There have been multiple cases of hackers leveraging Facebook Messenger and WhatsApp, and now Telegram is becoming a preferred target for hackers as evident by the increasing number of abuse cases on the service. Taking advantage of tools and services that are used specifically for communication is not a new trend but is affecting more and more legitimate apps, with Telegram attracting more attention from crooks of all form and proportion.
Why Are Hackers Leveraging Telegram?
Two main reasons:
- For spreading malware and pirated content;
- As a communication channel.
А couple of years ago Christopher Budd of Trend Micro’s Global Threat Communications said that “a simple Google search for ‘hack messaging apps’ brings up more than a million hits, the first of which are how-to guides for targeting these applications and infiltrating them in order to steal information“.
Why are malicious actors using messengers like Telegram for their operations? There are two main reasons for that shift. One is that several popular Dark Web market places such as Hansa Market and Alpha Bay are no longer available. And the second reason is the end-to-end encryption offered by Telegram:
Telegram’s special secret chats use end-to-end encryption, leave no trace on our servers, support self-destructing messages and don’t allow forwarding. On top of this, secret chats are not part of the Telegram cloud and can only be accessed on their devices of origin.
Security researchers have indeed spotted an increase in cybercriminals leveraging Telegram to communicate in a secure and efficient manner. In addition to employing Telegram for communication, criminals have also taken advantage of its API in specific malware distribution campaigns.
A security report recently outlined that cybercriminals are using hosted chat groups on Telegram known as ‘channels’ to broadcast messages to an unlimited number of subscribers. It should be noted that, while the chat messaging history can be viewed publicly, responses to public messaging can be done in a private manner giving cybercriminals more opportunities to conceal their activities. In other words, the messenger enables criminals to have end-to-end encrypted communication while keeping their identities hidden. Interestingly, it turned out that dark web conversations left criminals’ communications exposed.
In these channels, security researchers observed illegal job offers that were color coded with jobs that are dangerous and likely to entail legal risks marked as black, with less threatening jobs marked as gray or white, the report revealed. In addition, advertisements for the sale of stolen documents and hacking tools were also detected. We will provide further details on this later in the article.
Malicious Activities Associated with Telegram
Telegram Exploited in Cryptocurrency Mining Operations
In February, Kaspersky Lab researchers reported a zero-day flaw discovered in the Telegram Desktop app that could be used as an intermediary for hackers wishing to mine Zcash, Fantonmoin, and Monero.
“In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service,” the researchers said in their report.
It turned out that the bug has been leveraged in active attacks for at least a year. When successfully exploited, the hackers were able to install a backdoor on compromised hosts via the Telegram API as a command and control protocol, meaning that remote access was granted.
What is more troublesome is that researchers found several scenarios of how the Telegram zero-day could be leveraged. In addition to dropping malware and spyware on infected computers, the flaw was also used to deliver mining software. The researchers also believe that there are more ways to build an attack based on the vulnerability.
Telegram API Exploit by Android Trojan
TeleRAT is the name of the latest Android Trojan that was discovered by researchers at Palo Alto Networks. The Trojan is designed to use Telegram Bot API for communication with its command and control server with the purpose of exfiltrating data.
The malware appears to be created in Iran, or is at least targeting individuals from that country. There are quite a few similarities the researchers found between TeleRAT and IRRAT Trojan, which was also abusing Telegram’s bot API for its communications.
Telegram and WhatsApp Abused to Deliver Malicious Files
Last year an attack was discovered that could be used against WhatsApp and Telegram. The attack carried out by Check Point researchers was based on the way both services process images and multimedia files. It turns out that Telegram is far more difficult to be exploited based on this vulnerability in comparison with WhatsApp. More specifically, the attack against Telegram Web was based on the same idea, but had very different implications for the end user, as clarified by Telegraph.
In the WhatsApp case, Check Point was able to craft a malicious image that would appear normal in preview, but would direct users to a malicious HTML page. Once loaded, the page would retrieve all locally stored data, allowing attackers to efficiently hijack the target’s account.
“By simply sending an innocent-looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user,” Oded Vanunu, head of product vulnerability research at Check Point, explained about the possible attack scenario.
The vulnerability was reported to both services on March 8th last year, and both services changed their file upload validation protocols to safeguard their users against the attack.
Telegram Abused for Malicious Communications
Until the downfall of several infamous Dark Web market places and forums, several steps via the TOR platform were only needed to guarantee an anonymous connection to the Dark Web. However, nowadays things are far easier as any Telegram user can simply join specific channels even on their mobile device, while being completely anonymous.
Some such channels were uncovered by Check Point researchers – such as Dark Jobs, Dark Work and Black Markets, among others. As the names of channels suggest, message exchanges are about illicit job offers and they are color coded. If a job posted in such a channel is dangerous and likely to entail legal risks, it would be marked as ‘black’, whereas less threatening jobs are marked as ‘gray’ or ‘white’, Check Point explained.
However, it should be noted that such channels are not restricted to recruiters and job seekers.
Advertisements for the sale of stolen documents or hacking tools can also be found within these Telegram communications. This fact alone is quite troublesome, considering the accessibility of the channels and the promises of high salaries made to individuals who typically avoid such offers or have no way to reach underground markets. This particular abuse of a service such as Telegram increases the risk of cybercrime growth as the ease of finding such a job becomes bigger even for inexperienced users.
In addition, other illegitimate services in some of Telegram’s darker channels include forging IDs, passports, banking and legal documents. The author of one of the posts even claimed to have connections inside the Russian Traffic Police Department and to be able to issue or update driving licenses of all categories, Trend Micro reported.
Telegram Abused for Piracy
According to The Outline, for much of its existence Telegram has served as a haven for online pirates, granting them the access to illegally shared files provided by the open Internet.
The instant messaging platform, which as of last month is used by more than 200 million users, is riddled with thousands of groups and channels whose sole purpose of existence is to share illegally copied movies, music albums, apps, and other content, the media said.
Apparently, Channel admins haven’t met any resistance from Telegram despite the company’s “zero tolerance” stance on copyright infringement. This indulgence on Telegram’s part has led to the increase of piracy marketplaces on the service.
It appears that these piracy channels, many of which have more than 100,000 members, have been illegally distributing hundreds of movies, television shows, and songs for years, an analysis by The Outline recently discovered. Despite the scope of the piracy issue, Telegram is yet to acknowledge it and has banned only a small number of the offenders.
How does the piracy scheme work?
To understand the scale of Telegram’s piracy issue, look no further than Global Search, a platform feature that is designed to help users discover groups and channels. Looking up innocuous terms such as “movies,” “Hollywood,” “music,” and “Netflix” returns channels that offer content for direct download. For instance, Telegram users who wish to download “Annihilation,” the sci-fi movie that premiered on Netflix earlier this year, can do so by visiting the first channel that appears when they look up “Netflix” in Global Search results.
Telegram is needed a convenient service with plenty of channels. However this convenience also enables malicious actors to take part in cybercrime by allowing them to communicate securely and anonymously. Telegram has been abused as a communication vessel to deliver malware and to spread pirated content across users globally. Telegram and similar applications have indeed become an important part of users but they have also provided cybercriminals with yet another way to proliferate.
Through the use of such encrypted apps, access to malware has become more easier than ever, personal documents and certificates can be distributed to unknown destinations, and pirated content can be spread flawlessly. It seems that Telegram has a lot to do to keep its service away from the hands of ill-intended individuals, if that’s at all possible.