Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/6/2017
02:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Slack, Telegram, Other Chat Apps Being Used as Malware Control Channels

Cybercriminal are abusing third-party chat apps as command-and-control infrastructures to spread their malware.

Third-party chat platforms like Slack, Discord, and Telegram are at risk as cybercriminals use them to create command-and-control (C&C) infrastructure for malware operations.

Researchers at Trend Micro took a closer look at platforms including chat programs, self-hosted chat clients, and social networks to see whether their application programming interfaces (APIs) could be turned into C&C infrastructure. API refers to definitions, protocols, and tools that a program uses to interact and perform specific tasks.

Businesses are ramping up adoption of tools like Slack, which is in use among 77% of Fortune 100 companies, for a couple of key reasons: they're free of charge and include API components so users can integrate core chat services with custom apps. Employees can channel their communication through one app instead of juggling different software.

While free and convenient, these externally hosted tools let hackers operate undetected. The same API that enables communication can be turned into a C&C infrastructure to control malware.

"They're using legitimate services as a way of communicating with their malware and their campaigns against victims," says Mark Nunnikhoven, VP of cloud research at Trend Micro. "Once they've infected your laptop, they're going to want to make sure they're able to send it updates, add commands, and get data off your system."

The idea of attackers exploiting chat platforms isn't new. Hackers in the past used Internet Relay Chat (IRC) to communicate with malware, but IRC use declined as IT admins stopped allowing IRC traffic within the enterprise. Hackers had to find new ways to run C&C servers.

Modern chat services like Discord and Slack let hackers use legitimate domains to fly under the radar. Attackers don't need to break into these apps; they simply use their features to control malware they've implanted on corporate networks.

Trend Micro found both Slack and Discord could be used for C&C. Discord was being used to host malware from key generators and cracks to exploit kits and partners. Telegram has been abused by certain variants of KillDisk as well as TeleCrypt, a strain of ransomware.

Nunnikhoven explains how attackers need only to sign up for one of these services and create an account to connect to their malware. Through the chat feature, hackers can communicate with malware to request access to a user directory, email, or other information.

Attackers who operate via third-party chat systems are primarily trying to steal information or expand their footprint within an organization. Once they gain entry, they will try to broaden their reach as quickly as possible.

"If you're one of one hundred different systems, they can use your system as an attacking point of other systems in the network," he says. "If those systems are configured similarly, they can send messages to tell your laptop to attack other devices."

This form of attack is particularly dangerous because it lets hackers react. Ransomware, for example, looks for specific file types and acts on its own. There isn't as much interaction on the part of threat actors.

"When we see malware used in the command-and-control scenario, attackers can step in and themselves and be far more ruthless because there's a person behind it," says Nunnikhoven. "They can send commands, send virtual attacks to do far more damage.

This C&C infrastructure is also dangerous because it's difficult to distinguish legitimate use of chat apps from malicious activity. Security teams need to look at patterns in the data, and do a deeper level of inspection, to detect if something is wrong.

Businesses need to be aware of how hackers are taking advantage of social platforms. Trend Micro also found threat actors are abusing Twitter and Facebook, as well as services HipChat and Mattermost. Malicious activity extends to other social applications as well. Just recently, three men in Philadelphia were charged in a bank fraud scheme that used Instagram to steal $50,000 from financial organizations.

Nunnikhoven advises businesses to stay secure by using strong endpoint protection, antivirus, and antimalware to prevent infection in the first place. He also recommends strong outbound network control to verify whether traffic is legitimate.

This doesn't mean your team should stop using services like Slack or HipChat, he continues, because they are a communications boost for employees. It simply means you need to understand their benefits and drawbacks.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GabrielaMangini
50%
50%
GabrielaMangini,
User Rank: Apprentice
6/7/2017 | 11:36:36 AM
Just another reason why to use encrypted Messengers
People finally should switch to messengers which are end 2 end encrypted. It think this way it must be a lot harder to use the channels as a way of transporting data. Personally I use Threema which is not very commonly use what means that most likely there is no malware developed. 
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We are really excited about our new two tone authentication system!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4126
PUBLISHED: 2020-12-01
HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.
CVE-2020-4129
PUBLISHED: 2020-12-01
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.
CVE-2020-9115
PUBLISHED: 2020-12-01
ManageOne versions 6.5.1.1.B010, 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, ,6.5.1.1.B050, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug-in component. Due to insufficient input validation of ...
CVE-2020-9116
PUBLISHED: 2020-12-01
Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft specific request to exploit this vulnerability. Due to insufficient verification, this could be exploited to cause the attackers to obtain higher privilege.
CVE-2020-14193
PUBLISHED: 2020-11-30
Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The ...