Criminals are using malicious bots to steal information from victims via the popular Telegram and Discord messaging services, said a report this week. Some bots can be rented for as little as $25 a day.
The bot-based malware steals credentials, including virtual private network (VPN) client logins, payment card information, cryptocurrency wallets, operating system data, passwords and Microsoft Windows product keys, said security company Intel 471. It can also steal session cookies, which let an attacker take over a logged-in web session without knowing the password. Everything it collects is sent out through a bot that talks directly to these messaging platforms.
The company found criminals using the messaging apps as command and control mechanisms. In a blog post this week, it said it had observed information stealers on both platforms abusing the bot functionality that lets a program post messages to a channel automatically, with no human user logged in.
One malware strain, Blitzed Grabber, uses a feature called webhooks in Discord. A Discord webhook is a URL tied to a specific channel: any program that knows the URL can post a message or upload a file into that channel with a single HTTP request, no account or login required, which makes it a convenient one-way exfiltration channel.
Another malware bot, called X-Files, lets its criminal operators control it from inside the Telegram messaging app. They send commands to the bot via Telegram, directing it to steal data and deliver it to a Telegram channel they choose. Because both the commands and the stolen data travel to Telegram's own servers, the traffic looks like ordinary messaging activity on the network.
Bots often harvest saved credentials and cookies from browsers. Some bots also use the Telegram network to steal one-time password (OTP) tokens and SMS verification codes, the company said, which lets the operators get past multi-factor authentication on the accounts they have credentials for.
The messaging apps that these bot-based malware strains target have a large consumer audience. Some strains use the apps to relay data stolen from consumer-focused applications, such as the children's online gaming platform Roblox and Microsoft's Minecraft.
Nevertheless, malware exploiting these apps could form the initial stage of a targeted attack against an enterprise, Intel 471 said. Some businesses do use Telegram and Discord for communications, and in any case, employees might install Telegram or Discord on their machines for personal use. That means outbound traffic to these services can rarely be blocked outright, but it cannot be assumed benign either.
The criminals are also using the messaging platforms' own networks to host and distribute their malware, according to the Intel 471 analysis. Files uploaded to a Discord channel are served from Discord's own content delivery network (cdn.discordapp.com) and can be fetched by anyone holding the link, so attackers upload malware there and hand out links that point at a reputable, widely allow-listed domain rather than at infrastructure they had to register themselves.
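The command-and-control and exfiltration patterns described above (Discord webhooks, Telegram bot commands and uploads, and payload hosting on Discord's CDN) all leave distinctive URLs in outbound web traffic, which is where a defender can look for them. The Python script below is an added example, not code from the Intel 471 report or from either malware family. It scans a handful of constructed proxy-log lines (the log format, hostnames, webhook IDs and tokens are all made up) and classifies each hit. It goes slightly beyond the article by separating a Telegram `getUpdates` poll, which is how a bot fetches its operator's commands if it uses the Bot API's long-polling mode (an assumption about the mechanism, not something the report states), from the `send*` calls that carry data off the host, since that distinction tells an analyst which direction the channel is being used in.

```python
"""Flag Discord-webhook, Telegram Bot API and Discord CDN traffic in a web proxy log.

Added example: the log format, hostnames, IDs and tokens below are constructed for
illustration and are not taken from the Intel 471 report or from any real sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A Discord webhook URL carries the channel-bound webhook ID and its secret token;
# a POST to it publishes a message (or multipart file upload) without any login.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([A-Za-z0-9_-]+)"
)
# Every Telegram Bot API call embeds the bot token (<bot_id>:<secret>) in the path,
# followed by the method name, so the direction of traffic is visible in the URL.
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")
# Attachments uploaded to a Discord channel are served from Discord's own CDN.
DISCORD_CDN = re.compile(
    r"https?://(?:cdn\.discordapp\.com|media\.discordapp\.net)/attachments/(\d+)/(\d+)/([^?\s]+)"
)

TG_EXFIL = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}  # data leaving the host
TG_POLL = {"getUpdates"}  # bot fetching commands from its operator (long-polling, assumed here)
RISKY_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".zip", ".rar", ".7z")


@dataclass
class Finding:
    line_no: int
    host: str
    kind: str    # discord_webhook | telegram_exfil | telegram_c2_poll | telegram_other | discord_cdn_payload
    detail: str  # identifiers an analyst can pivot on; secrets are masked


def mask(secret: str) -> str:
    """Keep just enough of a token to correlate across events without logging it whole."""
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 8 else "***"


def classify(method: str, url: str) -> Optional[Tuple[str, str]]:
    """Return (kind, detail) for a suspicious request, or None for anything else."""
    m = DISCORD_WEBHOOK.search(url)
    if m:
        return "discord_webhook", f"webhook_id={m.group(1)} token={mask(m.group(2))} http={method}"
    m = TELEGRAM_BOT.search(url)
    if m:
        bot_id, token, api_method = m.groups()
        if api_method in TG_EXFIL:
            kind = "telegram_exfil"
        elif api_method in TG_POLL:
            kind = "telegram_c2_poll"
        else:
            kind = "telegram_other"
        return kind, f"bot_id={bot_id} token={mask(token)} api={api_method}"
    m = DISCORD_CDN.search(url)
    if m and m.group(3).lower().endswith(RISKY_EXT):
        # Ordinary image/video attachments from Discord are everyday traffic; only executables
        # and archives fetched from the CDN are worth a ticket.
        return "discord_cdn_payload", f"channel={m.group(1)} attachment={m.group(2)} file={m.group(3)}"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse '<timestamp> <host> <method> <url> <status>' lines (constructed format) and classify each."""
    findings = []
    for n, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or blank line
        _ts, host, method, url, _status = parts[:5]
        hit = classify(method, url)
        if hit:
            findings.append(Finding(n, host, hit[0], hit[1]))
    return findings


# Constructed sample log: one stealer on ws-041 polling a Telegram bot for commands and then
# exfiltrating over a Discord webhook and Telegram, one payload download from Discord's CDN
# on ws-077, and two benign Discord requests that must not fire.
SAMPLE_LOG = """\
2024-05-02T10:15:01Z ws-041 POST https://discord.com/api/webhooks/111122223333444455/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnopqrstuvwxyz 204
2024-05-02T10:15:09Z ws-041 GET https://api.telegram.org/bot123456789:AAHfakeTokenForIllustrationOnly_xyz/getUpdates?offset=42 200
2024-05-02T10:16:30Z ws-041 POST https://api.telegram.org/bot123456789:AAHfakeTokenForIllustrationOnly_xyz/sendDocument 200
2024-05-02T10:20:12Z ws-077 GET https://cdn.discordapp.com/attachments/998877665544332211/112233445566778899/Update.exe 200
2024-05-02T10:21:00Z ws-077 GET https://discord.com/channels/@me 200
2024-05-02T10:22:45Z ws-012 GET https://cdn.discordapp.com/attachments/998877665544332211/112233445566778800/meme.png 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no:>2} {f.host:<7} {f.kind:<20} {f.detail}")
```

Two design points worth noting. The tokens are masked in the output rather than dropped: the bot ID and webhook ID are stable identifiers that let an analyst tie events from different hosts to the same operator, while the secret itself should not end up in a ticketing system. And the CDN rule only fires on executables and archives, because image attachments from Discord are routine traffic on any network where the client is installed; flagging every fetch from cdn.discordapp.com would bury the real hits.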