Cybercriminals are turning to messaging apps like Telegram and Discord as alternatives to popular underground forums: not just for private communications and security features, but also as ways to spread malware.
Researchers at infosec provider Intel 471 have tracked the movements of more than a dozen threat groups that use the platforms primarily to host and distribute information-stealing malware and to communicate more easily with other members of the cybercriminal community.
“A combination of simplicity and security found in Telegram provided a perfect communication hub for attackers: cybercriminals could send messages to others individually or in groups, as well as receive or send large data files,” the researchers wrote in a blog post published on Tuesday.
“Telegram also offers actors the ability to create tailored channels for specific interests not typically active in underground cyber forums. This allows threat actors to conduct criminal operations by forming and joining groups and channels that match their interests and goals.”
The migration to Telegram and Discord illustrates the dynamic nature of criminal groups and the world in which they operate, according to Garrett Carstens, director of information collections management at the company.
“Cybercriminals will change every facet of their operations as they see fit, especially in the face of operational security threats,” Carstens told The Register, adding that some underground forums have banned talk of ransomware following the high-profile attacks on Colonial Pipeline and JBS Foods, which drew unwanted scrutiny from the US government.
“Cybercriminals were going to look for another platform where they could talk about their operations. The closed nature provided by Telegram, combined with the ability to have one-on-one conversations, gives cybercriminals an easier way to communicate, so it’s no surprise they were gravitating towards that platform even more.”
In a previous blog post last week, Intel 471 analysts said apps like Telegram and Discord allow users to create and share programs and media, play games, and perform other automated tasks. Cybercriminals use these bot-like capabilities to run campaigns that allow them to steal victims’ credentials and other information.
There are several freely downloadable information stealers that rely on Telegram or Discord to operate, the researchers wrote. The malware steals a range of data, from browser bookmarks and cookies to operating system information, passwords, cryptocurrency wallets and Microsoft Windows product keys. Several infostealers, including Blitzed Grabber, Mercurial Grabber, and 44Caliber, also target credentials for the Minecraft and Roblox gaming platforms.
Blitzed Grabber uses Discord’s webhooks feature to receive the data the malware exfiltrates, which attackers can then use or sell to other criminals. Another, dubbed X-Files, exposes its functions through bot commands in Telegram.
“Once the malware has been loaded onto a victim’s system, malicious actors can scan passwords, session cookies, login credentials and credit card details, with this information directed to a Telegram channel of their choice,” the researchers wrote. “X-Files can take information from an array of browsers, including Google Chrome, Chromium, Opera, Slimjet and Vivaldi.”
Prynt Stealer works the same way but has no built-in Telegram commands.
Bad guys also like to automate
According to Intel 471, some threat groups also use Discord’s content delivery network to host malware payloads, while others exploit Telegram bots to intercept one-time password tokens. They also create services to which they can sell access. A one-day subscription to a bot can cost as little as $25, while a lifetime subscription is available for $300.
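The three network-visible behaviours described above (infostealers posting to Discord webhooks, payloads fetched from Discord’s attachment CDN, and Telegram bots pushing stolen data into a channel) are all plain HTTPS requests to well-known hosts, which makes them straightforward to hunt for in egress proxy logs. The detector below is an added example, not code from Intel 471 or any of the malware families named on this page. It assumes a proxy that records the full request URL (so TLS inspection or URL logging is in place); the log format and the sample records are constructed for the example, while the URL shapes are Discord’s and Telegram’s documented public ones (discord.com/api/webhooks/<id>/<token>, cdn.discordapp.com/attachments/..., api.telegram.org/bot<token>/<method>).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample proxy log lines, not real traffic. Assumed format, one record per line:
#   <timestamp> <client_ip> <method> <url> <bytes_sent_by_client>
SAMPLE_LOG = """\
2022-09-13T10:01:02Z 10.0.5.17 GET https://www.example.com/index.html 512
2022-09-13T10:01:09Z 10.0.5.17 POST https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 48211
2022-09-13T10:02:30Z 10.0.5.22 GET https://cdn.discordapp.com/attachments/111/222/update.exe 734208
2022-09-13T10:03:45Z 10.0.5.17 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenValue_12345/sendDocument 19876
2022-09-13T10:04:10Z 10.0.5.30 GET https://api.telegram.org/bot987654321:AAotherToken/getUpdates 300
"""

# Discord webhook URLs carry a numeric id and a secret token in the path.
DISCORD_WEBHOOK = re.compile(r"https://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
# Files hosted on Discord's CDN are served from cdn.discordapp.com/attachments/<channel>/<id>/<name>.
DISCORD_CDN = re.compile(r"https://cdn\.discordapp\.com/attachments/\d+/\d+/([^\s?]+)")
# Telegram Bot API calls embed the bot token (<bot_id>:<secret>) in the path, followed by the method name.
TELEGRAM_BOT = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Bot API methods an infostealer would use to push stolen data into a channel.
TELEGRAM_EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


@dataclass
class Finding:
    ts: str
    src: str
    kind: str
    detail: str      # token-redacted description of what matched
    bytes_out: int   # bytes the client sent; large POSTs to a webhook are the exfil signal


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix of a token so analysts can correlate hits without handling the full secret."""
    return secret[:keep] + "..." if len(secret) > keep else secret


def detect_exfil(log_text: str) -> List[Finding]:
    """Scan proxy records for Discord webhook posts, Discord CDN downloads and Telegram Bot API calls."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than crash on them
        ts, src, method, url, size = parts
        bytes_out = int(size)

        m = DISCORD_WEBHOOK.search(url)
        if m and method == "POST":
            findings.append(Finding(ts, src, "discord_webhook_post",
                                    f"webhook id={m.group(1)} token={redact(m.group(2))}", bytes_out))
            continue

        m = DISCORD_CDN.search(url)
        if m:
            findings.append(Finding(ts, src, "discord_cdn_download", f"file={m.group(1)}", bytes_out))
            continue

        m = TELEGRAM_BOT.search(url)
        if m:
            bot_id, token, api_method = m.groups()
            # Distinguish data being pushed out from other bot traffic (polling, setup).
            kind = "telegram_bot_exfil" if api_method in TELEGRAM_EXFIL_METHODS else "telegram_bot_api"
            findings.append(Finding(ts, src, kind,
                                    f"bot id={bot_id} token={redact(token)} method={api_method}", bytes_out))
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.kind:22} {f.detail} ({f.bytes_out} bytes)")
```

Two practical notes: tokens are redacted in the output because a webhook or bot token captured from a log is itself a credential (it lets anyone post to that webhook or drive that bot), and legitimate users of Discord and Telegram exist on most networks, so a hit is a lead to triage (who is the client, what process made the request, how much was sent) rather than a verdict on its own.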
“The automation of popular messaging platforms lowers the bar of entry for malicious actors,” the researchers wrote. “Although information stealers alone do not cause the same amount of damage as malware such as a data wiper or ransomware, they can be the first step in launching a targeted attack against a business.”
Telegram has also become a popular choice for anonymous communications, whereas the private messaging services built into underground forums are monitored by administrators. Telegram offers near real-time encrypted communication if both parties are online at the same time, and it does not carry the same security risks as underground forums, from delays in message delivery to a history of compromises and data dumps, Intel 471’s Carstens said.
Cybercriminals also use the messaging app as a marketplace for stolen information such as bank accounts and payment card data and for services such as SMS spam.
Threat groups’ adoption of Telegram and Discord could be a boon for cybersecurity vendors, Carstens said. He noted that “the most frequent TTPs [tactics, techniques, and procedures] threat actors used in the formative stages of a cyberattack are easier to identify than those in the later destructive stages. By monitoring actors’ chats on Telegram, security teams and law enforcement can thwart attacks before they begin.”
That said, cybercriminals will continue to use underground forums, some of which offer features such as built-in rating systems used to build reputation. Additionally, while Telegram has taken a “laissez-faire approach to privacy policy”, including refusing to cooperate with law enforcement, the company began this year to strengthen its policy on deleting data shared on the platform without consent, the researchers wrote.
Whether more threat groups shift their communications to Telegram “will depend on how Telegram reacts to the influx of cybercriminals using the platform,” Carstens said. “It is possible that additional monitoring, content moderation and changed platform policies will lead cybercriminals to seek out alternative messaging platforms in the future.” ®