Cybercriminals are increasingly adopting messaging apps, such as Telegram, as a replacement for underground forums. This not only lets them secure their communications but also helps them spread malware. Intel 471 has disclosed details about why Telegram has become the next hotspot for threat actors.

Why Telegram?

  • Telegram is better for anonymous communication than in-forum messaging services, which admins can monitor at all times.
  • It gives threat actors near-real-time encrypted communication when both parties are online at the same time.
  • The messaging service lets a user keep the same handle for both private and group communications.
  • It also removes the need for a domain service or web host, either of which could leave the actor exposed to DDoS attacks.

Why this matters

  • Although Telegram lacks a direct payment option, its simple structure gives threat actors an effective way to conduct illicit business.
  • Various threat groups use the platform to mobilize operations and to distribute malware logs, compromised accounts, and stolen data.

Using Discord

In an earlier report, Intel 471 stated that apps such as Discord and Telegram let users perform several automated tasks. The researchers had spotted various infostealers, freely available for download, that depend on Discord for their functionality.
  • Blitzed Grabber, one such stealer, uses Discord webhooks to store the data the malware pilfers. Once the stolen information has been posted back into Discord, threat actors can use it for further schemes.
  • Multiple attackers use Discord’s CDN to host malware payloads because it imposes no restrictions. The links are open to any user without authentication, letting attackers host payloads on a reputable web domain.
  • Malware families that use the Discord CDN include Amadey, Raccoon Stealer, PrivateLoader, and Agent Tesla, among others.
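
As an added defender-side example (not from the Intel 471 report or Cyware), the following Python triages web-proxy log lines for the two abuse patterns described above: POSTs to Discord webhook endpoints from processes that are neither a browser nor the Discord client, and downloads of executable-looking attachments from the Discord CDN. The log line format, the process allow-list, and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not real telemetry), one request per line:
#   <time> <src_host> <process> <method> <url>
SAMPLE_LOGS = """\
2022-06-01T10:01:05Z ws-17 chrome.exe GET https://discord.com/channels/@me
2022-06-01T10:02:11Z ws-17 svchost.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf_GhIj-KLmn
2022-06-01T10:03:40Z ws-22 Discord.exe POST https://discord.com/api/v9/channels/111/messages
2022-06-01T10:04:02Z ws-09 powershell.exe GET https://cdn.discordapp.com/attachments/111/222/update.exe
2022-06-01T10:04:30Z ws-09 firefox.exe GET https://cdn.discordapp.com/attachments/111/333/photo.png
"""

# Webhook URLs look like /api/webhooks/<id>/<token>; CDN files like /attachments/<channel>/<msg>/<name>.
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[A-Za-z0-9_-]+$")
CDN_ATTACHMENT = re.compile(r"^/attachments/\d+/\d+/[^/]+$")
PAYLOAD_EXTS = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".zip", ".rar", ".iso")
# Assumed allow-list of processes expected to talk to Discord; anything else is suspicious.
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def classify(process, method, url):
    """Return a finding label for one request, or None if it looks benign."""
    u = urlparse(url)
    host = u.hostname or ""
    proc = process.lower()
    if host in ("discord.com", "discordapp.com") and method == "POST" \
            and WEBHOOK_PATH.match(u.path):
        # Webhooks accept unauthenticated POSTs, which is why stealers use them as a drop box.
        if proc not in EXPECTED_CLIENTS:
            return "webhook-exfil"
    if host == "cdn.discordapp.com" and method == "GET" and CDN_ATTACHMENT.match(u.path):
        # An unusual process fetching an executable-looking attachment suggests payload staging.
        if u.path.lower().endswith(PAYLOAD_EXTS) and proc not in EXPECTED_CLIENTS:
            return "cdn-payload-download"
    return None


def triage(log_text):
    """Return (src_host, process, label) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        _ts, host, process, method, url = line.split(maxsplit=4)
        label = classify(process, method, url)
        if label:
            findings.append((host, process, label))
    return findings
```

Running `triage(SAMPLE_LOGS)` flags only the svchost.exe webhook POST and the powershell.exe download; the browser and Discord client traffic is left alone.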

The bottom line

The sudden shift to Telegram and Discord messaging services highlights the dynamic nature of cybercriminals and the threat landscape. Threat actors will keep changing their business models as they see fit, especially when their operational security is at risk. The gated nature of the communication Telegram provides has encouraged this move from in-forum chats to messaging services.
Cyware Publisher