How cybercriminals are using messaging apps to launch malware schemes (2024)

Messaging applications have become very popular partly because of features that go beyond sending messages to recipients. Apps like Discord and Telegram expose underlying elements that allow users to create and share programs or other types of content that run inside the platform. These programs, colloquially known as “bots,” let users share media, play games, moderate channels, or perform any other automated task a developer can devise.

Cybercriminals have figured out how to leverage this for their own ill-gotten gains. Intel 471 has observed several different ways cybercriminals use these messaging apps to spread their own malware. Used primarily in conjunction with information stealers, these platforms give cybercriminals a way to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users.

A repository for stolen data

Intel 471 researchers have discovered several information stealers that are freely available for download that rely on Discord or Telegram for their functionality.

One stealer, known as Blitzed Grabber, uses Discord’s webhooks feature as a place to store the data the malware exfiltrates. Similar to an API, a webhook provides an easy way to have automated messages and data updates sent from a victim’s machine into a particular messaging channel: the malware simply posts to the webhook URL, and the only credential involved is the token embedded in that URL, which means the URL itself is a recoverable indicator in any sample that uses it. Once the malware pushes the stolen information back into Discord, actors can use it to continue their own schemes or sell the stolen credentials on the cybercrime underground.

These stealers can pilfer all types of information, including autofill data, bookmarks, browser cookies, credentials from virtual private network (VPN) clients, payment card information, cryptocurrency wallets, operating system information, passwords, and Microsoft Windows product keys. Several of the grabbers, including Blitzed Grabber, Mercurial Grabber, and 44Caliber, also target credentials for the Minecraft and Roblox gaming platforms.

One particular Telegram-focused bot, known as X-Files, has functionality that can be accessed via bot commands inside Telegram. Once the malware has been loaded onto a victim’s system, malicious actors can swipe passwords, session cookies, login credentials, and credit card details, with that information sent to a Telegram channel of their choosing. X-Files can take information from an array of browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi.

Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands.
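Because both the Discord webhook and the Telegram Bot API approach described above embed the destination in the malware itself, the exfiltration endpoint can usually be pulled straight out of a sample's strings or a memory dump. The following Python is an added example written for this page, not code from Intel 471 or from any of the stealers named here; the strings it scans are constructed, and every id and token in them is invented. It keys on the real URL shapes of the two services (Discord: `/api/webhooks/<id>/<token>`; Telegram: `/bot<bot_id>:<secret>/<method>`) and separates the shareable id from the secret token so the result can go into an IOC list or abuse report.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed input: the kind of strings that `strings`, a config extractor or a
# memory dump would yield from a stealer build. Every id and token below is
# invented for this example and does not point at a live endpoint.
SAMPLE_STRINGS = """
https://discord.com/api/webhooks/112233445566778899/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_abcdefghijklmnopqrstuvwxyz
https://api.telegram.org/bot1234567890:AAExampleTokenNotReal_0123456789abcdefghij/sendDocument
chat_id=987654321
https://cdn.discordapp.com/attachments/10000001/20000001/update.exe
https://www.microsoft.com/en-us/
""".split()

# Discord webhooks: POSTing JSON to this URL needs no credential beyond the
# token that is part of the URL, so the whole URL is the secret.
DISCORD_WEBHOOK = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)
# Telegram Bot API: the token is "<bot_id>:<secret>", followed by the method name.
TELEGRAM_BOT = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")
# The destination chat is passed as a parameter, often stored as a separate string.
TELEGRAM_CHAT = re.compile(r"chat_id=(-?\d+)")


@dataclass
class ExfilEndpoint:
    kind: str     # "discord_webhook" or "telegram_bot"
    ident: str    # webhook id or bot id: safe to share, enough for blocking/reporting
    token: str    # the secret part: never share in clear
    method: str   # Telegram API method, or "" for Discord
    url: str      # the full URL as found in the sample


def find_exfil_endpoints(strings: List[str]) -> List[ExfilEndpoint]:
    """Scan strings for Discord webhook and Telegram Bot API URLs."""
    found = []
    for s in strings:
        m = DISCORD_WEBHOOK.search(s)
        if m:
            found.append(ExfilEndpoint("discord_webhook", m.group(1), m.group(2), "", m.group(0)))
            continue
        m = TELEGRAM_BOT.search(s)
        if m:
            found.append(ExfilEndpoint("telegram_bot", m.group(1), m.group(2), m.group(3), m.group(0)))
    return found


def find_telegram_chat_ids(strings: List[str]) -> List[str]:
    return [m.group(1) for s in strings for m in TELEGRAM_CHAT.finditer(s)]


def redact(ep: ExfilEndpoint) -> str:
    """IOC form: keep the id, drop the token so the indicator can be shared."""
    return ep.url.replace(ep.token, "<redacted>")


if __name__ == "__main__":
    for ep in find_exfil_endpoints(SAMPLE_STRINGS):
        print(ep.kind, ep.ident, ep.method, redact(ep))
    print("telegram chat ids:", find_telegram_chat_ids(SAMPLE_STRINGS))
```

The id alone is what a platform abuse report needs; the token is what lets anyone write to (or, for Discord, query and delete) the webhook, so it should stay out of shared indicator lists and tickets. Note that the Discord CDN attachment link in the sample is deliberately not matched here: it is a payload-hosting indicator, not an exfiltration channel, and is covered separately below under "Hiding in the host".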

Hiding in the host

Intel 471 researchers have also observed threat actors abusing the cloud infrastructure used by messaging apps to support malware-spreading campaigns. Many threat actors currently use Discord’s content delivery network (CDN) to host malware payloads. Our Malware Intelligence collection systems first observed this technique in 2019, but a variety of threat actors still use it. Malware operators seemingly do not face any restrictions when uploading their malicious payloads to the Discord CDN for file hosting. The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads.

Malware families observed using Discord CDN to host malicious payloads include:

  • PrivateLoader
  • Discoloader
  • Colibri
  • Warzone RAT
  • Modi loader
  • Raccoon stealer
  • Smokeloader
  • Amadey
  • Agent Tesla stealer
  • GuLoader
  • Autohotkey
  • njRAT
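The practical consequence of the CDN abuse described above is that a download of an executable from a high-reputation chat domain is itself a useful signal. The following Python is an added example for this page, not Intel 471's tooling: it flags executable-looking files fetched from Discord's attachment hosts in web proxy logs. The log format and all URLs are constructed for the example; the hostnames and the `/attachments/<channel_id>/<attachment_id>/<filename>` path layout are how Discord serves uploaded files. The query string is discarded before matching because Discord now appends expiring signature parameters to attachment links, so matching on the full URL would break.

```python
import re
from urllib.parse import urlsplit
from typing import Dict, List, Optional

# Constructed proxy log: "<time> <client> <method> <url> <status> <bytes>".
# The format is an assumption for this example and every URL is invented.
PROXY_LOG = """\
2024-03-01T10:02:11Z 10.0.4.21 GET https://cdn.discordapp.com/attachments/10000001/20000001/invoice_03_2024.pdf.exe?ex=65f0a1b2&is=65e95032&hm=0123abcd 200 412304
2024-03-01T10:02:40Z 10.0.4.21 GET https://media.discordapp.net/attachments/10000001/20000002/photo.png 200 22031
2024-03-01T10:03:02Z 10.0.4.33 GET https://cdn.discordapp.com/attachments/10000002/20000003/Setup.7z 200 9900122
2024-03-01T10:03:15Z 10.0.4.33 GET https://www.microsoft.com/en-us/download/ 200 8812
"""

ATTACHMENT_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ATTACHMENT_PATH = re.compile(r"^/attachments/(\d+)/(\d+)/([^/]+)$")

# Extensions worth an alert when fetched from a chat CDN. An extension is a weak
# signal on its own: pair it with MIME sniffing or hashing of the response body.
EXEC_EXT = {".exe", ".dll", ".scr", ".msi", ".js", ".vbs", ".bat", ".cmd", ".ps1",
            ".hta", ".lnk", ".iso", ".img", ".zip", ".rar", ".7z"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def parse_line(line: str) -> Dict[str, str]:
    ts, src, method, url, status, size = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": status, "bytes": size}


def classify_discord_attachment(url: str) -> Optional[Dict[str, object]]:
    """Return attachment metadata if url is a Discord attachment, else None."""
    parts = urlsplit(url)
    if parts.hostname not in ATTACHMENT_HOSTS:
        return None
    m = ATTACHMENT_PATH.match(parts.path)  # query string (signature params) ignored
    if not m:
        return None
    channel_id, attachment_id, filename = m.groups()
    exts = ["." + e.lower() for e in filename.split(".")[1:]]
    last = exts[-1] if exts else ""
    return {
        "channel_id": channel_id,
        "attachment_id": attachment_id,
        "filename": filename,
        "executable": last in EXEC_EXT,
        # "invoice.pdf.exe": a document extension placed in front of an executable one
        "double_extension": last in EXEC_EXT and len(exts) >= 2 and exts[-2] in DOC_EXT,
    }


def find_suspicious_downloads(log_text: str) -> List[Dict[str, object]]:
    """Return log records for executable-looking Discord attachment downloads."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = classify_discord_attachment(rec["url"])
        if hit and hit["executable"]:
            alerts.append({**rec, **hit})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_downloads(PROXY_LOG):
        flag = " (double extension)" if a["double_extension"] else ""
        print(f'{a["ts"]} {a["src"]} -> channel {a["channel_id"]} {a["filename"]}{flag}')
```

The channel and attachment ids survive in the alert so that repeat downloads from the same channel can be grouped and the channel reported. Where Discord is not used for business at all, blocking the attachment hosts at the proxy is simpler than detection; where it is, the extension check should be backed by content inspection, since the filename is entirely under the uploader's control.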

OTP bots continue to thrive

Previously, Intel 471 has observed an uptick in services on the cybercrime underground that allow attackers to leverage Telegram bots in an effort to intercept one-time password (OTP) tokens. Malicious actors have continued to build these services, selling access to them in various cybercriminal forums.

One bot Intel 471 researchers observed in April, known as Astro OTP, allows an operator to obtain OTPs and short message service (SMS) verification codes. The operator allegedly could control the bot directly through the Telegram interface by executing simple commands.

Access to the bot is extremely cheap: a one-day subscription can be bought for US $25, and a lifetime subscription for US $300.

An introductory tool for further crimes

Automation in popular messaging platforms lowers the bar to entry for malicious actors. While information stealers alone do not cause the same amount of damage as malware like a data wiper or ransomware, they can be the first step in launching a targeted attack against an enterprise.

While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years.

The ease with which these information stealers can pivot off messaging app features and the rise of remote work come together to create an opportunity for low-level cybercriminals to hone their skills, build their relationships and possibly pivot to further crimes in the future.
