Telegram, once synonymous with secure messaging, has paradoxically become a tool for cybercriminals who exploit the platform’s strengths to target unsuspecting websites.
Initially celebrated for its commitment to user privacy and security, Telegram is now being misused in ways its creators never intended: as a conduit for controlling malware-infected websites.
The Misuse of Telegram in Website Malware
According to the Sucuri blog, Telegram’s versatility as a messaging app is undisputed, offering numerous features that cater to both privacy and flexibility. Unfortunately, these qualities have attracted cybercriminals.
Attackers often use Telegram to receive notifications about the status of their malware. Once a website is compromised, a Telegram bot can alert the attacker and provide real-time updates about the infected site. This includes alerts when new data is captured, additional malware is successfully implanted, or an administrator interacts with the infected parts of the website.
Data Exfiltration
Telegram bots are frequently configured to exfiltrate stolen data directly to the attacker’s Telegram account. This can include sensitive user information, login credentials, and financial data. The speed and encryption of Telegram ensure that this stolen data is moved quickly and covertly, often bypassing traditional security measures designed to monitor and block suspicious data flows.
Traditionally, malware requires a command and control (C&C) server to receive updated commands and manage infected systems. Telegram provides a stealthier alternative. Through simple messages, attackers can command their deployed malware to download additional components, spread to other network parts, or even initiate a denial-of-service attack. Telegram simplifies the infrastructure required for such operations and reduces the risk of exposing C&C servers to law enforcement and cybersecurity experts.
Telegram’s strong encryption and privacy policies make tracing these activities back to their perpetrators difficult. Attackers hide behind a veil of anonymity, complicating efforts by law enforcement and researchers to track and neutralize threats.
Case Studies
Case Study 1: Monitoring and Notification System
Attackers use Telegram bots to receive real-time notifications about their malware’s status on compromised websites. The malware uses a bot to authenticate via Telegram’s bot_token and then uses chat_id to send the website’s URL, name, and admin email address to a specific chat room where the attacker can collect and use those details.
Case Study 2: Phishing for Credit Card Details
Attackers often use malicious PHP scripts on compromised websites to harvest and send stolen credentials and sensitive data to their servers. Recently, there has been a surge in the use of the Telegram API for data exfiltration. In one instance, a phishing page mimicking DHL, a global courier service, used a Telegram bot to send stolen data to the attacker through a Herokuapp-hosted service.
Case Study 3: Phishing for Login Credentials
Attackers exploited the Telegram API to facilitate a phishing scam, creating a mailer script that used Telegram to transmit stolen data such as addresses, emails, mobile numbers, and IP addresses directly to the attacker. The most frequently detected phishing script with Telegram exfiltration was found in telegram_bot.php files inside various phishing sub-directories.
Case Study 4: Server-side Data Exfiltration
Attackers continually find ingenious ways to steal data from compromised websites. In one notable example, malicious code injected into the wp-login.php file on a WordPress site captured login credentials and sent the stolen data to a Telegram bot.
Why Telegram Attracts Cybercriminals
While other messaging apps like WhatsApp and Signal also offer encryption, Telegram’s unique features make it particularly appealing to bad actors:
- Telegram’s API is more accessible and allows more extensive automation of functions, making it easier for attackers to deploy bots.
- Telegram offers greater anonymity than other platforms, which require a phone number linked directly to a user.
- WhatsApp and Signal encrypt messages but do not offer the same level of anonymity or API flexibility, which are key for orchestrating and managing cyberattacks without revealing identity.
Addressing the Threat
To detect and protect against Telegram-based malware, website administrators can adopt several strategies:
- Regularly analyze network traffic for any connections to Telegram API endpoints, which could signal unauthorized use.
- Check server logs for unusual activities, such as unexpected outgoing connections or unusual data payloads being sent.
- Install advanced website security monitoring that uses anomaly detection algorithms to flag and identify unusual behavior.
- Use a web application firewall and intrusion detection system (IDS) to identify and mitigate threats.
- Regularly keep all systems and software patched with the latest updates to close vulnerabilities that attackers could exploit.
While Telegram is well-known for its secure messaging capabilities, bad actors are exploiting its features to conduct sophisticated attacks on websites. Companies like FireXCore are dedicated to addressing these cybersecurity challenges, seeking ways to prevent abuse of platforms like Telegram without impacting their core principle of privacy.
