Malicious actors exploit popular cloud-based messaging apps to launch malware

A close-up view of the Telegram messaging app seen on a smartphone. (Photo by Carl Court/Getty Images)

Cybercriminals are exploiting bots in popular cloud-based messaging apps such as Discord and Telegram to distribute malware, researchers reported on Tuesday. Bots are used to share media, play games, moderate channels or perform any other automated task a developer can devise. In the wrong hands, however, the same automation lets bad actors carry out cybercrimes.

In a blog post, Intel 471 researchers said bad actors have found ways to use these messaging platforms in conjunction with information stealers (infostealers) to host, distribute and run various functions that allow them to steal credentials from unsuspecting users.

Intel 471 researchers have found several information stealers available for free download that rely on Discord or Telegram for their functionality. One stealer, known as “Blitzed Grabber”, uses Discord’s webhooks feature to store data exfiltrated by the malware. Once the malware has posted the stolen information back to Discord, the researchers said, bad actors can use it to further their own schemes or sell the stolen credentials on the dark web.

“Various automation features in popular messaging platforms greatly assist threat actors who seek ease of use and reliability to conduct their illicit operations,” said Michael DeBolt, director of intelligence at Intel 471. “… or bypassing verification codes to gain unauthorized access to a victim’s bank account, the ease with which hackers can obtain this information should serve as a warning. Security teams should implement token-based multi-factor authentication wherever possible and educate their users on what possible scams resulting from these automated schemes may look like.”

John Bambenek, principal threat hunter at Netenrich, said one of the recurring problems for cybercriminals is figuring out where to host their malicious binaries so that victims can download them. Bambenek said they can use compromised infrastructure, but those sites sometimes get cleaned up, and it takes an ecosystem to keep finding newly compromised websites.

“They may use dedicated infrastructure, but threat researchers can identify, block, and take down these servers,” Bambenek said. “Hosting in cloud services makes it easier for a class of attackers who don’t want to deal with mass website compromise or run their own infrastructure. Free services, in particular, mean cloud companies are playing whack-a-mole and struggling to really stop the problem.”
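The three abuse patterns described above, a Discord webhook used as an exfiltration sink (the Blitzed Grabber case), a Telegram bot used as a command-and-exfil channel, and a free cloud CDN used to host the malicious binary, all leave a recognisable URL shape in egress logs. The script below is an added example, not code from the article, Intel 471 or Netenrich. It assumes a constructed proxy-log format of `timestamp host process method url status` per line; the sample lines are made up for the demonstration. The URL patterns follow Discord's documented `discord.com/api/webhooks/<id>/<token>` and Telegram's `api.telegram.org/bot<id>:<secret>/<method>` shapes, and the `redact` helper is an assumption about how a team might log a hit without copying the full secret into its SIEM.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Discord webhook URL: the numeric ID and the secret token live in the path.
# Any process other than a chat client POSTing here from an endpoint deserves a look.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)
# Telegram Bot API: the bot token is in the path, followed by the API method
# (sendDocument / sendMessage for exfil, getUpdates for command polling).
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_\-]+)/(\w+)")
# Discord attachment CDN: free, reliable hosting for a dropped binary.
DISCORD_CDN = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/\d+/\d+/([^\s\"?]+)"
)
# Fetches of these from the CDN are payload downloads, not the images the CDN is meant for.
PAYLOAD_EXT = {"exe", "dll", "scr", "msi", "bat", "cmd", "ps1", "vbs", "js", "jar", "zip", "rar", "7z"}


@dataclass
class Finding:
    channel: str     # which abuse pattern matched
    process: str     # process that made the request
    detail: str      # HTTP method plus filename, or the bot API method called
    credential: str  # redacted webhook / bot token so analysts can correlate hits


def redact(secret: str) -> str:
    """Keep a 4-character prefix for correlation; never log the whole token (assumption)."""
    return secret[:4] + "..."


def classify(line: str) -> Optional[Finding]:
    """Classify one constructed log line; returns None for benign traffic."""
    parts = line.split()
    if len(parts) < 6:
        return None
    _ts, _host, process, method, url, _status = parts[:6]
    method = method.upper()
    if (m := DISCORD_WEBHOOK.search(url)) and method == "POST":
        return Finding("discord-webhook-exfil", process, "POST", f"{m.group(1)}/{redact(m.group(2))}")
    if m := TELEGRAM_BOT.search(url):
        return Finding("telegram-bot-api", process, m.group(3), f"{m.group(1)}:{redact(m.group(2))}")
    if (m := DISCORD_CDN.search(url)) and method == "GET":
        name = m.group(1)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in PAYLOAD_EXT:
            return Finding("discord-cdn-payload", process, f"GET {name}", "")
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


# Constructed sample: a user fetches a binary from Discord's CDN, the binary then
# posts loot to a Discord webhook and a Telegram bot. The last two lines are benign.
SAMPLE_LOG = """\
2022-08-09T12:01:03Z ws-017 svchost.exe GET https://www.example.com/ 200
2022-08-09T12:01:09Z ws-017 chrome.exe GET https://cdn.discordapp.com/attachments/9876543210/1234567890/invoice_0809.exe 200
2022-08-09T12:01:44Z ws-017 invoice_0809.exe POST https://discord.com/api/webhooks/1122334455/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 204
2022-08-09T12:02:10Z ws-017 invoice_0809.exe POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenXYZ/sendDocument 200
2022-08-09T12:02:15Z ws-017 Discord.exe GET https://cdn.discordapp.com/attachments/1/2/avatar.png 200
2022-08-09T12:02:20Z ws-017 chrome.exe GET https://discord.com/api/v9/users/@me 200
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.channel:22} {finding.process:18} {finding.detail:24} {finding.credential}")
```

The webhook ID and bot ID are kept in full because they are what you hand to the platform's abuse desk to get the sink shut down; the secret portion is truncated so the log store does not become a second copy of the attacker's credential. Ordinary Discord client traffic to `discord.com/api/v9/...` and image fetches from the CDN produce no finding, which keeps the rule quiet on a network where the app is legitimately in use.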