Hackers are using Telegram as a hub for malicious activities
Malware authors are using Telegram as a ready-made command and control (C&C) system
Security researchers have discovered that Telegram’s popularity as an end-to-end encrypted messaging platform has also made it popular with threat actors.
In a new report, Omer Hofman of cybersecurity company Check Point explains that malware authors are increasingly using Telegram as a ready-made command and control (C&C) system for their malicious activities, since it offers several advantages compared to conventional web-based malware administration.
Interestingly, Telegram isn’t the only white-label encryption tool that’s been repurposed by threat actors. Recent Sophos research revealed that malware operators are increasingly shifting to encrypted communications protocols, as well as legitimate cloud services, to evade detection.
Operational benefits
In his analysis, Hofman notes that Telegram was first used as a malware C&C server in 2017, by operators of the Masad strain. This group is said to have been the first to realize the benefits of using a popular instant messaging service as an integral part of attacks.
Since then, Hofman says, researchers have discovered dozens of malware strains that use Telegram to assist with their malicious activities. Surprisingly, these are offered in a ready-to-weaponize state and are hidden in plain sight in public GitHub repositories.
Over the past three months, Check Point has observed over a hundred attacks that use a new multi-functional remote access trojan (RAT) called ToxicEye, spread via phishing emails that contain a malicious executable.
ToxicEye is also managed by attackers over Telegram, which it uses to communicate with the C&C server and siphon off stolen data.
Hofman’s analysis of ToxicEye reveals that its authors have embedded a Telegram bot into its configuration file. Once a victim has been infected, the bot helps connect the user’s device back to the attacker’s C&C via Telegram.
The bot has been observed to steal data, deploy a keylogger, record audio and video, and can even be made to function like ransomware, encrypting files on a victim’s machine.
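Because a Telegram-controlled implant like the one described above talks to the public Bot API over ordinary HTTPS, a defender’s first practical lever is the web-proxy log: requests to api.telegram.org of the shape `/bot<id>:<secret>/<method>` are Bot API calls, and most enterprise endpoints have no business making them. The detector below is an added example written for this article, not Check Point’s code or anything recovered from ToxicEye; the log format, hostnames, process names and bot tokens are constructed, and the allow-list of hosts permitted to run sanctioned bots is an assumption about the reader’s own environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Documented shape of a Telegram Bot API call:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The regex keeps the numeric bot id (safe to put in a ticket) and the method;
# the secret is matched only so it can be redacted, never stored.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Severity buckets are this example's own choice (assumption, not from the article):
# upload methods move data off the host, getUpdates polls the channel for tasking.
EXFIL_METHODS: Set[str] = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}
TASKING_METHODS: Set[str] = {"getUpdates"}


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    bot_id: str
    method: str
    severity: str


def classify(method: str) -> str:
    """Map a Bot API method name to a triage severity."""
    if method in EXFIL_METHODS:
        return "high"
    if method in TASKING_METHODS:
        return "medium"
    return "low"


def redact_token(url: str) -> str:
    """Replace the secret half of any bot token so the URL can be shared safely."""
    return BOT_API_RE.sub(lambda m: m.group(0).replace(m.group("secret"), "***"), url)


def scan_proxy_log(lines: Iterable[str], allowed_hosts: Set[str] = frozenset()) -> List[Finding]:
    """Flag Bot API calls from hosts that are not allow-listed to run a bot.

    Constructed log format: "<host> <process> <url>" per line.
    Malformed lines are skipped rather than aborting the scan.
    """
    findings: List[Finding] = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        host, process, url = parts
        m = BOT_API_RE.search(url)
        if m is None or host in allowed_hosts:
            continue
        method = m.group("method")
        findings.append(Finding(host, process, m.group("bot_id"), method, classify(method)))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Group observed methods per bot id: one bot doing both getUpdates and
    sendDocument is the C&C-plus-exfiltration pattern the article describes."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.bot_id, set()).add(f.method)
    return out


# Constructed sample proxy lines; the tokens are placeholders, not real credentials.
SAMPLE_LOG = """\
ws-017 updater.exe https://api.telegram.org/bot1234567890:AAExamplePlaceholderSecretXXXXXXXXXXXXX/getUpdates?offset=5
ws-017 updater.exe https://api.telegram.org/bot1234567890:AAExamplePlaceholderSecretXXXXXXXXXXXXX/sendDocument
ws-042 chrome.exe https://web.telegram.org/k/
ci-build-3 python.exe https://api.telegram.org/bot9876543210:BBBuildNotifierPlaceholderXXXXXXXXXXXX/sendMessage
ws-099 explorer.exe not-a-url
""".splitlines()

ALLOWED_HOSTS = {"ci-build-3"}  # assumption: the build server runs a sanctioned notifier bot

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"[{f.severity}] {f.host} {f.process} bot={f.bot_id} method={f.method}")
    print(summarize(scan_proxy_log(SAMPLE_LOG, ALLOWED_HOSTS)))
```

Run against the sample, the scan produces two findings for ws-017 (the getUpdates poll at medium, the sendDocument upload at high) and nothing for the allow-listed build host, the ordinary web.telegram.org browsing, or the malformed line; `summarize` then shows one bot id used for both tasking and upload, which is the signal worth escalating.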
Worryingly, Hofman notes that the use of Telegram for such malicious purposes is only going to rise.
“Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” he concludes.
Telegram did not respond immediately to our request for comment.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.