Security researchers have discovered that Telegram’s popularity as an end-to-end encrypted messaging platform (opens in new tab) has also made it popular with threat actors.
In a new report (opens in new tab), Omer Hofman of cybersecurity company Check Point (opens in new tab) explains that malware (opens in new tab) authors are increasingly using Telegram as a ready-made command and control (C&C) system for their malicious activities, since it offers several advantages compared to conventional web-based malware administration.
Interestingly, Telegram (opens in new tab) isn’t the only white-label encryption tool that’s been repurposed by threat actors. A recent Sophos research revealed that malware operators are increasingly shifting to encrypted communications protocols (opens in new tab) as well as legitimate cloud services to evade detection.
We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.
>> Click here to start the survey in a new window (opens in new tab)<<
- Protect your devices with these best antivirus software (opens in new tab)
- Here are the best firewall (opens in new tab) apps and services
- Here’s our collection of the best disaster recovery services (opens in new tab)
In his analysis, Hofman notes that Telegram was first used as a malware C&C server in 2017, by operators of the Masad strain. This group is said to have been the first to realize the benefits of using a popular instant messaging service as an integral part of attacks.
Since then, Hofman says, researchers have discovered dozens of malware strains that use Telegram to assist with their malicious activities. Surprisingly, these are offered in a ready-to-weaponize state and are hidden in plain sight in public GitHub repositories.
Over the past three months, Check Point has observed over a hundred attacks that use a new multi-functional remote access trojan (RAT) called ToxicEye, spread via phishing emails that contain a malicious executable.
ToxicEye is also managed by attackers over Telegram, which it uses to communicate with the C&C server and siphon off stolen data.
Hofman’s analysis of ToxicEye reveals that its authors have embedded a Telegram bot into its configuration file. Once a victim has been infected, the bot helps connect the user’s device back to the attacker’s C&C via Telegram.
The bot has been observed to steal data, deploy a keylogger, record audio and video, and can even be made to function like ransomware (opens in new tab), encrypting files on a victim’s machine.
Worryingly, Hofman notes that the use of Telegram for such malicious purposes is only going to rise.
“Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” he concludes.
Telegram did not respond immediately to our request for comment.
- These are the best endpoint protection tools (opens in new tab)