Malware Authors Leveraging Telegram-based Command and Control

Malware authors are increasingly using Telegram-based tactics to enhance their malware's capabilities. In recent attacks, using Telegram as a command and control (C&C) system has been gaining traction compared to the traditional web-based administration panel.

Telegram-based malware control

In October, a security researcher discovered a new remote access trojan named T-RAT being advertised on Russian-speaking underground hacking forums for only $45.
  • The author of the malware claims that using Telegram via smartphone can provide threat actors faster and easier access to infected computers from any location, along with some additional persistence capabilities.
  • With 98 different commands, the RAT could allow threat actors to activate data-stealing features, deploy a keylogger, and use a clipboard-hijacking mechanism to hijack transactions for payment solutions such as Qiwi, Yandex Money, Payeer, Ripple, and Dogecoin, all via its Telegram channel.

Telegram as a mixed blessing for hackers

Besides using Telegram as a C&C channel, hackers are leveraging various other services, capabilities, or the brand name to carry out espionage campaigns.
  • Last month, hackers were seen using the Telegram bot API as an exfiltration method for transporting stolen data during an active phishing campaign targeting AT&T employees.
  • In the same month, Rampant Kitten, the Iranian APT, was seen leveraging Telegram phishing pages, distributed via fake Telegram service accounts, to target its victims.
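Both the C&C and the exfiltration use cases above rely on the same thing: an infected host talking to the public Telegram Bot API. That gives defenders a concrete thing to look for in web-proxy logs. The script below is an added example written for this article, not code from any of the reports or malware it describes. It assumes a simple key=value proxy log format and uses constructed sample lines and made-up bot tokens; the byte threshold and poll count are tuning assumptions, not values from the article.

```python
"""Flag Telegram Bot API traffic in web-proxy logs (added example).

Malware that uses Telegram for C&C or exfiltration talks to
https://api.telegram.org/bot<TOKEN>/<method>.  Normal Telegram clients do not
use the Bot API, so such requests from workstations, particularly from a
non-browser user agent, with a large outbound payload, or as repeated
getUpdates polling, deserve an alert.  Log format, sample lines and bot tokens
below are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Bot API path: /bot<numeric id>:<secret>/<method>.  The token is a credential;
# alerts carry only the numeric bot id, never the secret part.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Methods that move data off the host vs. the method a bot uses to poll for commands.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}
POLL_METHODS = {"getUpdates"}
BROWSER_UA_RE = re.compile(r"Mozilla/", re.I)
LARGE_UPLOAD_BYTES = 10_000   # assumption: tune to your environment
POLL_ALERT_COUNT = 3          # assumption: getUpdates calls per host before alerting

# Constructed proxy log lines: one benign web client visit, one suspicious upload,
# three polling calls from the same host, and one small browser-driven bot test.
SAMPLE_LOG = [
    'ts=2020-10-12T09:14:02Z src=WS-0142 verb=GET url=https://web.telegram.org/ '
    'ua="Mozilla/5.0 Firefox/81.0" bytes_out=512',
    'ts=2020-10-12T09:15:10Z src=WS-0142 verb=POST '
    'url=https://api.telegram.org/bot123456789:AAFakeTokenForExample/sendDocument '
    'ua="python-requests/2.24.0" bytes_out=48213',
    'ts=2020-10-12T09:15:40Z src=WS-0142 verb=GET '
    'url=https://api.telegram.org/bot123456789:AAFakeTokenForExample/getUpdates '
    'ua="python-requests/2.24.0" bytes_out=0',
    'ts=2020-10-12T09:16:10Z src=WS-0142 verb=GET '
    'url=https://api.telegram.org/bot123456789:AAFakeTokenForExample/getUpdates '
    'ua="python-requests/2.24.0" bytes_out=0',
    'ts=2020-10-12T09:16:40Z src=WS-0142 verb=GET '
    'url=https://api.telegram.org/bot123456789:AAFakeTokenForExample/getUpdates '
    'ua="python-requests/2.24.0" bytes_out=0',
    'ts=2020-10-12T10:02:00Z src=WS-0201 verb=POST '
    'url=https://api.telegram.org/bot987654:AnotherFakeToken/sendMessage '
    'ua="Mozilla/5.0 Chrome/86.0" bytes_out=120',
]


def parse_line(line):
    """Parse one key=value proxy log line (constructed format) into a dict."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    parts = urlsplit(fields.get("url", ""))
    fields["host"] = parts.hostname or ""
    fields["path"] = parts.path
    fields["bytes_out"] = int(fields.get("bytes_out", 0))
    return fields


def telegram_bot_call(fields):
    """Return (bot_id, method) if the request is a Telegram Bot API call, else None."""
    if fields["host"] != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(fields["path"])
    if not m:
        return None
    return m.group("bot_id"), m.group("method")


def detect(lines):
    """Run every log line through the checks and return a list of alert dicts."""
    alerts = []
    polls = Counter()
    for line in lines:
        f = parse_line(line)
        call = telegram_bot_call(f)
        if call is None:
            continue
        bot_id, method = call
        base = {"src": f.get("src"), "bot_id": bot_id, "method": method}
        if method in EXFIL_METHODS:
            reasons = []
            if not BROWSER_UA_RE.search(f.get("ua", "")):
                reasons.append("non-browser user agent")
            if f["bytes_out"] >= LARGE_UPLOAD_BYTES:
                reasons.append(f"large upload ({f['bytes_out']} bytes)")
            if reasons:
                alerts.append({**base, "type": "possible exfiltration", "reasons": reasons})
        elif method in POLL_METHODS:
            polls[f.get("src")] += 1
            if polls[f.get("src")] == POLL_ALERT_COUNT:
                alerts.append({**base, "type": "possible C2 polling",
                               "reasons": [f"{POLL_ALERT_COUNT}+ getUpdates calls"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it on the constructed sample yields two alerts for WS-0142 (a large non-browser upload via sendDocument, then repeated getUpdates polling) and none for the browser-driven sendMessage from WS-0201. The numeric bot id is enough to correlate infected hosts to the same operator without copying the secret half of the token into an alert store; if your proxy only logs hostnames, the api.telegram.org hit from a non-browser process is still the signal to pivot on.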

Closing statement

With Telegram being used both as a lure and as a C&C channel for remotely controlled malware, more malware families can be expected to adopt control-by-Telegram capabilities. Experts therefore suggest that users remain cautious when using Telegram-based services and protect their accounts with a strong password and multi-factor authentication.