Automation tools are popular among users of messaging services like Telegram and Discord. Users who engage in cybercrime are among them.

Messaging apps have gained much of their popularity from features that go beyond simply delivering messages to recipients. Using the building blocks that apps like Discord and Telegram expose, users can develop and exchange programs or other content that runs inside the platform. These programs, commonly referred to as “bots,” let users share files, play games, manage channels, and perform any other automated action a programmer can think of.

Cybercriminals have discovered ways to take advantage of this for their own gain. According to Intel 471’s observations, cybercriminals have used these messaging apps in a variety of ways to distribute their own malware. They have found ways to host, distribute, and execute various activities on these platforms, mostly in combination with information stealers, in order to take credentials or other data from unwary users.

A repository for stolen data

Researchers at Intel 471 have found a number of information stealers that are openly available for download and depend on Telegram or Discord to operate.

One stealer, known as Blitzed Grabber, stores the data it exfiltrates via Discord’s webhooks feature. Much like an API, webhooks offer a simple way to have automated messages and data updates sent from a victim’s system into a specific messaging channel. Actors can use the information that the malware posts back into Discord to further their own scams, or sell the stolen credentials on the dark web.

These stealers are capable of taking all kinds of data, including operating system details, passwords, Microsoft Windows product keys, virtual private network (VPN) client credentials, bookmarks, browser cookies, and autofill data. Blitzed Grabber, Mercurial Grabber, and 44Caliber are three grabbers that also target login information for the Roblox and Minecraft gaming platforms.

One Telegram-focused bot, called X-Files, exposes its features through Telegram’s bot commands. Once the malware has been installed on a victim’s computer, criminal actors can take credit card information, login credentials, session cookies, passwords, and more, and send it to a Telegram channel of their choosing. X-Files can import data from numerous browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi.

Prynt Stealer, another stealer, operates similarly but lacks the built-in Telegram commands.

Hiding in the host

Researchers at Intel 471 have also seen threat actors take advantage of messaging apps’ use of cloud infrastructure to support malware-spreading efforts. Currently, many threat actors host malware payloads on Discord’s content delivery network (CDN). Several threat actors continue to use this method, which our malware intelligence collection systems first identified in 2019. The Discord CDN appears to place no restrictions on malware operators uploading dangerous payloads. The URLs are accessible to anyone without user authentication, which lets threat actors serve harmful payloads from a highly trusted web domain.

Malware families observed using Discord CDN to host malicious payloads include:

• PrivateLoader
• Discoloader
• Colibri
• Warzone RAT
• Modi stealer
• Raccoon stealer
• Smokeloader
• Amadey
• Agent Tesla stealer
• GuLoader
• Autohotkey
• NjRAT
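
As an added example, not code from the article or from Intel 471: a small Python scanner that turns the two observations above (stealers exfiltrating through Discord webhooks, and payloads fetched from the Discord CDN) into detection rules and runs them over constructed proxy log lines. The log format, the host lists, the executable extension list and the webhook URL pattern are assumptions for this example; a real deployment would map them to your own proxy's fields.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic).
# Fields: timestamp client method url status bytes_sent
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1111/2222/invoice.pdf.exe 200 0
2024-05-01T10:00:03Z 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/EXAMPLE_TOKEN 204 18432
2024-05-01T10:01:10Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/3333/4444/photo.png 200 0
2024-05-01T10:02:00Z 10.0.0.9 GET https://discord.com/api/v9/gateway 200 0
"""

# Assumed host lists and URL shape for this example.
API_HOSTS = {"discord.com", "discordapp.com"}
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
WEBHOOK_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d+)/([A-Za-z0-9_-]+)$")
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".hta")


def classify(line):
    """Return a finding for one log line, or None when no rule matches."""
    ts, client, method, url, _status, sent = line.split()
    u = urlparse(url)
    path = u.path or ""
    # Rule 1: a client POSTing to a webhook endpoint. Ordinary Discord clients
    # do not post to webhooks, so this is exfiltration-shaped traffic.
    m = WEBHOOK_RE.match(path)
    if method == "POST" and u.hostname in API_HOSTS and m:
        # Mask the token so the alert itself does not carry a usable credential.
        masked = f"https://{u.hostname}/api/webhooks/{m.group(1)}/***"
        return {"ts": ts, "client": client, "rule": "discord_webhook_post",
                "bytes_sent": int(sent), "url": masked}
    # Rule 2: an executable fetched from the Discord CDN attachment store.
    if method == "GET" and u.hostname in CDN_HOSTS and path.lower().endswith(EXEC_EXT):
        return {"ts": ts, "client": client, "rule": "discord_cdn_executable",
                "bytes_sent": int(sent), "url": url}
    return None


def scan(log_text):
    """Run both rules over a log blob and return the list of findings."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Both rules key on the destination alone, so they work on egress proxy or DNS-plus-TLS-SNI data without needing decrypted payloads; correlating a CDN executable download with a later webhook POST from the same client is the strongest signal.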

OTP bots continue to thrive

Intel 471 has previously noted an increase in dark web services that let criminals use Telegram bots to try to intercept one-time password (OTP) tokens. Malicious actors have continued to develop these services and are selling access to them on various cybercriminal forums.

The Astro OTP bot, which Intel 471 researchers discovered in April, lets an operator collect OTPs and SMS verification codes. The operator allegedly controlled the bot directly through the Telegram interface by entering short commands.

The bot is quite affordable to use; a one-day subscription costs US $25, and a lifetime subscription costs US $300.

An introductory tool for further crimes

Automation in well-known chat platforms lowers the barrier to entry for malicious actors.

Information stealers cannot on their own cause as much harm as malware like a data wiper or ransomware, but they can be the first step in a targeted attack against an enterprise.

Although messaging services like Discord and Telegram are not often used for corporate activities, their popularity and the surge in remote work have increased the attack surface available to cybercriminals.

Because these information stealers can make such easy use of messaging app features, and because remote work has grown, low-level cybercriminals have an opportunity to practise their skills, build relationships, and potentially move on to more serious crimes.
