Intel 471 researchers discovered cybercriminals exploiting popular messaging apps to distribute malware and steal and store data.
Messaging platforms such as Discord and Telegram can interact with active content, allowing users to create programs. These programs allow users to automate tasks such as moderating a messaging channel and sending messages using bots or providing additional functionality such as games.
However, cybercriminals have discovered methods to exploit these features to execute actions allowing them to steal data from users and spread malware.
According to the researchers, malware on messaging apps lowered the entry bar for malicious actors while creating the groundwork for more sophisticated attacks.
Discord and Telegram malware are freely available for download
Intel 471 researchers found several Telegram and Discord malware programs freely available for download. The malicious programs offer various functionalities allowing attackers to steal and store data on messaging apps.
For example, the Discord malware Blitzed Grabber used the messaging app’s webhooks to store data. Similar malware on Discord includes 44Caliber and Mercurial Grabber.
Threat actors collect the data from the messaging app and use it to compromise their victims further or sell the stolen credentials to underground criminals.
According to the researchers, these malware variants could steal information, including passwords, security credentials from VPN clients, browser cookies, payment card information, cryptocurrency wallets, Microsoft Windows product keys, bookmarks, autofill data, and operating system information. Additionally, they can target Minecraft and Roblox games.
Another Telegram bot, X-Files, can be accessed via the messaging app’s commands. The malware allows threat actors to collect passwords, login credentials, session cookies, and credit card details. The malware also targets various browsers, including Chromium, Google Chrome, Opera, Slimjet, and Vivaldi.
Cybercriminals can send stolen information to any messaging channel of their choice. A similar Telegram malware, Prynt Stealer, uses identical tactics but has no Telegram commands.
Similarly, Intel 471 has observed threat actors distributing sophisticated malware via messaging apps.
For example, attackers were spreading malicious bots such as Astro OTP on Telegram. The malware variant allows cybercriminals to intercept one-time password (OTP) codes used in SMS two-factor authentication (2FA).
The researchers noted that attackers could interact with the bot using simple commands on Telegram’s user interface.
Additionally, the attackers made the bot available to other cybercriminals for a daily subscription of as low as $25 or lifetime access for $300.
“Primarily used in conjunction with information stealers, cybercriminals have found ways to use these platforms to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” the Intel 471 researchers said in a blog post.
Hackers use messaging apps’ cloud infrastructure to host malware
The researchers discovered that cybercriminals used messaging apps’ cloud infrastructure to support malware campaigns.
For example, they used Discord’s content delivery network (CDN) to host malware payloads.
The researchers observed that the threat actors did not encounter limitations on the type of content they could upload on the messaging app’s platform.
Additionally, the links were accessible to the public without authentication, thus providing the attackers with a reputable domain to distribute malware.
Intel 471 researchers found the following malware hosting malicious payloads on Discord’s CDN infrastructure:
Agent Tesla stealer
However, the listed malware variants were hardly the only ones storing stolen data on messaging apps.
Separate research by the threat intelligence firm WithSecure found that Ducktail, malware that steals data from Facebook, stores data on a Telegram channel.
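The behaviours described above (data sent to Discord webhooks, data sent through Telegram bots, and payloads fetched from Discord’s CDN) all appear as ordinary HTTPS requests in web-proxy logs. The detection logic below is an added example, not code from Intel 471 or the original article; the log layout, host names, process names and allowlist are constructed assumptions, while the URL shapes are the services’ public endpoint formats.

```python
import re
from urllib.parse import urlsplit

# Assumption: processes allowed to call the webhook / bot APIs in this environment.
ALLOWED = {"discord.exe", "telegram.exe"}
RISKY_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".iso", ".zip")

# Constructed proxy log: timestamp, host, process, method, URL.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ws-014 Discord.exe GET https://cdn.discordapp.com/attachments/111/222/screenshot.png
2024-01-01T10:02:17Z ws-014 chrome.exe GET https://cdn.discordapp.com/attachments/111/333/invoice.exe
2024-01-01T10:02:40Z ws-014 invoice.exe POST https://discord.com/api/webhooks/000000/EXAMPLE-TOKEN
2024-01-01T10:05:09Z ws-022 svchost32.exe POST https://api.telegram.org/botEXAMPLE-TOKEN/sendDocument
2024-01-01T10:06:00Z ws-031 Telegram.exe POST https://api.telegram.org/botEXAMPLE-TOKEN/sendMessage
"""

def classify(method, url):
    """Label a request that matches one of the three patterns, else None."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    if method == "POST" and host in ("discord.com", "discordapp.com") \
            and path.startswith("/api/webhooks/"):
        return "discord-webhook-post"
    if method == "POST" and host == "api.telegram.org" and re.match(r"/bot[^/]+/", path):
        return "telegram-bot-api"
    if host == "cdn.discordapp.com" and path.startswith("/attachments/") \
            and path.lower().endswith(RISKY_EXT):
        return "discord-cdn-binary"
    return None

def find_alerts(log_text):
    """Return (host, process, label) for each suspicious log line."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, host, process, method, url = fields
        label = classify(method.upper(), url)
        if label is None:
            continue
        # API calls from the messaging clients are expected; binary downloads
        # from the CDN are reported whichever process fetched them.
        if label != "discord-cdn-binary" and process.lower() in ALLOWED:
            continue
        alerts.append((host, process, label))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Matching on the exact hostname rather than a substring keeps look-alike domains from being mistaken for the real services, and the allowlist needs tuning to whichever clients are actually sanctioned.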
The researchers warned that while businesses rarely rely on Discord, Telegram, and similar messaging apps, the attacks could quickly spread to other platforms.
“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years.”
Additionally, they provided a platform for attackers to sharpen their skills and collaborate with others to launch successful attacks.
“The ease of which these information stealers can pivot off messaging app features and the rise of remote work come together to create an opportunity for low-level cybercriminals to hone their skills, build their relationships and possibly pivot to further crimes in the future.”