Telegram has a complicated relationship with malware. Not only do cybercriminals leverage the messaging app to buy and sell a wide variety of malicious hacking tools and programs, they also abuse the platform as a springboard to launch, execute and disseminate their attacks.

In the previous installments, we discussed some of the most popular illicit items bought and sold by cybercriminals on Telegram. Today, we are going to take a closer look at how threat actors use Telegram to facilitate their cybercriminal operations, taking advantage of the messaging app’s secure and anonymous platform to transact a variety of hacking tools and malware.

Malware Discourse on Telegram

The figure below depicts a segmentation of the discourse surrounding malware on Telegram according to each specific malware category:

Figure 1: Malware Discourse on Telegram 2021

As reflected above, the most prominently discussed malware categories within Telegram’s cybercriminal underground are ransomware, keyloggers and trojans. Let’s take a closer look at the content of these discussions.

Ransomware

Ransomware is a form of malware used by cybercriminals to encrypt data stored in their targets’ devices, rendering files entirely inaccessible to the victim unless a ransom is paid. While a significant portion of ransomware discourse on Telegram emanates from ‘black hat’ actors seeking to deploy it for malicious purposes, surprisingly, ransomware is primarily discussed on the platform within the context of actors seeking to help organizations respond to and recover from a ransomware attack.

Figure 2: Distribution of Ransomware Discourse by Intent

The screenshot below shows a post shared in a “white hat” Telegram channel, offering decryption services to help victims recover their data encrypted by cybercriminals using various variants of high-profile ransomware:

Figure 3: Decryption services offered on ‘white hat’ Telegram channel

In contrast, the second example below is a post advertising a large inventory of malware for sale on a separate Telegram channel, offering several different types of ransomware:

Figure 4: Telegram user sells large inventory of malware

 

Remote Access Trojans (RATs)

Remote Access Trojans are malware disguised as legitimate software programs. Once downloaded and run by an unsuspecting victim, the virus infects the system, gaining access to sensitive data and allowing the attacker to then modify, change, or exfiltrate it for malicious purposes. Unlike normal viruses and worms, Trojan viruses are not designed to self-replicate.

In the post below, an anonymous threat actor advertises a RAT for sale, which offers the option to further expand the RATs attack capabilities by adding backdoors to the infected system:

Figure 5: Telegram user selling RAT with capacity to add backdoors into the infected system

Similarly, in this second RAT-related post, another actor advertises Cypher RAT malware for sale, designed to target and control Android devices.

Figure 6: Telegram user sells ‘Cypher RAT’ designed to target Android devices

Telegram’s platform is not only used by threat actors as a medium to buy and sell RAT programs, but also as a means to distribute trojans and infect target devices.

Echelon malware, for example, is a malicious ‘infostealer’ software that abuses the auto-download functionality of many messaging and file-sharing platforms, including Discord, Edge, FileZilla, OpenVPN, Outlook and Telegram, to infect victims’ devices and steal vast quantities of data from the compromised system, including autofill-enabled login information and account credentials for cryptocurrency wallets. Predominantly disseminated via bot through Telegram channels and chats, Echelon constitutes a prime example of cybercriminal exploitation of Telegram’s platform not only as a vector for communication and collaboration, but as a medium through which to execute their attacks.

Like Echelon, the ToxicEye RAT also has a special relationship with Telegram. Since its inception in 2018, ToxicEye has been a highly popular underground commodity, widely shared across the cybercriminal community in dark web forums and messaging channels alike. The RAT is spread via phishing emails containing a malicious .exe file. Upon opening the attachment, ToxicEye installs itself on the victim’s device, allowing the attacker to encrypt, delete, or exfiltrate files and run or terminate applications. ToxicEye is a truly Telegram-native RAT, leveraging the messaging app’s platform as its command and control (c2) server. After harvesting troves of sensitive information, the exfiltrated data is then delivered via the Telegram bot to the attacker’s command center. This innovative use of Telegram as an ‘out-of-the-box’ command and control infrastructure for malware distribution significantly reduces the level of technical expertise and sophistication required to launch such an attack, thereby lowering the barriers to entry for aspiring attackers seeking to break into the malware enterprise.

Keyloggers

Keyloggers are malicious tools designed to record a victim’s keystrokes on an infected device, used to capture sensitive information including passwords, PIN codes, credit card numbers, browsing data, and personal information – all of which can then be used to commit financial fraud, identity theft, account takeover attacks, and various other additional malicious activities. Many keyloggers can be found for sale on Telegram.

In this example below, a Telegram user peddles the source code for a keylogging malware, along with a stealer (data exfiltrator) and clipper (clipboard extractor):

Figure 7: Telegram user advertises all-in-one stealer, clipper and keylogger malware

Similarly, in this second example, an anonymous threat actor advertises the Void Logger keylogging tool for sale, with features including logging keystrokes, browser activity, and passwords:

Figure 8: Telegram user peddles the ‘Void Logger’ keylogging malware

Other Malware

The two final posts below highlight the impressive diversity of malware types available for sale on Telegram. 

In the post depicted below, a threat actor offers a HTTP botnet for sale, called Ro3b. According to the vendor, this botnet facilitates various malicious activities on an infected device, including remote code execution, the exfiltration of credit card information, the deployment of ransomware, and more:

Figure 9: Telegram user advertises Ro3b HTTP botnet for sale

Finally, in the post below, another Telegram user shares a link hosting a pack of hacking tools, including a virus builder, SQL injector, worm generator, port scanner, and several other tools:

Figure 10: Telegram post advertising a pack of hacking tools

Conclusion

The malware transacted on Telegram is as bountiful as it is diverse. Protected by layers of encryption and anonymity, Telegram provides a highly effective platform for cybercriminals to conduct quick and covert transactions to buy and sell a wide variety of malicious programs. However, as illustrated above, Telegram’s relationship with malware is complicated, with threat actors often abusing the messaging app’s platform to actually launch, execute and disseminate their attacks. Indeed, if a researcher wants to fully understand the breadth of malicious tools available on the underground, they ought to pay very close attention to developments on Telegram.