Hackers use Telegram as a hub for malicious activities
Security researchers have found that Telegram's popularity as an end-to-end encrypted messaging platform has also made it popular with threat actors. In a new report, Omer Hofman of cybersecurity firm Check Point explains that malware authors are increasingly using Telegram as an out-of-the-box command and control (C&C) system for their malicious activities, because it offers several advantages over the traditional approach of managing malware through web-based infrastructure. Interestingly, Telegram is not the only off-the-shelf encrypted tool that has been repurposed by threat actors. A recent Sophos study found that malware operators are increasingly turning to encrypted communication protocols, as well as legitimate cloud services, to evade detection.


Operational benefits

In his analysis, Hofman notes that Telegram was first used as a malware C&C server in 2017, by the operators of the Masad strain. This group appears to have been the first to realize the benefits of using a popular instant messaging service as an integral part of its attacks. Since then, Hofman says, researchers have discovered dozens of types of malware that use Telegram to aid their malicious activities. Surprisingly, these come ready to build and are hiding in plain sight in public GitHub repositories.

Over the past three months, Check Point has observed more than 100 attacks using a new multifunctional Remote Access Trojan (RAT) called ToxicEye, which spreads via phishing emails containing a malicious executable. ToxicEye is also managed by attackers via Telegram, which it uses to communicate with the C&C server and exfiltrate stolen data.

Hofman's analysis of ToxicEye reveals that its authors embedded a Telegram bot into its configuration file. Once a victim has been infected, the bot connects the user's device to the attacker's C&C via Telegram. The bot has been observed stealing data, deploying a keylogger, and recording audio and video, and it can even function as ransomware, encrypting files on the victim's machine.

Worryingly, Hofman expects the use of Telegram for such malicious purposes to keep growing. "Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we expect that additional tools exploiting this platform will continue to be developed in the future," he concluded.

Telegram did not immediately respond to our request for comment.
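As an added, defender-side example that is not part of the article or of Check Point's report, the Python below scans a decoded configuration string for embedded Telegram bot tokens and Bot API endpoints (the trait described above), and flags proxy log lines where a process other than a known Telegram client talks to api.telegram.org. The token pattern, the log format and the sample config and log lines are all assumptions constructed for this example.

```python
import re

# Telegram bot tokens are "<numeric bot id>:<35-char secret>"; this regex is an
# approximation of that format (assumption, not taken from the article).
BOT_TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# Bot API calls take the form https://api.telegram.org/bot<token>/<method>
BOT_API_URL_RE = re.compile(r"api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{35}/(\w+)")


def scan_config_blob(blob: str) -> dict:
    """Return bot tokens and Bot API methods found in text extracted from a
    sample, e.g. a decoded configuration block of a RAT."""
    tokens = sorted(set(BOT_TOKEN_RE.findall(blob)))
    methods = sorted(set(BOT_API_URL_RE.findall(blob)))
    return {"tokens": tokens, "methods": methods}


def flag_telegram_egress(log_lines, allowed_processes=("telegram.exe",)):
    """Flag proxy log lines in which a process other than an allowed Telegram
    client reaches api.telegram.org. The log format is constructed for this
    example: '<timestamp> <host> <process> <method> <url>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip it
        _ts, host, proc, _method, url = parts[:5]
        if "api.telegram.org" in url and proc.lower() not in allowed_processes:
            hits.append((host, proc, url))
    return hits


# Constructed sample data; the token is a dummy, not a real indicator.
DEMO_TOKEN = "1234567890:" + "AAH" + "x" * 32
SAMPLE_CONFIG = (
    '{"c2":"https://api.telegram.org/bot' + DEMO_TOKEN + '/sendDocument",'
    '"poll":"https://api.telegram.org/bot' + DEMO_TOKEN + '/getUpdates"}'
)
SAMPLE_PROXY_LOG = [
    "2021-04-22T10:01:02Z ws-17 telegram.exe CONNECT api.telegram.org:443",
    "2021-04-22T10:01:05Z ws-17 svc_update.exe POST https://api.telegram.org/bot"
    + DEMO_TOKEN + "/sendDocument",
    "2021-04-22T10:01:09Z ws-03 outlook.exe GET https://outlook.office365.com/",
]

if __name__ == "__main__":
    print(scan_config_blob(SAMPLE_CONFIG))
    print(flag_telegram_egress(SAMPLE_PROXY_LOG))
```

The same token regex can be dropped into a YARA or DLP rule; the egress check is the part worth wiring into proxy or EDR alerting, since legitimate hosts rarely have non-client processes calling the Bot API.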