Telegram, Discord used as attack launch pad
Threat actors make use of infrastructure of popular messaging apps such as Telegram and Discord to host, launch, and execute a variety of malware attacks.
The malware is used along with easily acquired infostealers to prey on unsuspecting users and steal their credentials, auto-filled data, payment card informations.
Attackers have found success using CDNs like Discord’s to host their malware, which the analysts point out has no restrictions for file hosting.
The links are open to any users without any protection giving threat actors a highly reputable web domain to host malicious payloads. PrivateLoader, Discoloader, Agent Tesla stealer, and Smokeloader are just a few of the malware families found lurking in Discord’s CDN.
An emerging threat group, Astro OTP. It’s actively using Telegram bots to steal one-time-password tokens and SMS message verification codes used for two-factor authentication.
Access to the bot is extremely cheap, a one-day subscription can be bought for $25, with a lifetime subscription available for $300.
Researchers warned that gathering compromised credentials and other information can be a critical precursor to a devastating enterprise attack.
Users to be aware of the security of messaging platforms they use and ahould stay vigilant. Enterprise security teams should take the time to protect against these types of messaging application man-in-the-middle attacks.
This research was conducted and documented by researchers from Intel 471