Researchers on Tuesday reported that cybercriminals are leveraging the bots inside popular cloud-based messaging apps such as Discord and Telegram to spread malware. The bots are normally used to share media, play games, moderate channels, or perform any other automated task developers can devise. In the wrong hands, however, the same automation lets bad actors conduct cybercrime.
In a blog post, Intel 471 researchers said bad actors have found ways to use these messaging platforms in conjunction with information stealers to host, distribute, and execute various functions that let them steal credentials from unsuspecting users.
The Intel 471 researchers found several freely downloadable information stealers that rely on Discord or Telegram for core functionality. One stealer, known as “Blitzed Grabber,” uses Discord’s webhooks feature as a drop point for the data the malware exfiltrates. The researchers said that once the malware posts the stolen information into Discord, the bad actors can use it to continue their own schemes or sell the stolen credentials on the dark web.
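As an added defensive example (not code from the Intel 471 report or this article), the following Python flags outbound POSTs to Discord webhook and Telegram Bot API endpoints in a constructed proxy log, which is how a security team could spot the exfiltration pattern described above. The log format, the list of processes expected to talk to these services, and the upload-size threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Endpoints the article describes stealers using as a drop point for stolen data.
WEBHOOK_PATTERNS = [
    ("discord_webhook", re.compile(r"^https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/")),
    ("telegram_bot_api", re.compile(r"^https?://api\.telegram\.org/bot[^/]+/send(?:Message|Document)")),
]
# Processes for which a user-driven POST to these endpoints is plausible (assumption).
EXPECTED_CLIENTS = {"discord.exe", "telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Assumed proxy log format: "<timestamp> <host> <process> <method> <url> <bytes sent>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")

@dataclass
class Finding:
    ts: str
    host: str
    process: str
    kind: str
    bytes_out: int
    reason: str

def find_webhook_exfil(log_lines, min_bytes=4096):
    """Return one Finding per POST to a webhook/bot endpoint that is suspicious
    because of the originating process or the amount of data uploaded."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        kind = next((k for k, p in WEBHOOK_PATTERNS if p.match(m["url"])), None)
        if kind is None:
            continue
        proc, size, reasons = m["proc"].lower(), int(m["bytes"]), []
        if proc not in EXPECTED_CLIENTS:
            reasons.append(f"unexpected client process {proc}")
        if size >= min_bytes:
            reasons.append(f"large upload ({size} bytes)")
        if reasons:
            findings.append(Finding(m["ts"], m["host"], proc, kind, size, "; ".join(reasons)))
    return findings

# Constructed sample log lines; ids and tokens are placeholders, not real values.
SAMPLE_LOG = [
    "2022-02-22T10:01:02Z ws-017 discord.exe GET https://discord.com/api/v9/users/@me 0",
    "2022-02-22T10:03:44Z ws-017 svchost.exe POST https://discord.com/api/webhooks/123456789/PLACEHOLDER_TOKEN 187344",
    "2022-02-22T10:05:10Z ws-042 chrome.exe POST https://discord.com/api/webhooks/987654321/PLACEHOLDER_TOKEN 512",
    "2022-02-22T10:07:31Z ws-042 updater.exe POST https://api.telegram.org/botPLACEHOLDER/sendDocument 66012",
]

if __name__ == "__main__":
    for f in find_webhook_exfil(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.process} -> {f.kind}: {f.reason}")
```

The small POST from chrome.exe is left alone by default so that legitimate webhook use does not drown the alert; lowering `min_bytes` or tightening `EXPECTED_CLIENTS` trades that noise for coverage.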
“Various automation features in popular messaging platforms considerably aid threat actors who are looking for ease-of-use and reliability to conduct their illicit operations,” said Michael DeBolt, chief intelligence officer at Intel 471. “Whether these actors are stealing credentials for further sales or bypassing verification codes to gain unauthorized access into a victim’s bank account, the ease by which threat actors can obtain this information should serve as a warning. Security teams should institute token-based multi-factor authentication wherever possible, and educate their users on what possible scams stemming from these automated schemes can look like.”
John Bambenek, principal threat hunter at Netenrich, said one of the recurring problems for cybercriminals has been where to host their malware binaries so victims can download them. Bambenek said they can use compromised infrastructure, but sometimes those sites get cleaned, and it takes an ecosystem to find new compromised websites.
“They can use dedicated infrastructure, but threat researchers can identify, block, and take down those servers,” Bambenek said. “Hosting in cloud services makes it easy for a class of attackers who don’t want to manage bulk website compromise or operate their own infrastructure. Free services, in particular, mean cloud companies are playing whack-a-mole and have a hard time really stopping the problem.”