Security researchers have discovered that Telegram’s popularity as an end-to-end encrypted messaging platform has also made it popular with threat actors.
In a new report, Omer Hofman of cybersecurity company Check Point explains that malware authors are increasingly using Telegram as a ready-made command and control (C&C) system for their malicious activities, since it offers several advantages compared to conventional web-based malware administration.
Interestingly, Telegram isn’t the only white-label encryption tool that’s been repurposed by threat actors. A recent Sophos research revealed that malware operators are increasingly shifting to encrypted communications protocols as well as legitimate cloud services to evade detection.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Operational benefits
In his analysis, Hofman notes that Telegram was first used as a malware C&C server in 2017, by operators of the Masad strain. This group is said to have been the first to realize the benefits of using a popular instant messaging service as an integral part of attacks.
Since then, Hofman says, researchers have discovered dozens of malware strains that use Telegram to assist with their malicious activities. Surprisingly, these are offered in a ready-to-weaponize state and are hidden in plain sight in public GitHub repositories.
Over the past three months, Check Point has observed over a hundred attacks that use a new multi-functional remote access trojan (RAT) called ToxicEye, spread via phishing emails that contain a malicious executable.
ToxicEye is also managed by attackers over Telegram, which it uses to communicate with the C&C server and siphon off stolen data.
Hofman’s analysis of ToxicEye reveals that its authors have embedded a Telegram bot into its configuration file. Once a victim has been infected, the bot helps connect the user’s device back to the attacker’s C&C via Telegram.
The bot has been observed to steal data, deploy a keylogger, record audio and video, and can even be made to function like ransomware, encrypting files on a victim’s machine.
Worryingly, Hofman notes that the use of Telegram for such malicious purposes is only going to rise.
“Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” he concludes.
Telegram did not respond immediately to our request for comment.
