Messaging Apps Used To Propagate Information-Stealing Malware

Risk:
high
Damage:
high
Platform(s):
Mobile Networks and Telephones
Advisory ID:
ngCERT-2022-0088
Version:
N/A
CVE:
N/A
Published:
August 3, 2022

Summary


With the proliferation of messaging apps, some have gained far more traction than others. Discord and Telegram, two of the most popular, each have a large community that not only exchanges messages but also develops and shares "bots", programs that automate a variety of tasks within the platform. Threat actors have exploited this and are now using both platforms to host, spread and receive data from information-stealing malware.

Description & Consequence


Threat actors use these apps at several layers of their operations. Discord's Content Delivery Network (CDN) acts as a free file-hosting service: any type of file can be attached to a message, and the resulting download link can then be handed to anyone, since fetching it requires no authentication. As a result, the Discord CDN has become a haven for malware payloads; Modi Loader, Warzone RAT, the Agent Tesla stealer, Amadey, njRAT and other malicious payloads are currently hosted there. On Telegram, a bot that steals one-time passwords (OTPs) and verification codes sent via text message is sold as Malware-as-a-Service (MaaS); the operator has full control of the bot and can issue it several commands. This bot is known as Astro OTP.

Another Telegram bot, known as X-files, comes into play once its malware has been loaded onto a victim's system: it exfiltrates the stolen data to a Telegram channel chosen by the actor.

Blitzed Grabber is another information stealer. It uses a Discord feature known as webhooks (URLs that let an external program post messages and files into a channel without logging in) to automate the exfiltration of data from a victim's system to a channel of the actor's choosing.

Ultimately, actors are using these platforms as Command and Control (C2) infrastructure: a base to operate from and a place to collect pilfered user information.

A successful compromise gives the threat actors access to the following:

  • Passwords
  • Autofill data
  • Debit card information
  • Cookies
  • Cryptocurrency wallet credentials
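The three channels described above (payload hosting on Discord's CDN, exfiltration through Discord webhooks, and exfiltration or command polling through the Telegram Bot API) all leave distinctive URLs in outbound web-proxy logs. The following Python script is an added example, not part of this advisory or of any vendor's tooling: it scans proxy log lines for those URL shapes and reports one finding per matching request. The log format, the client addresses, the sample lines and every Discord or Telegram ID and token in them are constructed placeholders for illustration, not real identifiers.

```python
"""Flag Discord/Telegram abuse patterns in outbound web-proxy logs.

Added example for this advisory, not ngCERT's tooling. The log format and the
sample lines are constructed; the URL patterns follow the public shape of
Discord's attachment CDN, Discord webhooks and the Telegram Bot API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed proxy log format (constructed for this example):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s*$'
)

# Discord's attachment CDN serves any uploaded file from a public, unauthenticated URL.
DISCORD_CDN_RE = re.compile(
    r'^https?://cdn\.discordapp\.com/attachments/\d+/\d+/(?P<name>[^/?#]+)', re.I)
# A Discord webhook is a URL with an embedded secret; anyone holding it can POST
# messages and file attachments into the channel it belongs to.
DISCORD_WEBHOOK_RE = re.compile(
    r'^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/[\w-]+', re.I)
# Telegram Bot API calls carry the bot token in the path: /bot<token>/<method>.
TELEGRAM_BOT_RE = re.compile(
    r'^https?://api\.telegram\.org/bot\d+:[\w-]+/(?P<method>\w+)', re.I)

# Extensions that should not be arriving from a chat CDN on a managed workstation.
PAYLOAD_EXTS = ('.exe', '.dll', '.scr', '.msi', '.bat', '.cmd', '.ps1', '.vbs',
                '.js', '.jar', '.iso', '.img', '.zip', '.rar', '.7z')
BROWSER_UA_RE = re.compile(r'^Mozilla/\d')
TELEGRAM_EXFIL_METHODS = {'sendDocument', 'sendMessage', 'sendPhoto', 'sendVideo'}
TELEGRAM_C2_METHODS = {'getUpdates'}   # a bot polling for operator commands


@dataclass(frozen=True)
class Finding:
    src: str      # client that made the request
    kind: str     # detection name
    detail: str   # what triggered it
    url: str      # full URL, so IR can pull the payload or report the webhook/bot


def classify(method: str, url: str, ua: str) -> Optional[tuple[str, str]]:
    """Return (kind, detail) if a request matches an abuse pattern, else None."""
    m = DISCORD_CDN_RE.match(url)
    if m and m.group('name').lower().endswith(PAYLOAD_EXTS):
        return 'discord_cdn_payload_download', f"executable/archive fetched from Discord CDN: {m.group('name')}"
    if DISCORD_WEBHOOK_RE.match(url) and method == 'POST':
        # Grabbers usually speak raw HTTP, so a non-browser UA raises confidence.
        if BROWSER_UA_RE.match(ua):
            return 'discord_webhook_post', f'browser-like user agent: {ua}'
        return 'discord_webhook_exfil', f'non-browser user agent: {ua}'
    m = TELEGRAM_BOT_RE.match(url)
    if m:
        tg_method = m.group('method')
        if tg_method in TELEGRAM_EXFIL_METHODS:
            return 'telegram_bot_exfil', f'Bot API method {tg_method}'
        if tg_method in TELEGRAM_C2_METHODS:
            return 'telegram_bot_c2_poll', f'Bot API method {tg_method}'
        return 'telegram_bot_api', f'Bot API method {tg_method}'
    return None


def scan(lines: Iterable[str]) -> list[Finding]:
    """Parse each log line and collect findings for requests that match a pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsable line; a real pipeline would count these
        hit = classify(m['method'], m['url'], m['ua'])
        if hit:
            findings.append(Finding(m['src'], hit[0], hit[1], m['url']))
    return findings


# Constructed sample: one workstation fetches a payload from the Discord CDN,
# then exfiltrates over a Discord webhook and the Telegram Bot API. The IDs and
# tokens are fake placeholders, not real Discord or Telegram identifiers.
SAMPLE_LOG = """\
2022-08-01T10:15:02Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Invoice_0822.exe 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-01T10:15:40Z 10.0.0.12 POST https://discord.com/api/webhooks/333333333333333333/FakeWebhookToken_ForIllustrationOnly 204 "python-requests/2.28.1"
2022-08-01T10:16:05Z 10.0.0.12 POST https://api.telegram.org/bot123456789:FakeBotTokenForIllustrationOnly/sendDocument 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2022-08-01T10:17:00Z 10.0.0.30 GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/team_photo.png 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-01T10:18:00Z 10.0.0.31 GET https://discord.com/api/v9/users/@me 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) discord/1.0.9006"
"""


def scan_sample() -> list[Finding]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == '__main__':
    for f in scan_sample():
        print(f'{f.src}  {f.kind:<30} {f.detail}')
```

Two caveats for anyone deploying this. Discord webhooks have legitimate uses (build and monitoring notifications, for instance), so the script only reports a high-confidence finding when the POST comes from a non-browser user agent; tune that against an allowlist of known integrations. Matching on the URL path also requires proxy logs that record full URLs, i.e. TLS inspection. Where only the hostname (SNI) is visible, traffic to api.telegram.org or cdn.discordapp.com from workstations that have no business with either service is still a usable hostname-level signal.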

Solution


  1. Avoid installing untrusted apps.
  2. Keep operating systems, software, and applications current and up to date.
  3. Install and update anti-malware solutions on your devices, set them to update automatically, and run regular scans.
  4. Back up data regularly and double-check that those backups completed successfully.
  5. Always lock devices and use strong passwords.
  6. Do not open or run executables or archives delivered as chat attachments or cdn.discordapp.com links, regardless of who appears to have sent them.
  7. Organisations should monitor and, where there is no business need, block outbound traffic from endpoints to Discord webhook and Telegram Bot API endpoints, since these are the exfiltration and C2 channels described above.
