Slack, Telegram and Other Chat Apps Being Used as Malware Control Channels
Third party chat platforms like Slack, Discord, and Telegram are in risk as cybercriminals utilize them to create command-and-control (C&C) infrastructure for malware functions.
Researchers at Trend Micro took a closer look at platforms including conversation programs, self-hosted chat clients, and social networks to see whether their program programming interfaces (APIs) could be turned into C&C infrastructure. API refers to definitions, protocols, and tools that a program uses to interact and perform specific tasks.
Companies are ramping up adoption of tools like Slack, which is in use among 77% of Fortune 100 companies, for a couple of key reasons, they’re free of charge and include API components so users can integrate core discussion services with custom programs. Employees can channel their communication through one software rather than juggle different software.
While free and convenient, these externally hosted tools let hackers operate undiscovered. The same API that permits communication can be turned into a C&C infrastructure to control malware.
“They’re using legitimate services s a method of communicating with their malware and their campaigns against victims, says Mark Nunnikhoven, VP of cloud research at Trend Micro. “Once they have already infected your laptop, they’re going to want to make certain they can send it updates, add commands, and get data off your system. ”
The concept of assailants exploiting chat platforms just isn’t new. Hackers during the past used Internet Relay Chat (IRC) to communicate with malware, but IRC uses rejected as IT admins halted allowing IRC traffic within the enterprise. Hackers experienced to find new ways to run C&C server.
Modern chat services like Discord and Slack let hackers use legitimate domain names to fly under the radar. Attackers don’t need to enter these programs, they simply use their features to control malware they’ve implanted on company networks.
Trend Micro found both Slack and Discord could be used for C&C. Discord was being used to host malware from key generators and cracks to use products and partners. A telegram has been abused by certain variants of KillDisk as well as TeleCrypt, a strain of ransomware.
Nunnikhoven explains how attackers only need to sign up for one of these services and create an account to hook up to their malware. Throughout the chat feature, hackers can communicate with malware to request access to a user directory, email, or other information.
Attackers who operate via third-party conversation systems are generally attempting to steal information or expand their footprint within the organization. Once they gain entry, they may try to broaden their reach as quickly as possible.
“If you’re one of one hundred different systems, they can use your system as an attacking point of some in the network, ” he says. “If those systems are configured similarly, they can send messages to share with your laptop to attack other devices. ”
This type of attack is especially dangerous because it allows hackers react. Ransomware, for example, looks for specific file types and functions on its own. Generally, there isn’t as much connection on the part of threat actors.
“When we see malware used in the command-and-control scenario, assailants can step in and themselves and become far more ruthless because you will find a person behind it, ” says Nunnikhoven. “They can send commands, send virtual problems to do far more damage.
This C&C infrastructure also dangerous because it’s difficult to differentiate the legitimate use of conversation programs from malicious activity. Security teams need to look at patterns in the data and do a deeper level of inspection, to find if something is wrong.
Businesses need to be aware of how hackers are taking good thing about social programs. Trend Micro also found threat actors are mistreating Twitter and Facebook, as well as services HipChat and Matter most. Malicious activity extends to other social applications as well. Just recently, 3 men in Philadelphia were charged in a bank fraud scheme that used Instagram of stealing $50, 000 from financial organizations.
Nunnikhoven advises businesses to stay secure by using strong endpoint protection, antivirus, and antimalware to prevent infection in the first place. He also suggests strong outbound network control to verify whether traffic is legitimate.
This will not mean your team should stop using services like Slack or HipChat, this individual continues, because they are communications boost for employees. It simply means you must know their benefits and drawbacks.