
Popular Chat Platforms Can Serve as C&C Servers: Researchers

Popular chat platforms such as Slack, Discord and Telegram can be abused by malicious actors and turned into command and control (C&C) infrastructure, according to Trend Micro.

Threat actors have been very creative when it comes to C&C communications. Several groups have leveraged Twitter, and the Russia-linked group known as Turla was recently spotted hiding the URLs of C&C servers in comments posted on Britney Spears’ Instagram account.

Researchers at Trend Micro have looked at several popular chat platforms and found that many of them can be abused by cybercriminals, and some already have been. These platforms are attractive to attackers because they are widely used for legitimate purposes: C&C traffic to them rides over HTTPS to well-known domains and blends in with normal activity, which makes it harder to detect than traffic to a custom server.

Experts analyzed the team collaboration tool Slack, the gaming chat app Discord, the privacy-focused messenger Telegram, the group messaging platform HipChat, the open source Slack alternative Mattermost, Twitter, and Facebook.

The developers of such apps typically provide API components that allow integration with custom and third-party applications (e.g. syncing with the user’s calendar to get notifications on meetings directly in the chat interface).

In the case of Slack, researchers determined that the platform can be turned into a C&C server, but it’s not very practical for exfiltrating large amounts of data given that there is an upload limit of 5 GB.

Experts created a proof-of-concept (PoC) to demonstrate how Slack can be abused to send commands to a bot, including for listing directories, uploading files, executing system commands, and taking screenshots and uploading them to Slack.

Trend Micro has spotted some suspicious files interacting with Slack, but they did not include any malicious routines. Some malicious Android apps have been found to leverage Slack to relay information to attackers, but no threats have been observed abusing the platform to its full potential.

Discord is even less practical for exfiltrating data as the maximum size of file uploads is 8 MB. However, researchers did see malware hosted on the platform, including key generators, cracks, exploit kits and injectors. Discord has also been abused in cybercrime operations involving Bitcoin miners and malware that targets users of the online social gaming platform Roblox.

Telegram has also been abused by cybercriminals, despite the fact that, unlike Slack and Discord, it requires a valid phone number to register an account. A PoC created by Trend Micro for Telegram shows that the platform can be abused for executing commands on the infected system and stealing data. In the wild, Telegram has been leveraged by threats such as the TeleBot backdoor and the Telecrypt ransomware.

HipChat’s API also provides functionality needed for a C&C server, but researchers believe Mattermost is less appealing to attackers. Facebook can be abused, as experts from Zone13 recently demonstrated, but Trend Micro pointed out that the social media platform has good mechanisms in place for detecting suspicious activity on accounts.
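The detection problem the article raises (C&C traffic hiding among legitimate use of Slack, Discord and Telegram) is easier to reason about with a concrete check. The following Python script is an added illustration, not Trend Micro's code or PoC: it parses web-proxy log lines and flags hosts that talk to the platforms' bot-facing API endpoints from non-browser, non-client user agents, that poll a receive endpoint at a near-constant interval (beaconing), or that carry a Telegram bot token in the URL (which names the controller's bot). The log layout, IP addresses, user agents and the log lines themselves are constructed sample data; the API paths are those of the public Slack, Discord and Telegram bot APIs, and the "known client" user-agent allowlist is an assumption to tune per environment.

```python
"""Heuristic detection of chat-platform C&C traffic in proxy logs.

Added example for the Trend Micro findings described above; not Trend
Micro's code. Log layout and sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log layout:  <ISO timestamp> <src_ip> "<user_agent>" <method> <url>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<method>[A-Z]+) (?P<url>\S+)$'
)

# Bot-facing endpoints of the platforms discussed in the article (public API
# paths). Telegram puts the bot token in the path (/bot<id>:<secret>/<method>),
# so the URL in the log identifies the controller's bot.
PLATFORM_PATTERNS = {
    "slack": re.compile(
        r"^https://slack\.com/api/(chat\.postMessage|files\.upload|"
        r"rtm\.(start|connect)|conversations\.history)"),
    "discord": re.compile(
        r"^https://discord(app)?\.com/api/(v\d+/)?"
        r"(channels/\d+/messages|webhooks/\d+/)"),
    "telegram": re.compile(
        r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/"
        r"(getUpdates|sendMessage|sendDocument|sendPhoto)"),
}

# Assumed allowlist of browser and official desktop-client user agents.
CLIENT_UA = re.compile(r"Mozilla/|Slack_SSB|Discord/")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def classify(url):
    """Return (platform, match) if the URL is a bot API endpoint, else None."""
    for name, pat in PLATFORM_PATTERNS.items():
        m = pat.match(url)
        if m:
            return name, m
    return None


def analyze(lines, min_polls=5, max_jitter_s=2.0):
    """Return {(src_ip, platform): [reasons]} for hosts worth investigating."""
    reasons = defaultdict(set)   # (src, platform) -> why it was flagged
    polls = defaultdict(list)    # (src, platform) -> timestamps of GET requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["url"])
        if hit is None:
            continue
        platform, m = hit
        key = (rec["src"], platform)
        # 1. Bot API reached by something other than a browser or official client.
        if not CLIENT_UA.search(rec["ua"]):
            reasons[key].add("non-client user agent: " + rec["ua"])
        # 2. Telegram bot token in the URL: record the bot id for enrichment.
        if platform == "telegram":
            reasons[key].add("telegram bot id " + m.group("bot_id"))
        # 3. Collect GETs (message/update fetches) for the beaconing check.
        if rec["method"] == "GET":
            polls[key].append(rec["ts"])
    # Beaconing: enough polls whose intervals vary by no more than max_jitter_s.
    for key, ts in polls.items():
        if len(ts) < min_polls:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            reasons[key].add("regular polling: %d requests at ~%.0fs intervals"
                             % (len(ts), sum(gaps) / len(gaps)))
    return {k: sorted(v) for k, v in reasons.items()}


# Constructed sample log: a legitimate Slack desktop client, a host polling a
# Telegram bot every 30 s from a scripting user agent, and a curl webhook post.
SAMPLE_LOG = """\
2017-06-08T09:00:00 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0) Slack_SSB/2.6.2" GET https://slack.com/api/conversations.history?channel=C123
2017-06-08T09:00:00 10.0.0.7 "python-requests/2.18.1" GET https://api.telegram.org/bot123456789:AAFx_y-z/getUpdates?offset=0
2017-06-08T09:00:30 10.0.0.7 "python-requests/2.18.1" GET https://api.telegram.org/bot123456789:AAFx_y-z/getUpdates?offset=1
2017-06-08T09:00:45 10.0.0.7 "python-requests/2.18.1" POST https://api.telegram.org/bot123456789:AAFx_y-z/sendDocument
2017-06-08T09:01:00 10.0.0.7 "python-requests/2.18.1" GET https://api.telegram.org/bot123456789:AAFx_y-z/getUpdates?offset=2
2017-06-08T09:01:30 10.0.0.7 "python-requests/2.18.1" GET https://api.telegram.org/bot123456789:AAFx_y-z/getUpdates?offset=2
2017-06-08T09:02:00 10.0.0.7 "python-requests/2.18.1" GET https://api.telegram.org/bot123456789:AAFx_y-z/getUpdates?offset=2
2017-06-08T09:02:31 10.0.0.7 "python-requests/2.18.1" GET https://api.telegram.org/bot123456789:AAFx_y-z/getUpdates?offset=3
2017-06-08T09:05:12 10.0.0.9 "curl/7.52.1" POST https://discordapp.com/api/webhooks/1122/abcDEF
"""

if __name__ == "__main__":
    for (src, platform), why in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(src, platform, "; ".join(why))
```

The script flags the Telegram poller on three counts and the curl webhook post on one, while the Slack desktop client generates no finding. In practice the user-agent allowlist and the polling thresholds need tuning to the environment, and the Telegram bot id extracted from the URL is the pivot for blocking or reporting the controller's bot rather than the whole platform.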

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
