{"id":66273,"date":"2024-05-31T10:44:26","date_gmt":"2024-05-31T10:44:26","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=66273"},"modified":"2024-05-31T10:44:58","modified_gmt":"2024-05-31T10:44:58","slug":"telegram-know-secure-messaging","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/telegram-know-secure-messaging\/","title":{"rendered":"Telegram Know For Secure Messaging, Now Became A Tool For Cybercriminals"},"content":{"rendered":"\n

Telegram, synonymous with secure messaging, has paradoxically become a tool for cybercriminals who abuse the platform’s strengths to target unsuspecting websites.<\/a><\/p>\n\n\n\n

Once known for its commitment to user privacy and security, this popular messaging platform is now used in ways its creators never intended: as a conduit for controlling malware-infected websites.<\/p>\n\n\n\n

The Misuse of Telegram in Website Malware<\/strong><\/h2>\n\n\n\n

According to the Sucuri blog<\/a>, Telegram\u2019s versatility as a messaging app is undisputed: the app has numerous features that cater to both privacy and flexibility.<\/p>\n\n\n\n

However, these qualities have attracted a less savory user base \u2014 cybercriminals.<\/p>\n\n\n\n

One of the primary ways attackers use Telegram is to receive notifications about the status of their malware. <\/p>\n\n\n\n

Once a website is compromised, a Telegram bot can alert the attacker and provide real-time updates about the infected site.<\/p>\n\n\n\n

This includes alerts when new data is captured, additional malware is successfully implanted, or an administrator interacts with the infected parts of the website.<\/p>\n\n\n\n

Data Exfiltration<\/strong><\/h2>\n\n\n\n

Telegram bots are often configured to exfiltrate stolen data directly to the attacker\u2019s Telegram account. <\/p>\n\n\n\n

This can include sensitive user information, login credentials, and financial data. <\/p>\n\n\n\n

All-in-One Cybersecurity Platform<\/strong> for MSPs to provide full breach protection with a single tool, Watch a Full Demo<\/a><\/code><\/p>\n\n\n\n

The speed and encryption of Telegram ensure that this stolen data is moved quickly and covertly, often bypassing traditional security measures designed to monitor and block suspicious data flows.<\/p>\n\n\n\n

Traditionally, malware requires a command and control (C&C) server to receive updated commands and to manage the infected systems. Telegram provides a stealthier alternative. <\/p>\n\n\n\n

Through simple messages, attackers can command their deployed malware to download additional components, spread to other network parts, or even initiate a denial-of-service attack.<\/p>\n\n\n\n

Telegram simplifies the infrastructure required for such operations and reduces the risk of exposing the C&C servers to law enforcement and cybersecurity experts.<\/p>\n\n\n\n

Telegram\u2019s strong encryption and privacy policies mean tracing these activities back to their perpetrators is difficult.<\/p>\n\n\n\n

Attackers hide behind the veil of anonymity, complicating efforts by law enforcement and researchers to track and neutralize threats.<\/p>\n\n\n\n

Last year, our research team found numerous malware infections leveraging Telegram in their website attacks. <\/p>\n\n\n\n

We cleaned over 11,000 malicious files from over 290 infected websites related to this malware.<\/p>\n\n\n\n

Case Studies<\/strong><\/h2>\n\n\n\n

Case Study 1: Monitoring and Notification System<\/strong><\/p>\n\n\n\n

We occasionally find attackers using Telegram<\/a> bots to receive real-time notifications about their malware\u2019s status on compromised websites, including alerts on new data capture, additional malware implants, and administrator interactions.<\/p>\n\n\n\n

\"Telegram
Telegram monitoring and notification system<\/figcaption><\/figure>\n\n\n\n

The malware uses a bot to authenticate via Telegram\u2019s bot_token and then uses chat_id to send the website\u2019s URL, name, and admin email address to a specific chat room where the attacker can collect and use those details.<\/p>\n\n\n\n

Case Study 2: Phishing for Credit Card Details<\/strong><\/p>\n\n\n\n

Attackers often use malicious PHP scripts on compromised websites to harvest and send stolen credentials and sensitive data to their servers. <\/p>\n\n\n\n

However, due to its encrypted messaging service, we\u2019ve recently seen a surge in the use of the Telegram API for data exfiltration.<\/p>\n\n\n\n

\"Fake
Fake DHL Phishing – Credit Card Form<\/figcaption><\/figure>\n\n\n\n

During an investigation, we encountered a phishing page mimicking DHL, a global courier service. <\/p>\n\n\n\n

The fake page was designed to look like a legitimate DHL tracking page with similar colors, fonts, and styles.<\/p>\n\n\n\n

Whenever a form submission occurs on any of the steps, JavaScript gathers the data and sends it to the Telegram bot through a Herokuapp-hosted service.<\/p>\n\n\n\n

This approach allows the attackers to leverage the legitimate Roku service to avoid detection, marking a sophisticated evolution in phishing techniques.<\/p>\n\n\n\n

Case Study 3: Phishing for Login Credentials<\/strong><\/p>\n\n\n\n

In another recent example, attackers exploited the Telegram API to facilitate a phishing scam. <\/p>\n\n\n\n

They created a mailer script that used Telegram to transmit stolen data such as addresses, emails, mobile numbers, and IP addresses directly to the attacker.<\/p>\n\n\n\n

\"Telegram
Telegram monitoring<\/figcaption><\/figure>\n\n\n\n

The most frequently detected phishing script with Telegram exfiltration was found in telegram_bot.php files inside various phishing sub-directories. <\/p>\n\n\n\n

This method of communication streamlines the process of collecting and exploiting sensitive user information and allows the attacker to get instant notifications so they can use the stolen credentials before any suspecting user has a chance to change them or their organization detects any suspicious activity.<\/p>\n\n\n\n

Case Study 4: Server-side Data Exfiltration<\/strong><\/p>\n\n\n\n

Attackers are continually finding ingenious ways to steal data from compromised websites. <\/p>\n\n\n\n

In recent years, attackers have been exploiting communication systems like the Telegram API for data exfiltration from the website\u2019s server.<\/p>\n\n\n\n

This allows attackers to send stolen data<\/a> directly to a bot, making detection more challenging and providing real-time access to the compromised information.<\/p>\n\n\n\n

\"Malware
Malware injected in wp-login PHP file on WordPress site<\/figcaption><\/figure>\n\n\n\n

One notable example involves an attack on a WordPress site where malicious code was injected into the wp-login.php file. <\/p>\n\n\n\n

This code captured login credentials each time a user attempted to log in and sent the stolen data to a Telegram bot.<\/p>\n\n\n\n

While other messaging apps like WhatsApp and Signal also offer encryption, Telegram\u2019s unique features make it particularly appealing to bad actors:<\/p>\n\n\n\n