Messaging Apps Tapped as Platform for Cybercriminal Activity | Threatpost

2022-07-29 23:11:05 By: Ms. Ambial Jiang


Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.

Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.

Threat actors are tapping the multi-feature nature of messaging apps, in particular their content-creation and program-sharing components, as a foundation for info-stealing, according to new research from Intel 471.

Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.

“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.

Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.

Building and running a dedicated, secure network to store data stolen from unsuspecting victims is costly and time-consuming. Instead, threat actors are using the data-storage features of Discord and Telegram as repositories for the output of info-stealers, some of which depend on those apps for this part of their functionality, researchers have found.

Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.

Researchers from Intel 471 observed a stealer known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers, including Google Chrome, Chromium, Opera, Slimjet and Vivaldi, and then deposit that stolen information “into a Telegram channel of their choosing,” researchers said.

Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.

Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. A Discord webhook is a channel-specific URL that accepts HTTP POST requests: anyone holding the URL can post messages and file attachments into that channel without any further authentication, which makes it a convenient one-way pipe from a victim’s machine to an attacker-controlled channel.

Blitzed Grabber and two other stealers observed using messaging apps for data storage, Mercurial Grabber and 44Caliber, also target credentials for the Minecraft and Roblox gaming platforms, researchers added.

“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.

Threat actors also are leveraging the cloud infrastructure of messaging apps to host more than legitimate content: they use it to hide malware as well, according to Intel 471.

Discord’s content delivery network (CDN) has been an especially fertile ground for malware hosting since as far back as 2019, because cybercrime operators face no restrictions when uploading their malicious payloads there for file hosting, researchers noted.

“The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads,” researchers wrote.

Malware families observed using Discord CDN to host malicious payloads include: PrivateLoader, Colibri, Warzone RAT, Smokeloader, Agent Tesla stealer and njRAT, among others.
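The three abuse patterns described above (stealers calling the Telegram Bot API, stealers posting to Discord webhooks, and payloads fetched from Discord's CDN) all leave a recognizable URL shape in outbound web traffic. The following detector is an added example written for this page, not code from Intel 471 or from any of the malware families named; it scans proxy-style log lines for those shapes and redacts the embedded bot and webhook tokens so findings can be shared without propagating the attacker's credentials. The log lines and the single-line log format are constructed for the example; the hostnames and URL layouts are the public ones. The list of payload extensions is an assumption and should be tuned to the environment.

```python
"""Flag outbound requests that match messaging-app abuse patterns:
Telegram Bot API calls, Discord webhook posts, executable downloads from
Discord's CDN. Added example for this article, not vendor or malware code."""
import re
from dataclasses import dataclass
from typing import Optional

# Telegram Bot API calls embed the bot token in the path (public URL format):
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
# A Discord webhook is a per-channel URL; holding the URL is the only credential:
#   https://discord.com/api/webhooks/<webhook_id>/<token>
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:discord\.com|discordapp\.com)/api/webhooks/(?P<webhook_id>\d+)/(?P<token>[A-Za-z0-9_-]+)"
)
# Files uploaded to a channel are served without authentication from the CDN:
#   https://cdn.discordapp.com/attachments/<channel_id>/<message_id>/<filename>
DISCORD_CDN = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/(?P<filename>[^\s?#]+)"
)
# Assumption: extensions worth flagging when pulled from the CDN; tune per estate.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1",
                      ".vbs", ".js", ".jar", ".zip", ".rar", ".7z", ".iso")


@dataclass(frozen=True)
class Finding:
    line_no: int
    src: str
    category: str
    detail: str


def classify_request(http_method: str, url: str) -> Optional[tuple[str, str]]:
    """Return (category, detail) when the request matches an abuse pattern, else None.
    Bot and webhook tokens are redacted in the detail string."""
    m = TELEGRAM_BOT_API.search(url)
    if m:
        return ("telegram_bot_api",
                f"bot_id={m['bot_id']} token=<redacted> method={m['method']} ({http_method})")
    m = DISCORD_WEBHOOK.search(url)
    if m:
        return ("discord_webhook",
                f"webhook_id={m['webhook_id']} token=<redacted> ({http_method})")
    m = DISCORD_CDN.search(url)
    if m and m["filename"].lower().endswith(PAYLOAD_EXTENSIONS):
        return ("discord_cdn_payload", f"file={m['filename']} ({http_method})")
    return None


def scan_proxy_log(lines: list[str]) -> list[Finding]:
    """Constructed format, one request per line:
    '<timestamp> <src_ip> <method> <url> <status> <bytes>'."""
    findings: list[Finding] = []
    for no, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip rather than crash the scan
        _ts, src, http_method, url, _status, _nbytes = parts[:6]
        hit = classify_request(http_method, url)
        if hit:
            findings.append(Finding(no, src, hit[0], hit[1]))
    return findings


# Constructed sample log: one benign request, one of each abuse pattern,
# one harmless CDN image fetch and one ordinary Discord client API call.
SAMPLE_LOG = [
    "2022-07-26T10:14:58Z 10.0.0.12 GET https://www.example.com/ 200 5120",
    "2022-07-26T10:15:01Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAEaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQ/sendDocument?chat_id=-1001234567890 200 14823",
    "2022-07-26T10:15:07Z 10.0.0.15 POST https://discord.com/api/webhooks/987654321098765432/wh_TOKEN_example_abc123 204 3391",
    "2022-07-26T10:15:22Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.exe 200 917504",
    "2022-07-26T10:15:30Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222223/screenshot.png 200 40211",
    "2022-07-26T10:15:41Z 10.0.0.30 GET https://discord.com/api/v9/users/@me 200 812",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.src} {f.category}: {f.detail}")
```

Run against the constructed log, the scanner reports lines 2, 3 and 4 and nothing else: the image fetch from the CDN and the ordinary client API call fall through. Note that the Telegram secret is only recognizable because the Bot API puts the full token in the URL path; the same traffic seen through TLS without inspection shows only the hostname, so the webhook and bot checks belong on a proxy or EDR layer that sees the full URL.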

Cybercriminals also are putting Telegram bots to uses beyond the legitimate features they offer users, researchers found. In fact, Intel 471 has observed what it calls an “uptick” in services being flogged on the cybercrime underground that provide access to bots that can intercept one-time password (OTP) tokens, which threat actors can then use to defraud users.

One bot known as Astro OTP gives threat actors access to both OTPs and short message service (SMS) verification codes, researchers observed. Cybercriminals can control the bots directly through the Telegram interface by executing simple commands, they said.

The current going rate for Astro OTP on hacker forums is US$25 for a one-day subscription or US$300 for a life-time subscription, researchers said.
