Threat actors reportedly leverage Discord and Telegram bots to spread malware and steal sensitive data from victims. Most of the attacks observed by researchers in this campaign were targeted against two of the most popular gaming platforms, Roblox and Minecraft.
For instance, Discord's content delivery network (CDN) has been used to host malware strains because the platform does not enforce strict controls on file hosting: attachment links can be downloaded by anyone, without authentication, which gives cybercriminals a trusted-looking domain from which to serve malicious payloads.
Discord and Telegram bots are normally used for playing games, sharing data, and moderating channels for content monitoring, but several threat actors have taken advantage of them to deliver malware.
According to researchers, malware strains spotted on Discord's CDN include SmokeLoader, Raccoon Stealer, PrivateLoader, AutoHotkey, and DiscoLoader, among others. Threat actors also used Trojan variants to compromise devices and systems and steal data from victims, including passwords, banking data, cryptocurrency wallets, browser sessions, bookmarks, autofill data, VPN logins, and Microsoft Windows product keys.
The experts noted that using bots from social platforms, like Discord and Telegram, to spread malware had long been a practice in the cybercriminal landscape. Numerous reports have already been published regarding the two popular platforms being exploited in launching cyberattacks.
Aside from using social platforms for malware propagation, reports reveal that cybercriminals also use them as command-and-control (C2) infrastructure. The bots on these platforms give malware operators a convenient channel for exchanging the messages their operations depend on.
For example, the Blitzed Grabber malware uses Discord webhooks, the platform's automated messaging feature, to transmit stolen data, while the Xfiles malware lets its operators issue commands through Telegram, such as stealing data and forwarding the collected information to any Telegram channel.
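Both abuse patterns described above, payload hosting on Discord's attachment CDN and data exfiltration or command traffic through Discord webhooks and the Telegram Bot API, leave a visible footprint in outbound web traffic. The following Python script is an added detection example, not code from the article or from any of the malware families it names. It scans a constructed proxy log (the five-field line format is an assumption for this example, as are the IP addresses, attachment IDs and placeholder tokens) and flags three things: executable downloads from Discord attachment URLs, POSTs to Discord webhook endpoints, and any request to a Telegram bot endpoint. Webhook and bot tokens are redacted in the findings so they can be shared without leaking credentials that grant access to the attacker's channel.

```python
import re
from urllib.parse import urlparse, urlunparse

# Hosts and paths the article describes as abused. The URL shapes below are the
# public formats of Discord attachments, Discord webhooks and the Telegram Bot API.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
DISCORD_API_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
TELEGRAM_API_HOST = "api.telegram.org"

# File types worth flagging when fetched from a chat platform's CDN.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs",
                      ".js", ".jar", ".msi", ".zip", ".rar", ".7z")

WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
TELEGRAM_BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/")


def redact(url):
    """Mask webhook and bot tokens so findings can be shared safely."""
    p = urlparse(url)
    path = WEBHOOK_PATH_RE.sub(r"/api/webhooks/\1/<redacted>", p.path)
    path = TELEGRAM_BOT_PATH_RE.sub(r"/bot\1:<redacted>/", path)
    return urlunparse(p._replace(path=path))


def classify(method, url):
    """Return a rule name if the request matches an abuse pattern, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path
    if (host in DISCORD_CDN_HOSTS and path.startswith("/attachments/")
            and path.lower().endswith(PAYLOAD_EXTENSIONS)):
        return "discord-cdn-payload-download"
    if host in DISCORD_API_HOSTS and method == "POST" and WEBHOOK_PATH_RE.match(path):
        return "discord-webhook-exfil"
    if host == TELEGRAM_API_HOST and TELEGRAM_BOT_PATH_RE.match(path):
        return "telegram-bot-api-c2"
    return None


def scan_proxy_log(text):
    """Parse '<timestamp> <client> <method> <url> <status>' lines (assumed format)
    and return one finding per line that matches a rule."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, method, url, _status = parts
        rule = classify(method.upper(), url)
        if rule:
            findings.append({"time": ts, "client": client, "rule": rule, "url": redact(url)})
    return findings


# Constructed sample log: IDs and tokens are placeholders, not real values.
LOG_LINES = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.exe 200
2024-05-01T10:00:09Z 10.0.0.5 POST https://discord.com/api/webhooks/333333333333333333/EXAMPLEWEBHOOKTOKEN 204
2024-05-01T10:01:15Z 10.0.0.7 POST https://api.telegram.org/bot000000000:EXAMPLEBOTTOKEN/sendDocument 200
2024-05-01T10:02:30Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/111111111111111111/444444444444444444/screenshot.png 200
2024-05-01T10:03:00Z 10.0.0.9 GET https://discord.com/channels/@me 200
"""

if __name__ == "__main__":
    for f in scan_proxy_log(LOG_LINES):
        print(f"{f['time']} {f['client']} {f['rule']} {f['url']}")
```

The image download on the fourth line and the ordinary client traffic on the fifth are left alone, so the rules stay quiet on legitimate Discord use. In a real deployment the CDN rule is the noisiest of the three (users do share archives), so it is best treated as a hunting lead, while a workstation POSTing to a webhook or a bot endpoint it has never contacted before is a much stronger signal.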
One-time passwords (OTPs) are also at risk, since bots can be used to steal them from users. With a few simple commands, threat actors can control a bot directly through Telegram's interface, and some employ more sophisticated tactics to steal authentication codes from users and break into their accounts.