These bots may facilitate automating tasks like gaming, media sharing and the moderation of channels, but they also provide cybercriminals with a platform from which to spread malware. When used in conjunction with information stealers, they lay the groundwork for stealing credentials and other information from victims, according to researchers from Intel 471, who detailed their observations in a blog post.
The information stealers that rely on Discord or Telegram to function are freely available for download. “One stealer, known as Blitzed Grabber, uses Discord’s webhooks feature as a way to store data that is exfiltrated through the malware,” the researchers wrote, explaining that webhooks are much like APIs, providing “an easy way to have automated messages and data updates sent from a victim’s machine into a particular messaging channel.”
When the malware feeds stolen information back into Discord, actors can either use it for their own malicious purposes or sell stolen credentials on the dark web. The stealers are capable of nicking a variety of information types—from autofill data, bookmarks, browser cookies, credentials from virtual private network (VPN) clients and payment card information to cryptocurrency wallets, operating system information, passwords and Microsoft Windows product keys.
“Several of the grabbers, including Blitzed Grabber, Mercurial Grabber, and 44Caliber, also target credentials for the Minecraft and Roblox gaming platforms,” the researchers said, calling out one grabber in particular, a Telegram-focused bot known as X-Files, whose functionality can be accessed via bot commands found in the messaging app.
“Once the malware has been loaded onto a victim’s system, malicious actors can swipe passwords, session cookies, login credentials and credit card details, having that information directed into a Telegram channel of their choosing,” they wrote. “X-Files can take information from an array of browsers, including Google Chrome, Chromium, Opera, Slimjet and Vivaldi.”
Intel 471 also spotted another stealer, Prynt Stealer, that acts much like X-Files but does not include built-in Telegram commands.
Threat actors are vigorously using these apps and tapping into the underlying cloud infrastructure to carry out malware campaigns. Many are turning to Discord’s content delivery network (CDN) to host payloads, a technique first observed by Intel 471 in 2019 and used by many malware families such as Warzone RAT, Colibri, Smokeloader and Agent Tesla stealer. “Malware operators seemingly do not face any restrictions when uploading their malicious payloads to the Discord CDN for file hosting,” the researchers said. “The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads.”
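The two abuse patterns described above (webhook-based exfiltration and payload hosting on the Discord CDN) both leave a visible trace in web proxy or endpoint network logs. The following detection example is added here and is not code from Intel 471 or from the article; it runs over a small set of constructed log lines (timestamp, client IP, method, URL, status, process name) and flags outbound POSTs to Discord webhook endpoints and downloads of executable-type attachments from the Discord CDN. The webhook and attachment URL shapes (`discord.com/api/webhooks/<id>/<token>`, `cdn.discordapp.com/attachments/<channel>/<message>/<file>`) reflect Discord's public URL layout, but the regexes, the host lists, the payload extension list and the `WEBHOOK_ALLOWLIST` are assumptions a deploying team would tune to its own environment.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic; IPs, IDs and tokens are placeholders).
# Format assumed for this example: timestamp client_ip method url status process
SAMPLE_LOG = """\
2022-05-02T10:14:03Z 10.0.0.15 POST https://discord.com/api/webhooks/123456789012345678/abcDEF_ghi-JKL 204 updater.exe
2022-05-02T10:14:09Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/setup.exe 200 powershell.exe
2022-05-02T10:15:00Z 10.0.0.22 GET https://discord.com/channels/@me 200 Discord.exe
2022-05-02T10:15:41Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/333333333333333333/444444444444444444/photo.png 200 Discord.exe
2022-05-02T10:16:30Z 10.0.0.31 POST https://discord.com/api/webhooks/999999999999999999/TOKEN-PLACEHOLDER 204 ci-runner.exe
"""

# Webhook URLs carry a numeric id and an opaque token; the token is the only secret, so
# anything that can reach the URL can post into the channel (assumed regex shape).
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+/?$")
# CDN attachments are reachable without authentication, as the research notes.
ATTACHMENT_PATH = re.compile(r"^/attachments/\d+/\d+/[^/]+$")
DISCORD_API_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# File types that carry code rather than the images and clips users normally share (assumption).
PAYLOAD_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js",
                    ".zip", ".rar", ".7z", ".iso")
# Hosts running sanctioned integrations that legitimately post to webhooks (site-specific assumption).
WEBHOOK_ALLOWLIST = {"10.0.0.31"}


@dataclass
class Finding:
    line_no: int
    rule: str
    src_ip: str
    process: str
    url: str


def parse_line(line):
    """Split one constructed log line into fields; return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, proc = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status, "process": proc}


def classify(rec, line_no):
    """Apply both rules to a parsed record and return the findings (possibly none)."""
    u = urlparse(rec["url"])
    host = u.hostname or ""  # hostname is lower-cased by urlparse
    findings = []
    # Rule 1: a POST to a webhook URL from an endpoint is data leaving the host into a Discord channel.
    if host in DISCORD_API_HOSTS and rec["method"] == "POST" and WEBHOOK_PATH.match(u.path):
        if rec["src"] not in WEBHOOK_ALLOWLIST:
            findings.append(Finding(line_no, "discord_webhook_post", rec["src"], rec["process"], rec["url"]))
    # Rule 2: an attachment download whose filename looks like a payload carrier.
    if host in DISCORD_CDN_HOSTS and ATTACHMENT_PATH.match(u.path):
        filename = u.path.rsplit("/", 1)[-1].lower()
        if filename.endswith(PAYLOAD_SUFFIXES):
            findings.append(Finding(line_no, "discord_cdn_payload_download", rec["src"], rec["process"], rec["url"]))
    return findings


def scan(log_text):
    """Run both rules over every line of a log and return the findings in order."""
    out = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec:
            out.extend(classify(rec, n))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} src={f.src_ip} process={f.process} url={f.url}")
```

Both rules are triage signals rather than verdicts: Discord webhooks are used by legitimate CI and chat integrations and the CDN serves ordinary user uploads, so the process name and the allowlist are what turn a hit into something worth escalating. A webhook POST from a process that is neither a browser nor the Discord client, or an executable fetched from the CDN by a scripting host, is the combination the research describes.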
The researchers monitoring the cybercriminal underground also observed an increase in services that allow attackers to leverage Telegram bots to intercept one-time password (OTP) tokens.
“Malicious actors have continued to build these services, selling access to them in various cybercriminal forums,” they wrote. “One bot Intel 471 researchers observed in April, known as Astro OTP, allows an operator to obtain OTPs and short message service (SMS) verification codes. The operator allegedly could control the bot directly through the Telegram interface by executing simple commands.”
Sweetening the pot: Access to the bot is super cheap; a one-day subscription goes for $25 and a lifetime subscription is $300.
For those who may dismiss the threat to the enterprise from non-enterprise-focused messaging apps, Intel 471’s research is a sobering reminder: “Their popularity, coupled with the rise in remote work, means a cybercriminal has a bigger attack surface at their disposal than in past years. The ease with which these information stealers can pivot off messaging app features and the rise of remote work come together to create an opportunity for low-level cybercriminals to hone their skills, build their relationships and possibly pivot to further crimes in the future.”
Garrett Carstens, director of intel collection management, Americas, at Intel 471, believes the uptick in using messaging apps to launch malware “is a combination of the automation baked into the platforms plus the move away from traditional cybercriminal forums that has led to these platforms being used to launch malware.”
What’s more, because “this malware can be launched from a service that isn’t flagged by endpoint security measures, attackers have a leg up in the formative stages of a more destructive attack, such as ransomware or data extortion,” he said. “This is just the next step in the evolution of threat actors developing ways to obscure their activity.”
Whether the apps will continue to be used for attacks depends “on how Telegram reacts to the influx of cybercriminals using the platform,” said Carstens. “It is possible additional oversight, content moderation and amended platform policies could result in cybercriminals seeking alternative messaging platforms in the future.”
In the meantime, organizations can protect themselves. “While launching these attacks may have changed, the ways to stop them have not,” Carstens noted. “Sticking to cybersecurity hygiene—patching when possible, instituting multifactor authentication, refraining from opening foreign attachments or clicking unfamiliar links—can go a long way in deterring these attacks.”