Discord and Telegram Services Hijacked to Launch Series of Cyberattacks
Threat actors have figured out how to use the existing functionality and infrastructure of popular messaging apps such as Telegram and Discord to host, launch and execute a variety of malware, as ongoing dangerous campaigns show.
From bots that enable game and content sharing to robust Content Delivery Networks (CDNs) ideal for hosting malicious files, these platforms are helping to fuel a wave of new attacks, according to Intel 471's security research team.
Most commonly, the malware is paired with easily acquired information stealers to prey on unsuspecting users and steal their credentials, auto-fill data, payment card details, and more.
“Using messaging platforms, such as Telegram and Discord, allows threat actors to hide in plain sight,” John Bambenek, principal threat hunter at Netenrich, told Dark Reading. “A lot of people are already using these apps, so you can’t just block them (although you can block API access to these services in a corporate environment). And there’s no big team administering these platforms, so they are not equipped to monitor channels and servers for criminal use.”
CDNs Abused to Host Malware
Some attackers have had success hosting their malware on CDNs such as Discord's, which analysts say places no restrictions on file hosting.
“The links are open to all users without authentication, giving threat actors a highly reputable web domain for hosting malicious payloads,” according to the Messaging Apps Threat Report. PrivateLoader, Discoloader, Agent Tesla stealer, and Smokeloader are just a few of the malware families researchers found in Discord’s CDN.
Telegram Bots Sweep OTP Tokens
Although the tactic is not new, Intel 471 analysts point to an emerging threat group, Astro OTP, which actively uses Telegram bots to steal one-time password (OTP) tokens and the SMS verification codes used for two-factor authentication.
“The operator could have controlled the bot directly through the Telegram interface by executing simple commands,” the report explains. “Access to the bot is extremely cheap, a one-day subscription can be purchased for $25, with a lifetime subscription available for $300.”
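The two abuses described above, Discord's CDN serving payloads from open attachment links and Telegram bots being driven through the Bot API, both leave a footprint in outbound web-proxy logs. The following detection script is an added example, not code from the article or from Intel 471: it parses a few constructed proxy log lines (timestamp, client IP, method, URL, status, a format assumed here) and flags attachment downloads from cdn.discordapp.com, with executable-looking filenames marked as high severity, and calls to api.telegram.org whose path carries a bot token (the documented /bot<token>/<method> pattern). The bot token and file names in the sample are made up.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article).
# Assumed format: <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
2021-08-12T10:01:03Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/8423/9911/invoice.pdf.exe 200
2021-08-12T10:01:09Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/8423/9912/screenshot.png 200
2021-08-12T10:02:44Z 10.0.0.21 POST https://api.telegram.org/bot123456:ABCdefGhIJKlmNoPQRstuVWxyz/sendMessage 200
2021-08-12T10:03:10Z 10.0.0.21 GET https://www.example.com/index.html 200
2021-08-12T10:04:00Z 10.0.0.33 GET https://discord.com/channels/1/2 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Extensions commonly seen on dropped payloads; a defender would tune this list locally.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1",
                      ".bat", ".msi", ".jar", ".iso", ".zip")

# Telegram Bot API requests carry the bot token in the path: /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")


def classify(url):
    """Return (label, severity) for a URL worth alerting on, or None otherwise."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path

    # Discord CDN attachment links are reachable without authentication,
    # so an executable fetched from there is worth a high-severity alert.
    if host == "cdn.discordapp.com" and path.startswith("/attachments/"):
        name = path.rsplit("/", 1)[-1].lower()
        if name.endswith(PAYLOAD_EXTENSIONS):
            return ("discord-cdn-executable", "high")
        return ("discord-cdn-attachment", "low")

    # A workstation talking to the Telegram Bot API directly is unusual in most
    # fleets; stealers and OTP bots use it as a command and exfiltration channel.
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        return ("telegram-bot-api", "high")

    return None


def scan_log(text):
    """Parse proxy log text and return one finding dict per suspicious request."""
    findings = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        result = classify(match["url"])
        if result is None:
            continue
        label, severity = result
        findings.append({
            "ts": match["ts"],
            "src": match["src"],
            "url": match["url"],
            "label": label,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding['severity']:>4}] {finding['ts']} {finding['src']} "
              f"{finding['label']}: {finding['url']}")
```

The host match is exact rather than a substring check so that lookalike domains are not silently accepted, and the Telegram rule keys on the token-bearing path rather than on the domain alone, since ordinary Telegram client traffic does not use the Bot API path. Feeding real proxy logs requires adapting LINE_RE to the local log format.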
The threat of this tactic lasts well beyond the initial compromise. Intel 471's team warns that harvested credentials and other compromised information can be a critical precursor to a devastating enterprise attack.
It’s up to users to be aware of the security of the messaging platforms they use, the Intel 471 researchers say, adding that enterprise security teams should take the time to protect against these types of attacks, which use messaging apps as a middleman.
“Whether these actors steal credentials for further sales or circumvent verification codes to gain unauthorized access to a victim’s bank account, the ease with which threat actors can obtain this information should serve as a warning,” Michael DeBolt, director of intelligence at Intel 471, tells Dark Reading about his research team’s findings. “Security teams should implement multi-factor token-based authentication wherever possible and educate their user base on what possible scams resulting from these automated schemes may look like.”