Posted on April 25, 2021 at 8:07 AM
Hackers are using Telegram as a platform to conduct malicious activities given its end-to-end encryption. Threat actors are exploiting Telegram because it offers better features compared to traditional malware administration websites.
Security firms have published research showing increased use of Telegram by hackers, who exploit the end-to-end encrypted messaging platform to conduct a range of malicious activities. Hackers are also shifting to other encrypted communication platforms and cloud services to carry on their activities.
A report released by Check Point, a cybersecurity company, shows that threat actors are using the messaging platform as a ready-made command and control (C&C) system for their activities. Telegram offers superior features compared to websites that provide malware administration.
Using Telegram as a malware C&C Server
The research conducted by Check Point also shows that hackers started looking into using Telegram as a malware C&C server back in 2017. Actors behind the Masad strain conducted the first exploit and are believed to be the first to discover the advantages of using encrypted messaging platforms to launch attacks.
The report goes on to detail multiple malware strains that have since been built to use Telegram. Actors have used these strains to perform malicious activities. The strains are ready to launch and are listed in public GitHub repositories.
Over three months of research, Check Point uncovered more than a hundred attacks that exploited a new multipurpose remote access Trojan (RAT), ToxicEye. The Trojan is used to send phishing emails to unsuspecting individuals. Threat actors also use the Trojan to connect to the C&C server over Telegram and extract stolen information.
Further analysis of ToxicEye by Check Point shows that its authors embedded a Telegram bot in the malware. The bot links an infected user device to the attacker's C&C server through Telegram.
Check Point also noted that the bot could be used for other functions, including stealing user data, deploying a keylogger, and accessing storage and recording functionalities. The bot can also be used as ransomware, encrypting the data on a user's device and demanding payment from the user for it to be unlocked.
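Because the bot described above talks to the attacker through Telegram's public Bot API rather than through an attacker-owned domain, the defender's observable is the Bot API traffic itself, not a suspicious hostname. The following added example (not code from the report or from Check Point) runs a simple detection over a constructed web-proxy log: it finds requests to the Bot API, redacts the bot token so it never lands in an alert, and flags any client host that both polls for commands and pushes data back, which is the command-and-exfiltration loop a bot-based C&C client would show. The log format, host names, token values and the allowlist are all constructed for the example.

```python
"""Flag Telegram Bot API traffic in web-proxy logs (constructed sample data)."""
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic): timestamp, client host, method, URL, HTTP status.
# The token values are made-up placeholders, not real bot tokens.
SAMPLE_PROXY_LOG = """\
2021-04-20T09:12:01Z finance-pc-07 GET https://api.telegram.org/bot123456789:AAExampleTokenValueXYZ/getUpdates 200
2021-04-20T09:12:03Z finance-pc-07 POST https://api.telegram.org/bot123456789:AAExampleTokenValueXYZ/sendDocument 200
2021-04-20T09:13:10Z marketing-lt-02 GET https://web.telegram.org/ 200
2021-04-20T09:14:44Z finance-pc-07 GET https://api.telegram.org/bot123456789:AAExampleTokenValueXYZ/getUpdates 200
2021-04-20T09:15:02Z devops-ws-01 POST https://api.telegram.org/bot987654321:BBOtherExampleToken/sendMessage 200
2021-04-20T09:16:30Z finance-pc-07 GET https://example.com/index.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>.
# Capture the numeric id and the method; the secret is matched but never stored.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Methods a C&C channel would use: polling for operator commands, and sending messages/files back.
POLL_METHODS = {"getUpdates"}
SEND_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url, status = m.groups()
    return {"ts": ts, "host": host, "method": method, "url": url, "status": int(status)}


def find_bot_api_hits(log_text):
    """Return one record per Bot API request, with the bot token redacted."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.match(rec["url"])
        if m is None:
            continue
        bot_id, _secret, api_method = m.groups()  # _secret is deliberately dropped
        hits.append({"ts": rec["ts"], "host": rec["host"], "bot_id": bot_id, "api_method": api_method})
    return hits


def summarize_by_host(hits, allowlist=frozenset()):
    """Group Bot API hits per client host, skipping hosts approved to run Telegram bots."""
    by_host = defaultdict(lambda: {"polls": 0, "sends": 0, "bot_ids": set()})
    for h in hits:
        if h["host"] in allowlist:
            continue
        entry = by_host[h["host"]]
        entry["bot_ids"].add(h["bot_id"])
        if h["api_method"] in POLL_METHODS:
            entry["polls"] += 1
        elif h["api_method"] in SEND_METHODS:
            entry["sends"] += 1
    return dict(by_host)


def suspicious_hosts(summary):
    """Hosts that both poll getUpdates and call a send* method show the C&C loop; report them."""
    return sorted(host for host, e in summary.items() if e["polls"] > 0 and e["sends"] > 0)


if __name__ == "__main__":
    hits = find_bot_api_hits(SAMPLE_PROXY_LOG)
    summary = summarize_by_host(hits, allowlist={"devops-ws-01"})
    for host, e in summary.items():
        print(f"{host}: polls={e['polls']} sends={e['sends']} bots={sorted(e['bot_ids'])}")
    print("suspicious hosts:", suspicious_hosts(summary))
```

In a real deployment the allowlist would hold the hosts that legitimately run Telegram bots (monitoring or chat-ops systems), so that only unexpected endpoints such as a workstation in finance surface. Matching on the `/bot<id>:<secret>/` path shape also separates bot traffic from ordinary use of the Telegram web or desktop client, which does not call the Bot API.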
A rise in future threats
Omer Hofman, the author of the report published by Check Point, also affirms that the use of Telegram by malicious actors will increase in the future. He attributes this to the platform gaining more users by the day, which increases the number of victims who will fall prey to the malicious strategies established by the hackers.
Hofman also noted that the fact that Telegram can be exploited as a malware C&C server and for distributing malicious files means that actors will start looking for new features to exploit in the future. This, in turn, means that the threat levels on the platform will rise.
Telegram has not responded to the allegations tabled in this report. The issue nonetheless needs to be addressed with haste, lest it becomes too big to handle. Curbing the threat actors' exploitation of the platform as a C&C server now will reduce the magnitude of future threats and protect the users of this messaging platform.