Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.
Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.
Threat actors are tapping the multi-feature nature of messaging apps—in particularly their content-creation and program-sharing components—as a foundation for info-stealing, according to new research from Intel 471.
Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.
“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.
Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.
Storing Exfiltrated Data
Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.
Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.
Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers– including Google Chrome, Chromium, Opera, Slimjet and Vivaldi–and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.
Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.
Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Webhooks are similar to APIs in that they simplify the transmission of automated messages and data updates from a victim’s machine to a particular messaging channel.
Blitzed Grabber and two other stealers observed using messaging apps for data storage–—Mercurial Grabber and 44Caliber–also target credentials for the Minecraft and Roblox gaming platforms, researchers added.
“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.
Payload Hosting
