Researchers at Intel471 had found several malware families that are available to freely download and rely on messaging apps like Telegram and Discord for their functionality. The researchers also discovered several threat actors using these apps to host, distribute and execute functions that allow them to steal credentials or other information from victims.
Apps like Discord and Telegram allow bots on their platforms to help users manage groups and servers and automate moderation tasks. However, these bots also come in handy for cybercriminals as they can reverse engineer the system to host malware and make these apps act as Command and Control centres.
Discord’s continuing malware problem
One freely available information stealer, Blitzed Grabber, uses Discord’s webhooks to store data extracted through malware and then passes it on to the attacker. Such stealers can extract information like autofill data, browser bookmarks, cookies, VPN credentials, payment card information, crypto wallets, OS information and passwords and even the Windows product key.
And that’s not all; several of these information stealers, including Blitzed Grabber, Mercurial Grabber, and 44Caliber, are also capable of stealing credentials for Minecraft and Roblox.
This isn’t the first time the Discord CDN has been used to store and distribute malware. The service has been plagued by hackers for quite some time now. Last year, Discord’s CDN was used for hosting, spreading and controlling malware, including several ransomware variants, game hacks, identity theft malware and even spyware and fake apps for Android phones.
Intel 471 claims their Malware Intelligence collection systems first observed this in 2019. Since then, threat actors and cybercriminals have been using Discord’s CDN to store malware as they seemingly do not face any restrictions. In addition to that, it also gives them a highly reputable web domain to host and spread malicious payloads.
The researchers have observed the following malware families hosted on the Discord CDN.
- Agent Tesla stealer
- Modi stealer
- Raccoon stealer
- Warzone RAT
Telegram targeted by OTP bots
Intel 471 also pointed toward the recent rise of OTP bots sold as a service in several different cybercrime forums.
One of the most prominent examples of these services is the Astro OTP bot, observed by the researchers back in April. The bot allows an attacker to intercept OTPs and SMS verification codes. Allegedly, the bot can be controlled directly through Telegram’s interface using simple commands. Access to the bot is also relatively cheap, costing $25 for a one-day subscription and $300 for lifetime access.
Another Telegram-focussed bot called X-Files bases its functionality on bot commands available inside Telegram. Once loaded on the system, the malware can steal passwords, session cookies, login credentials and even credit or debit card details and send that information to a Telegram channel of the attacker’s choice.
X-Files isn’t the only Telegram-based information stealer out there, either. Researchers also discovered another bot called Prynt Stealer, which functions similarly but doesn’t support built-in Telegram commands.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.