
Messaging Apps Tapped as Platform for Cybercriminal Activity

July 27, 2022

Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.

Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.


Threat actors are tapping the multi-feature nature of messaging apps, in particular their content-creation and program-sharing components, as a foundation for info-stealing, according to new research from Intel 471.

Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.

“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.

Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.

Storing Exfiltrated Data

Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.

Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.

Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers, including Google Chrome, Chromium, Opera, Slimjet and Vivaldi, and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.

Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.

Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Webhooks are similar to APIs in that they simplify the transmission of automated messages and data updates from a victim’s machine to a particular messaging channel.

Blitzed Grabber and two other stealers observed using messaging apps for data storage, Mercurial Grabber and 44Caliber, also target credentials for the Minecraft and Roblox gaming platforms, researchers added.

“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.

Payload Hosting

Threat actors also are leveraging the cloud infrastructure of messaging apps to host more than legitimate services—they also hide malware in its depths, according to Intel 471.

Discord’s content delivery network (CDN) has been an especially fertile ground for malware hosting since as far back as 2019 because cybercrime operators face no restrictions when uploading their malicious payloads there for file hosting, researchers noted.

“The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads,” researchers wrote.

Malware families observed using Discord CDN to host malicious payloads include: PrivateLoader, Colibri, Warzone RAT, Smokeloader, Agent Tesla stealer and njRAT, among others.
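The three abuse patterns described so far (Discord webhooks receiving stolen data, the Telegram Bot API used by X-Files to deposit data in a channel, and Discord's CDN serving executable payloads) are all visible to a defender as outbound HTTP requests. The following detection script is an added example, not code from the article or from Intel 471; it runs a few rules over constructed egress-proxy log lines whose `key=value` format is an assumption, and it redacts webhook and bot tokens from its findings so that an analyst can share alerts without leaking the secret itself.

```python
"""Detection logic for the messaging-app abuse patterns described in the article:
Discord webhooks used to exfiltrate stolen data, the Telegram Bot API used to
deposit data in a channel, and Discord's CDN used to host payloads.
The proxy log format below is an assumption; the sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample egress-proxy log lines (not from the article or Intel 471).
SAMPLE_LOGS = [
    '2022-07-27T10:01:02Z src=10.0.0.5 method=POST url=https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 status=204 bytes_out=48213 ua="python-requests/2.28.0"',
    '2022-07-27T10:02:10Z src=10.0.0.7 method=GET url=https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/invoice.exe status=200 bytes_out=210 ua="Mozilla/5.0"',
    '2022-07-27T10:03:44Z src=10.0.0.9 method=POST url=https://api.telegram.org/bot1234567890:AAHfakeTokenValueForExample/sendDocument status=200 bytes_out=91000 ua="curl/7.81.0"',
    '2022-07-27T10:05:00Z src=10.0.0.12 method=GET url=https://discord.com/channels/@me status=200 bytes_out=300 ua="Mozilla/5.0"',
    '2022-07-27T10:06:21Z src=10.0.0.7 method=GET url=https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/screenshot.png status=200 bytes_out=180 ua="Mozilla/5.0"',
]

# Assumed log layout: one request per line, fixed key order.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) url=(?P<url>\S+) '
    r'status=(?P<status>\d+) bytes_out=(?P<bytes_out>\d+) ua="(?P<ua>[^"]*)"$'
)

# Each rule: (name, required HTTP method, anchored URL pattern, minimum request body size).
# A "secret" group marks the token that must be redacted before the finding is shared.
RULES = [
    # Webhook POSTs carrying a sizeable body: the Blitzed Grabber exfiltration pattern.
    ("discord_webhook_post", "POST",
     re.compile(r'^https://discord(?:app)?\.com/api/webhooks/\d+/(?P<secret>[\w-]+)'), 1024),
    # Downloading an executable-looking attachment from the Discord CDN (payload hosting).
    ("discord_cdn_payload_download", "GET",
     re.compile(r'^https://cdn\.discordapp\.com/attachments/\d+/\d+/[^/?]+'
                r'\.(?:exe|dll|scr|msi|jar|bat|ps1|vbs|js|zip|rar|7z)(?:\?|$)', re.I), 0),
    # Telegram Bot API upload methods with the bot token in the path (the X-Files pattern).
    ("telegram_bot_upload", "POST",
     re.compile(r'^https://api\.telegram\.org/bot(?P<secret>\d+:[\w-]+)/send(?:Document|Message|Photo)'), 0),
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the input
    rule: str
    src: str
    url: str       # token portion replaced with <redacted>
    bytes_out: int


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(fields: dict) -> Optional[tuple]:
    """Return (rule_name, redacted_url) for the first rule the request satisfies, else None."""
    for name, method, pattern, min_bytes in RULES:
        if fields["method"] != method or int(fields["bytes_out"]) < min_bytes:
            continue
        m = pattern.match(fields["url"])
        if not m:
            continue
        secret = m.groupdict().get("secret")
        url = fields["url"].replace(secret, "<redacted>") if secret else fields["url"]
        return name, url
    return None


def detect(lines) -> list:
    """Run every rule over the log lines; unparseable lines are skipped."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        fields = parse_line(line)
        if fields is None:
            continue
        hit = match_rules(fields)
        if hit:
            findings.append(Finding(idx, hit[0], fields["src"], hit[1], int(fields["bytes_out"])))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.rule} from {f.src} ({f.bytes_out} bytes) -> {f.url}")
```

Ordinary Discord browsing (line 4 of the sample) and image attachments (line 5) produce no finding, while the webhook POST, the executable fetched from the CDN and the Telegram `sendDocument` call each do. The body-size threshold on the webhook rule is a tuning knob: legitimate webhook integrations usually send short JSON, so a large outbound body to a webhook URL from a non-browser user agent is the combination worth alerting on.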

Using Bots for Fraud

Cybercriminals also are empowering Telegram bots to do more than offer legitimate features to users, researchers found. In fact, Intel 471 has observed what it calls an “uptick” in services being flogged on the cybercrime underground that provide access to bots that can intercept one-time password (OTP) tokens, which threat actors can weaponize to defraud users.

One bot known as Astro OTP gives threat actors access to both OTPs and short message service (SMS) verification codes, researchers observed. Cybercriminals can control the bots directly through the Telegram interface by executing simple commands, they said.

The current going rate for Astro OTP on hacker forums is US$25 for a one-day subscription or US$300 for a life-time subscription, researchers said.


Some parts of this article are sourced from:
threatpost.com
