A new report from security vendor Intel471 reveals how cybercriminals are using bots already deployed in messaging apps Discord and Telegram to deliver malware and steal user credentials.
In addition, these actors are targeting Roblox and Minecraft gaming platforms in similar attacks. Researchers pointed out that Discord’s content delivery network (CDN) is actively used for hosting malware because the platform doesn’t impose restrictions on file hosting.
The report revealed that these file hosting links are accessible to anyone without requiring authentication. This allows cybercriminals a credible “web domain to host malicious payloads.”
For your information, bots are used on Discord and Telegram so that users can play games, share data, and moderate channels to eliminate unwanted content. However, Intel471’s researchers identified that these can be used for delivering malware.
Some malware strains researchers found deployed in Discord’s CDN include Pay-Per-Install malware (PPI) Discoloader, PrivateLoader, Smokeloader, Agent Tesla, Autohotkey, Raccoon stealer, njRAT and many more.
Bots Stealing User Info from Systems
Researchers explained that threat actors use trojan malware to steal information from devices/systems attached to legit bots in the apps. The malware can steal a wide range of information. This includes the following:
- Autofill data
- Payment card data
- Cryptocurrency wallets
- Browser/session cookies
- Microsoft Windows product keys
- VPN (virtual private network) client logins
It is worth noting that using bots to spread malware on such platforms is nothing new. A report published last year explained how Telegram bots are stealing OTP (One-Time Password).
When it comes to Discord, there are a plethora of reports from cybersecurity companies explaining how one of the most frequently used messenger services in the world is used in spreading malware.
Messaging Apps Have Become Attackers’ C&C Mechanisms
According to Intel471’s report, cybercrooks use messaging apps like Telegram as their Command and Control methods. Through the bot functionality on these platforms, the software can automatically send messages from a device using these apps.
Researchers shared some details on the malware used to steal information. One malware strain, Blitzed Grabber, uses the automated messaging feature called webhooks in Discord for transmitting data.
Another malware bot identified as X-Files lets the attacker control Telegram and send commands to the bot to steal data and send it to any Telegram channel of their choice.
Bots Can Also Steal One-Time-Passwords
As aforementioned, Intel471 also noted that the Astro OTP threat group exploits Telegram bots to steal OTP tokens and SMS verification codes to complete 2FA (two-factor authentication). The attacker can directly control the bot via the Telegram interface through simple commands.
Some bots are available for rent for as low as $25/day and $300 for a lifetime subscription. Stealing credentials through bots can have devastating consequences for enterprises, and malware operators can easily launch Man-in-the-Middle attacks (MiTM).