
Popular Chat Platforms Can Serve as C&C Servers: Researchers

Popular chat platforms such as Slack, Discord and Telegram can be abused by malicious actors and turned into command and control (C&C) infrastructure, according to Trend Micro.


Threat actors have been very creative when it comes to C&C communications. Several groups have leveraged Twitter and the Russia-linked group known as Turla was recently spotted hiding the URLs of C&C servers in comments posted on Britney Spears’ Instagram account.

Researchers at Trend Micro have looked at several popular chat platforms and found that many of them can be abused by cybercriminals, and some of them already have been. These applications are attractive to cybercriminals because they are widely used for legitimate purposes, which makes malicious traffic harder to distinguish from normal activity.

Experts analyzed the team collaboration tool Slack, the gaming chat app Discord, the privacy-focused messenger Telegram, the group messaging platform HipChat, the open source Slack alternative Mattermost, Twitter, and Facebook.

The developers of such apps typically provide API components that allow integration with custom and third-party applications (e.g. syncing with the user’s calendar to get notifications on meetings directly in the chat interface).

In the case of Slack, researchers determined that the platform can be turned into a C&C server, but it’s not very practical for exfiltrating large amounts of data given that there is an upload limit of 5 GB.

Experts created a proof-of-concept (PoC) to demonstrate how Slack can be abused to send commands to a bot, including for listing directories, uploading files, executing system commands, and taking screenshots and uploading them to Slack.

Trend Micro has spotted some suspicious files interacting with Slack, but they did not include any malicious routines. Some malicious Android apps have been found to leverage Slack to relay information to attackers, but no threats have been observed abusing the platform to its full potential.


Discord is even less practical for exfiltrating data as the maximum size of file uploads is 8 MB. However, researchers did see malware hosted on the platform, including key generators, cracks, exploit kits and injectors. Discord has also been abused in cybercrime operations involving Bitcoin miners and malware that targets users of the online social gaming platform Roblox.

Telegram has also been abused by cybercriminals, despite the fact that, unlike Slack and Discord, it requires a valid phone number to register an account. A PoC created by Trend Micro for Telegram shows that the platform can be abused for executing commands on the infected system and stealing data. In the wild, Telegram has been leveraged by threats such as the TeleBot backdoor and the Telecrypt ransomware.

HipChat’s API also provides functionality needed for a C&C server, but researchers believe Mattermost is less appealing to attackers. Facebook can be abused, as experts from Zone13 recently demonstrated, but Trend Micro pointed out that the social media platform has good mechanisms in place for detecting suspicious activity on accounts.
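As an added illustration, not part of the article or of Trend Micro's research: the kind of heuristics a defender could run over web proxy logs to surface chat-platform API traffic that behaves like a bot channel (scripted client, tight polling, bulk uploads) rather than a person using the app. The log format, hostnames, user agents and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the article): time|host|user-agent|method|url|bytes_out
SAMPLE_LOGS = [
    "10:00:01|ws-17|Mozilla/5.0 (Windows NT 10.0) Chrome/58.0|GET|https://slack.com/api/conversations.list|512",
    "10:00:05|ws-23|python-requests/2.18.1|GET|https://slack.com/api/conversations.history|300",
    "10:00:06|ws-23|python-requests/2.18.1|POST|https://slack.com/api/files.upload|4200000",
    "10:01:00|ws-42|curl/7.54.0|GET|https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates|200",
    "10:01:05|ws-42|curl/7.54.0|GET|https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates|200",
    "10:01:10|ws-42|curl/7.54.0|GET|https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates|200",
    "10:02:00|ws-08|Discord/0.0.298 Electron|GET|https://discordapp.com/api/v6/gateway|150",
]
# API endpoints of the chat platforms the article names; browsers and official clients use them too.
PLATFORM_API = {
    "slack": re.compile(r"^https://slack\.com/api/"),
    "telegram": re.compile(r"^https://api\.telegram\.org/bot"),
    "discord": re.compile(r"^https://discord(app)?\.com/api/"),
}
EXPECTED_CLIENTS = ("Mozilla/", "Slack/", "Discord/", "Telegram")  # browsers and official clients

def parse_line(line):
    ts, host, ua, method, url, out = line.split("|")
    return {"ts": ts, "host": host, "ua": ua, "method": method, "url": url, "bytes_out": int(out)}

def platform_for(url):
    return next((name for name, pat in PLATFORM_API.items() if pat.search(url)), None)

def suspicion(stats, poll_threshold=3, upload_threshold=1_000_000):
    # Signals that chat-API use looks like a bot channel rather than a person using the app.
    why = []
    odd = sorted(a for a in stats["agents"] if not a.startswith(EXPECTED_CLIENTS))
    if odd:
        why.append("non-standard client: " + ", ".join(odd))
    if stats["calls"] >= poll_threshold:
        why.append(f"repeated polling: {stats['calls']} calls")
    if stats["bytes"] >= upload_threshold:
        why.append(f"large upload: {stats['bytes']} bytes")
    return why

def analyze(lines, **thresholds):
    per_host = defaultdict(lambda: {"calls": 0, "bytes": 0, "agents": set()})
    for rec in map(parse_line, lines):
        if platform_for(rec["url"]) is None:
            continue  # not a chat-platform API call
        stats = per_host[rec["host"]]
        stats["calls"] += 1
        stats["bytes"] += rec["bytes_out"]
        stats["agents"].add(rec["ua"])
    return {h: why for h, s in per_host.items() if (why := suspicion(s, **thresholds))}
```

Hosts using the APIs from a normal browser or the official client with ordinary volumes (ws-17, ws-08 in the sample) produce no finding; the thresholds should be tuned to what your own bots and integrations legitimately do.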

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
