PrivateLoader, Discoloader, Agent Tesla stealer, and Smokeloader are just a few of the malware families the researchers found lurking in Discord’s CDN.
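The detection angle a defender takes from the point above is that attachments on Discord’s CDN are served from a reputable domain without authentication, so the file type, not the domain reputation, is what has to be inspected. The following is an added example, not code from the Intel 471 report or from Dark Reading: it parses constructed web-proxy log lines (the six-field format is an assumption) and flags downloads of executable or archive file types from Discord’s CDN hostnames. The watch-list of hostnames and the set of risky extensions are assumptions a team would tune for its own environment.

```python
import os
import re
from urllib.parse import urlparse

# Hostnames to watch (assumption: Discord's attachment CDN and media proxy).
WATCHED_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# File types worth alerting on when fetched from a chat-platform CDN (assumed list).
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".msi", ".iso",
    ".js", ".vbs", ".ps1", ".bat",
    ".zip", ".rar", ".7z",
}

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample lines; these are not taken from any real incident.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/invoice.exe 200 482304
2022-03-01T10:00:02Z 10.0.0.6 GET https://cdn.discordapp.com/attachments/333/444/meme.png 200 20480
2022-03-01T10:00:03Z 10.0.0.7 GET https://example.com/news/index.html 200 1024
this line is malformed and should be skipped
2022-03-01T10:00:04Z 10.0.0.8 GET https://cdn.discordapp.com/attachments/555/666/update.DLL 200 99000
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def risky_download(url):
    """Return (host, extension) when the URL is a risky file type on a watched host.

    The extension is taken from the last path segment, so a double extension
    such as 'report.pdf.exe' is classified by its final '.exe', and any query
    string is ignored because urlparse keeps it out of the path.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in WATCHED_HOSTS:
        return None
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    ext = os.path.splitext(filename)[1]
    if ext not in RISKY_EXTENSIONS:
        return None
    return host, ext


def scan_log(text):
    """Return a list of flagged downloads (client, host, extension, url) from log text."""
    hits = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip unparseable lines rather than fail the whole scan
        verdict = risky_download(record["url"])
        if verdict is None:
            continue
        host, ext = verdict
        hits.append({"client": record["client"], "host": host,
                     "ext": ext, "url": record["url"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} fetched {hit['ext']} from {hit['host']}: {hit['url']}")
```

Run against the constructed log, the scan flags the `.exe` and `.DLL` fetches from `cdn.discordapp.com` and leaves the image and the unrelated site alone; in practice the same check sits on proxy or DNS telemetry so that blocking the whole platform, which the article notes is rarely an option, is not required.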
Telegram Bots Swipe OTP Tokens
Although the tactic isn’t new, Intel 471 analysts point out an emerging threat group, Astro OTP. It’s actively using Telegram bots to steal one-time password (OTP) tokens and SMS verification codes used for two-factor authentication.
“The operator allegedly could control the bot directly through the Telegram interface by executing simple commands,” the report explains. “Access to the bot is extremely cheap, a one-day subscription can be bought for $25, with a lifetime subscription available for $300.”
The threat from this tactic lasts far beyond the initial compromise. The Intel 471 team warns that gathering compromised credentials and other information can be a critical precursor to a devastating enterprise attack.
It’s up to users to be aware of the security of messaging platforms they use, the 471 researchers say, adding that enterprise security teams should take the time to protect against these types of messaging application man-in-the-middle attacks.
“Whether these actors are stealing credentials for further sales or bypassing verification codes to gain unauthorized access into a victim’s bank account, the ease by which threat actors can obtain this information should serve as a warning,” Michael DeBolt, chief intelligence officer at Intel 471, tells Dark Reading about his research team’s findings. “Security teams should institute token-based multi-factor authentication wherever possible, and educate their user base on what possible scams stemming from these automated schemes can look like.”