Hackers have utilized these messaging apps in a variety of ways to transmit their own malware, according to Intel 471's research. They have discovered ways to host, distribute, and execute various activities on these platforms, which they mostly exploit in cooperation with data theft in order to be able to steal credentials or other information from unwary users.
According to a recent study from Intel 471, threat actors are using the multifaceted nature of messaging apps — in particular, their content-creation and program-sharing components — as a basis for information stealing.
Tactics & Techniques
Researchers at Intel 471 have found a number of data thefts that are openly accessible and depend on Telegram or Discord to operate.
Additionally, these hackers conduct similar attacks against the Roblox and Minecraft gaming sites. Discord's content delivery network (CDN) is regularly used to store malware, as per researchers, because the platform doesn't place limitations on file storage.
One Telegram-focused botnet, dubbed X-Files, includes features that may be accessible through Telegram's bot commands. Once the malware has been installed on a victim's computer, criminal actors can take credit card information, login credentials, session cookies, and passwords, and send them to a Telegram channel of their choice.
Several browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi, may import data into X-Files. Although Prynt Stealer, another stealer, operates similarly, it lacks the built-in Telegram commands.
The following malware families have been seen hosting harmful payloads on Discord CDN:
PrivateLoader, Discoloader, Colibri, Warszone RAT, Modi loader, Raccoon thief, Smokeloader
Amadey, Tesla agent thief, GuLoader, Autohotkey, and njRAT.
Cautions
The entry threat for malicious actors is reduced by automation in well-known chat platforms. Data theft might be the initial step in initiating a targeted attack against an enterprise, even though they can not alone cause as much harm as malware like a data wiper or ransomware.
Although messaging services like Discord and Telegram are not often utilized for corporate activities, their popularity and the surge in remote work have increased the attack surface available to cybercriminals.
