Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.
Threat actors are tapping the multi-feature nature of messaging apps—in particularly their content-creation and program-sharing components—as a foundation for info-stealing, according to new research from Intel 471.
Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.
“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.
Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.
Storing Exfiltrated Data
Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.
Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.
Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers– including Google Chrome, Chromium, Opera, Slimjet and Vivaldi–and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.
Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.
Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Webhooks are similar to APIs in that they simplify the transmission of automated messages and data updates from a victim’s machine to a particular messaging channel.
Blitzed Grabber and two other stealers observed using messaging apps for data storage–—Mercurial Grabber and 44Caliber–also target credentials for the Minecraft and Roblox gaming platforms, researchers added.
“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.
Threat actors also are leveraging the cloud infrastructure of messaging apps to host more than legitimate services—they also hide malware in its depths, according to Intel 471.
Discord’s content delivery network (CDN) has been an especially fertile ground for malware hosting since as far back as 2019 because cybercrime operators farce no restrictions when uploading their malicious payloads there for file hosting, researchers noted.
“The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads,” researchers wrote.
Malware families observed using Discord CDN to host malicious payloads include: PrivateLoader, Colibri, Warzone RAT, Smokeloader, Agent Tesla stealer and njRAT, among others.
Using Bots for Fraud
Cybercriminals also are empowering Telegram bots to do more than offer legitimate features to users, researchers found. In fact, Intel 471 has observed what it calls an “uptick” in services being flogged on the cybercrime underground that provide access to bots that can intercept one-time password (OTP) tokens, which threat actors can weaponize to defraud users.
One bot known as Astro OTP gives threat actors access to both OTPs and short message service (SMS) verification codes, researchers observed. Cybercriminals can control the bots directly through the Telegram interface by executing simple commands, they said.
The current going rate for Astro OTP on hacker forums is US$25 for a one-day subscription or US$300 for a life-time subscription, researchers said.
[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]