Trend Micro researchers put the popular chat and social networking platforms Slack, Discord, Telegram, HipChat, Mattermost, Facebook, and Twitter under the microscope to see whether attackers can use them for malicious purposes such as malware hosting and control, bitcoin mining, data interception, and so on. Let's look at what the survey found.
According to Trend Micro, several popular instant messaging services and applications such as Slack, Discord, and Telegram can be abused by malicious actors and turned into malware command-and-control (C&C) infrastructure.
As it turns out, threat actors can be very creative when it comes to command-and-control (C&C) communications. Several hacking groups resort to Twitter, and, as recently became known, a hacking group linked to Russia concealed C&C server addresses in comments posted on Britney Spears' Instagram account.
Trend Micro researchers examined several popular chat platforms and found that many of them can be abused by cybercriminals, and several are already being used for malicious activity. These applications are attractive to cybercriminals because they are widely used for legitimate purposes, which makes malicious traffic harder to spot.
The experts analyzed the Slack collaboration tool, the Discord application aimed mainly at gamers, the privacy-oriented messenger Telegram, the HipChat messaging platform, Mattermost (an open-source alternative to Slack), Twitter and Facebook.
Platforms of this type typically provide API components that allow interaction with third-party apps and services (e.g., synchronizing a user's calendar so that notifications arrive directly in the platform's interface).
In the case of Slack, the researchers concluded that the platform could be turned into a C&C server, although this is not very practical for large amounts of data, as there is a 5GB upload limit.
The experts created a PoC demonstrating how Slack can be abused to send commands to a bot for listing directories, uploading files and executing system commands, as well as capturing screenshots and uploading them to Slack.
Trend Micro has also detected suspicious files that interact with Slack, as well as malicious Android apps that exploit Slack to intercept information and transmit it to attackers.
As for Discord, the researchers found that the platform is being used to host malware, including key generators, cracks, exploit kits and injectors. The platform is also used for malicious Bitcoin-mining activity and for malware targeting users of the Roblox online platform.
Telegram, although it requires a valid phone number to create an account, was also found to be vulnerable. A PoC created by Trend Micro shows that the platform can be abused to run commands on an infected system and to intercept data. Telegram has also been abused by the TeleBot backdoor and the Telecrypt ransomware.
The HipChat API was also found to provide the functionality a malicious C&C server would need, while Mattermost appears to be the least appealing to attackers. Facebook can also be abused, as recently demonstrated by Zone13 experts, but Trend Micro points out that the social network has good mechanisms for detecting suspicious activity in its users' accounts.
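Because the report's point is that C&C traffic to these platforms hides among legitimate use, one practical defensive check is to look at who is calling the platforms' APIs rather than whether they are called at all. The script below is an added example, not code from the Trend Micro report: it parses constructed proxy-log lines, picks out requests to the Slack, Telegram bot and Discord API endpoints, and flags internal hosts that repeatedly hit them with a user agent that is not one of the expected clients (the log format, the user-agent allowlist and the threshold are assumptions to be adapted to a real environment).

```python
import re
from collections import Counter

# API endpoints of the chat platforms named in the report. Paths are an
# assumption for this example; check them against the platforms' docs.
CHAT_API_PATTERNS = {
    "slack":    re.compile(r"^slack\.com/api/"),
    "telegram": re.compile(r"^api\.telegram\.org/bot"),
    "discord":  re.compile(r"^discord(app)?\.com/api/"),
}
# Constructed allowlist of user agents we expect to talk to these APIs
# (browsers and the official desktop clients); tune from your own baseline.
EXPECTED_UA = re.compile(r"(Mozilla/|Slack_SSB|Discord/|Telegram)")

# Assumed proxy log layout: ts src "METHOD url" status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) https?://(?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Name the chat platform whose API the request targets, or None."""
    for name, pat in CHAT_API_PATTERNS.items():
        if pat.match(rec["url"]):
            return name
    return None

def find_suspicious(lines, threshold=3):
    """Return {(src, platform): count} for chat-API calls made with an
    unexpected user agent that repeat at least `threshold` times per host."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        platform = classify(rec)
        if platform and not EXPECTED_UA.search(rec["ua"]):
            counts[(rec["src"], platform)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample log: one host polls the Telegram bot API every 30 s
# from a scripting library, which is the kind of beaconing worth triaging.
SAMPLE_LOG = [
    '2017-06-07T10:00:01Z 10.0.0.5 "GET https://slack.com/api/conversations.history?channel=C01" 200 "Slack_SSB/2.6.0"',
    '2017-06-07T10:00:05Z 10.0.0.9 "POST https://api.telegram.org/bot123456:EXAMPLE/getUpdates" 200 "python-requests/2.18.1"',
    '2017-06-07T10:00:35Z 10.0.0.9 "POST https://api.telegram.org/bot123456:EXAMPLE/getUpdates" 200 "python-requests/2.18.1"',
    '2017-06-07T10:01:05Z 10.0.0.9 "POST https://api.telegram.org/bot123456:EXAMPLE/getUpdates" 200 "python-requests/2.18.1"',
    '2017-06-07T10:01:10Z 10.0.0.7 "GET https://discordapp.com/api/v6/users/@me" 200 "Discord/0.0.1"',
    '2017-06-07T10:02:00Z 10.0.0.12 "GET https://slack.com/api/files.upload" 200 "curl/7.52.1"',
]

if __name__ == "__main__":
    for (src, platform), n in find_suspicious(SAMPLE_LOG).items():
        print(f"{src} made {n} {platform} API calls with an unexpected user agent")
```

On the sample data only 10.0.0.9 is flagged; the single curl upload from 10.0.0.12 stays below the threshold, which is the trade-off to revisit when tuning against real logs.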