Cybercriminals are turning to messaging apps like Telegram and Discord as alternatives to popular underground forums: not only for the private communications and security features but also as avenues for spreading malware.
Researchers at infosec vendor Intel 471 have been tracking the movement of more than a dozen threat groups that are using the platforms primarily to host and distribute information-stealing malware and to more easily communicate with others in the cybercrime community.
“A combination of simplicity and security found in Telegram has provided a perfect communications hub for attackers: cybercriminals can message others individually or in groups, as well as receive or send large data files,” the researchers wrote in a blog post published on Tuesday.
“Telegram also offers actors the ability to create bespoke channels for specific interests that are not typically active on cyber underground forums. This enables threat actors to conduct criminal operations by forming and joining groups and channels that align with their interests and goals.”
The migration to Telegram and Discord illustrates the dynamic nature of criminal groups and the world in which they operate, according to Garrett Carstens, director of intel collection management at the company.
“Cybercriminals are going to change any and every facet of their operations as they see fit, especially in the face of operational security threats,” Carstens told The Register, adding that some underground forums banned talk of ransomware in the wake of the high-profile Colonial Pipeline and JBS Foods attacks, which brought unwanted scrutiny from the US government.
“Cybercriminals were going to look to find another platform where they could talk about their operations. The gated nature provided by Telegram, combined with the ability to have one-on-one conversations, gives cybercriminals an easier way to communicate, so it’s not surprising they gravitated even more toward this platform.”
In an earlier blog post last week, Intel 471 analysts said that apps like Telegram and Discord enable users to create and share programs and media, play games, and conduct other automated tasks. Cybercriminals are using these bot-like capabilities to run campaigns that enable them to steal credentials and other information from victims.
There are several info-stealers that can be downloaded for free that rely on Telegram or Discord to function, the researchers wrote. The malware steals a range of data, from bookmarks and browser cookies to OS information, passwords, cryptocurrency wallets, and Microsoft Windows Product keys. Several info-stealers, including Blitzed Grabber, Mercurial Grabber, and 44Caliber, also target credentials tied to Minecraft and Roblox gaming platforms.
Blitzed Grabber uses Discord’s webhooks feature to store data exfiltrated through the malware that the attackers can use or sell to other criminals. Another, dubbed X-Files, includes functions that can be accessed through bot commands inside Telegram.
“Once the malware has been loaded onto a victim’s system, malicious actors can swipe passwords, session cookies, login credentials, and credit card details, having that information directed into a Telegram channel of their choosing,” the researchers wrote. “X-Files can take information from an array of browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi.”
Prynt Stealer functions in a similar fashion but doesn’t have built-in Telegram commands.
Bad guys like to automate too
Some threat groups also use Discord’s content delivery network to host malware payloads while others leverage Telegram bots to intercept one-time password tokens, according to Intel 471. They also are building services they can sell access to. A one-day subscription to a bot can cost as little as $25, while a lifetime subscription is available for $300.
“Automation in popular messaging platforms lowers the bar of entry for malicious actors,” the researchers wrote. “While information stealers alone do not cause the same amount of damage as malware like a data wiper or ransomware, they can be the first step in launching a targeted attack against an enterprise.”
Telegram also has become a popular choice for anonymous communications, whereas underground in-forum messaging services are monitored by administrators. Telegram offers near real-time encrypted communication if both parties are online at the same time and don’t bring with them that same security risks as underground forums, from a lag time in messaging to a history of compromises and data dumps, Intel 471’s Carstens said.
Cybercriminals also are using the messaging app as a marketplace for stolen information like bank accounts and payment card data and for services like SMS spam.
The embrace by threat groups of Telegram and Discord could be a boon for cybersecurity vendors, Carstens said. He noted that “the most frequent TTPs [tactics, techniques, and procedures] threat actors used in the formative stages of a cyberattack are easier to identify than those in the destructive, latter stages. By watching what actors are discussing on Telegram, security teams and law enforcement can thwart attacks before they begin.”
That said, cybercriminals will continue to use underground forums, some of which offer features like built-in scoring systems used to build reputations. Also, while Telegram has had a “laissez-faire approach to privacy policies,” including refusing to cooperate with law enforcement, the company this year started reinforcing its policy of removing personal data shared on the platform without consent, the researchers wrote.
Whether more threat groups shift their communications to Telegram “will depend on how Telegram reacts to the influx of cybercriminals using the platform,” Carstens said. “It is possible additional oversight, content moderation, and amended platform policies could result in cybercriminals seeking alternative messaging platforms in the future.” ®