The increasing popularity of messaging software is due in part to its functionalities that extend beyond delivering messages to recipients.
Apps like Discord and Telegram include core components that enable users to build and exchange programmes and other platform-specific content.
These programmes, often referred to as “bots,” and other material enable users to exchange media, play games, monitor channels, and do any other automated action a developer may concoct.
Cybercriminals have worked out how to profit from this capability. Intel 471 has identified many ways in which fraudsters use these chat applications to propagate their own malware.
Cybercriminals have devised methods to exploit these platforms to host, distribute, and execute numerous functions that enable them to steal passwords or other information from unsuspecting users. These platforms are primarily used in combination with information stealers.
Automation can be just as harmful as it is useful
Automation minimises time, effort, and expense while decreasing human mistakes, allowing your organisation more time to concentrate on its key goals.
Repetitive chores may be performed more quickly. The elimination of human error via the automation of processes promotes high-quality outcomes, since each activity is executed similarly.
It is clear, then, that automation has many uses across a wide variety of industries. However, it is not all good: there is a darker side to automation tools, namely in hacking and data theft.
Researchers at Intel 471 have found many openly downloadable information stealers that rely on Discord or Telegram in order to function.
One stealer, known as “Blitzed Grabber”, uses Discord’s webhook feature to store the data it exfiltrates.
Webhooks, which work much like an API, allow automated messages and data updates to be sent from a victim’s computer to a specific messaging channel. Once the malware posts the stolen information into Discord, cybercriminals can use it to further their own scams or sell the stolen credentials in the cybercrime underground.
This includes autofill data, bookmarks, browser cookies, VPN client credentials, credit card information, cryptocurrency wallets, operating system information, passwords, and Microsoft Windows product keys.
Several grabbers, including Blitzed Grabber, Mercurial Grabber, and 44Caliber, also target Minecraft and Roblox platform credentials.
X-Files is a Telegram-centric bot whose functionality is accessible using Telegram bot commands. Once the malware has been installed on a victim’s computer, criminal actors are able to steal passwords, session cookies, login credentials, and credit card information, sending it to a Telegram channel of their choice. X-Files is compatible with a variety of web browsers, such as Google Chrome, Chromium, Opera, Slimjet, and Vivaldi.
Prynt Stealer is a stealer with similar functionality, but without built-in Telegram commands.
Researchers at Intel 471 have also identified threat actors misusing the cloud infrastructure used by messaging apps to enable malware-spreading efforts.
Currently, several threat actors exploit the content delivery network (CDN) of Discord to house malware payloads.
Our Malware Intelligence collection systems first observed this technique in 2019, and several threat actors continue to use it.
It appears that malware operators face no restrictions when uploading malicious payloads to the Discord CDN for hosting. The URLs are accessible to all users without requiring authentication, providing threat actors with a very credible domain for hosting malicious payloads.
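The two abuse patterns described above (exfiltration to a Discord webhook or a Telegram bot, and payloads fetched from the Discord CDN) are easy to spot in outbound proxy logs. The following is an added detection example written for this article, not code from Intel 471 or from any of the stealers; the log line format, hostnames and the webhook/bot tokens in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not from the article): time, source host, process, method, URL.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z ws-17 chrome.exe GET https://discord.com/channels/@me
2024-01-10T09:12:44Z ws-17 svchost.exe POST https://discord.com/api/webhooks/111111111111111111/AbCdEfGhIjKlMnOpQrStUvWxYz
2024-01-10T09:13:02Z ws-22 powershell.exe GET https://cdn.discordapp.com/attachments/2222/3333/update.exe
2024-01-10T09:13:40Z ws-22 firefox.exe GET https://cdn.discordapp.com/attachments/2222/4444/meme.png
2024-01-10T09:14:15Z ws-31 updater.exe POST https://api.telegram.org/bot123456:ABCDEF/sendDocument
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")
# File types that should not normally be pulled from a chat CDN by an endpoint process.
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".zip")

def classify(process, method, url):
    """Return a finding label for one request, or None if nothing matches."""
    u = urlparse(url)
    host, path = u.netloc.lower(), u.path
    # Discord webhook endpoint: https://discord.com/api/webhooks/<id>/<token>
    if host == "discord.com" and path.startswith("/api/webhooks/") and method == "POST":
        return "discord-webhook-post"
    # Discord CDN attachment with an executable-looking file name
    if host == "cdn.discordapp.com" and path.startswith("/attachments/") and path.lower().endswith(EXEC_EXT):
        return "discord-cdn-executable"
    # Telegram Bot API: https://api.telegram.org/bot<id>:<secret>/<method>
    if host == "api.telegram.org" and re.match(r"^/bot\d+:[\w-]+/", path):
        return "telegram-bot-api"
    return None

def scan(log_text):
    """Parse log lines and collect matching requests with the originating process for triage."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, proc, method, url = m.groups()
        label = classify(proc, method, url)
        if label:
            findings.append({"time": ts, "host": src, "process": proc, "label": label})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The process name is kept in each finding because a webhook POST from a browser can be legitimate, whereas the same request from a system or script host process is what warrants investigation.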
Intel 471 has previously detected an increase in cybercrime underground services that let attackers use Telegram bots to intercept one-time password (OTP) tokens. Malicious actors have continued to build these services and offer access to them on various cybercriminal forums.
Astro OTP is a bot discovered by Intel 471 researchers in April that enables an operator to collect OTPs and short message service (SMS) verification codes. The operator reportedly controls the bot directly through the Telegram interface with simple commands.
On popular messaging platforms, automation lowers the barrier to entry for malicious actors. While information stealers by themselves cannot inflict as much harm as malware such as a data wiper or ransomware, they can be the initial stage of a targeted attack on a business.
Although chat applications like Discord and Telegram are not often used for commercial operations, the growth in remote work combined with the popularity of these messaging apps means that cybercriminals have a larger attack surface than in previous years.
The ease with which these information stealers can pivot off messaging app features, together with the rise of remote work, gives low-level cybercriminals a chance to practise their skills, build their networks, and perhaps move on to further crimes.
Sohela is an electrical engineer and a self-professed writer with a keen interest in all things tech. When she’s not writing killer content pieces, you’ll find her enjoying tempting foods in her favourite restaurants.