Working for a big company often involves communicating with lots of people who are not necessarily near you. You can call them on the phone, but that's not always the most practical solution. Communication via email is an option, but it can cause unwanted delays. Chat applications are often your best bet, which is why companies providing instant messaging services have been thriving over the last few years. According to a report from Trend Micro, for example, about 77% of Fortune 100 enterprises work with Slack. Sadly, the same report shows that large business organizations might not be the only ones taking advantage of free chat services.
The idea of using such applications for malicious purposes is not new. In fact, a couple of years ago, the IRC (or Internet Relay Chat) application layer protocol was used extensively for controlling malware. With time, however, IRC's popularity dwindled, and, having realized the security risks, system administrators started banning it in corporate networks. At the moment, businesses rely on more modern instant messaging alternatives. Unfortunately, during a research project that lasted for a year and a half, Trend Micro's experts saw that the threat actors are trying to keep up. The researchers examined the mechanisms that could allow hackers to use the chat applications' APIs as a part of their Command and Control (C&C) infrastructure. Their research covered the popular Slack, Discord, and Telegram messaging platforms, HipChat and Mattermost (a couple of self-hosted services), as well as the APIs of Twitter and Facebook.
Slack is by far the most widely used of the stand-alone instant messaging platforms. It's favored by companies because it offers a collection of tools that are designed to make employees' work easier. In addition to this, it has an API that can be incorporated into custom software, meaning that users can perform a myriad of tasks without having to switch between different applications all the time. Thankfully, there are no known incidents of threat actors communicating with infected systems via Slack's API. Despite this, Trend Micro's researchers found out that such a scenario is possible.
How Did Hackers Take Advantage of Chat Apps?
They set up a Slack team and then requested an API testing token. The testing token's function is pretty self-explanatory: it allows developers and customers to make sure that everything works when developing and incorporating an application that will use Slack's API. Trend Micro's experts found out, however, that the token can be abused.
First, they set up a channel using a simple API request, and they then created a websocket. Using the testing token for authentication, they established a connection with the websocket, which allowed them to send commands that were executed on the infected host computer. In an attack scenario, a separate channel would be created for every single target, and the malicious tasks threat actors can perform range from fetching the list of directories to running shell commands. They can also steal files, capture screenshots, and record keystrokes, and the really clever bit is that everything they take from the victim computer is uploaded to Slack's servers, which means that network monitoring tools are unlikely to pick up anything suspicious.
The same thing is observed with Discord, a chat platform primarily aimed at gamers. When the API is used, it sends a DNS request to gateway.discord.gg, and the rest of the communication is also handled by the messaging platform's servers, which means that detecting threat actors that exfiltrate data through Discord's API is next to impossible. Stealing information can happen through the create message function. When they were looking into the application, Trend Micro's researchers found no evidence of anyone using Discord's API as a C&C infrastructure. Someone was using Discord webhooks, though.
Unlike APIs, webhooks aren't designed to facilitate two-way communication. What they do instead is send information once certain conditions are met. In this particular case, the webhook was triggered by a popular online game called Roblox. The researchers found a couple of strains of malware that would wait for the game to launch. When it did, the malicious software requested an account cookie from Roblox's server, which it later sent through Discord's webhook. The cookie gave the threat actors access to the victims' accounts and allowed them to steal game currency.
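As an added example (not part of the original article or of Trend Micro's research), the following Python script scans constructed web-proxy log lines for the chat-platform API usage described above: Slack's RTM setup calls and the Discord gateway reached by something other than the official client or a browser, POSTs to Discord webhook URLs, and calls to the Telegram bot API. The log format, the sample lines, the placeholder tokens, and the user-agent fragments taken to identify official clients are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed web-proxy log (not real traffic), tab-separated:
# timestamp, client host, method, URL, user agent, bytes sent by the client.
# Tokens and webhook ids are placeholders.
SAMPLE_LOG = """\
2017-05-02T09:14:03Z\tws-017\tGET\thttps://slack.com/api/rtm.connect?token=xoxp-PLACEHOLDER\tpython-requests/2.13\t212
2017-05-02T09:15:11Z\tws-042\tGET\thttps://slack.com/api/rtm.connect\tMozilla/5.0 (Windows NT 10.0) Slack/2.5.2\t198
2017-05-02T09:16:40Z\tws-088\tGET\twss://gateway.discord.gg/?v=6&encoding=json\tGo-http-client/1.1\t320
2017-05-02T09:17:02Z\tws-103\tPOST\thttps://discordapp.com/api/webhooks/000000/PLACEHOLDER\tMicrosoft-CryptoAPI/10.0\t1744
2017-05-02T09:18:30Z\tws-103\tGET\thttps://api.telegram.org/botPLACEHOLDER/getUpdates\tcurl/7.52.1\t90
"""
LOG_FIELDS = ("ts", "host", "method", "url", "ua", "bytes_out")

# User-agent fragments taken to mean the official desktop client or a browser.
# Assumption: replace with what the real clients in your environment send.
OFFICIAL_CLIENT_UA = ("Slack/", "Discord/", "Mozilla/")

def classify(entry):
    """Label one proxy entry with the chat-API abuse pattern it matches, or None."""
    u = urlparse(entry["url"])
    host, path = (u.hostname or "").lower(), u.path
    official = any(tag in entry["ua"] for tag in OFFICIAL_CLIENT_UA)
    # Slack: the websocket used for command traffic is opened by first calling
    # rtm.connect (or the older rtm.start) with a token.
    if host == "slack.com" and path in ("/api/rtm.connect", "/api/rtm.start") and not official:
        return "slack-rtm-from-non-client"
    # Discord: the gateway hostname the article mentions, reached by a non-client.
    if host == "gateway.discord.gg" and not official:
        return "discord-gateway-from-non-client"
    # Discord webhooks are one-way, so a POST here is data leaving the host.
    if (host in ("discordapp.com", "discord.com")
            and path.startswith("/api/webhooks/") and entry["method"] == "POST"):
        return "discord-webhook-post"
    # Telegram bot API calls carry the bot token in the path.
    if host == "api.telegram.org" and path.startswith("/bot"):
        return "telegram-bot-api"
    return None

def scan(log_text):
    """Group findings by client host: {host: [(label, url_without_query, bytes_out)]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = dict(zip(LOG_FIELDS, line.split("\t")))
        label = classify(entry)
        if label:  # drop the query string so tokens do not end up in alert output
            findings[entry["host"]].append((label, entry["url"].split("?")[0], int(entry["bytes_out"])))
    return dict(findings)
```

Because the traffic itself goes to legitimate servers, this only works where the proxy records full URLs and user agents, and hits are triage leads to correlate with the originating process rather than proof of compromise.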
Hackers Find Monetary Gain via Chat Apps
Speaking of currency, the experts also found a Bitcoin miner that was spread with the help of Discord. Mining this particular type of cryptocurrency in this day and age is not exactly the easiest thing in the world, but as Trend Micro noted, the hackers were clever when they picked Discord as their distribution method of choice. As we mentioned already, the platform is mainly used by gamers, and gamers are likely to have powerful graphics processing units (GPUs), the most important piece of hardware when it comes to cryptocurrency mining. For good measure, the Bitcoin miner Trend Micro found was designed to overclock the GPU before starting the process.
In addition to the miner, researchers spotted a number of other malware samples including cracking tools, key generators, and even exploit kits hosted through Discord. Trend Micro informed the vendor, and the malicious files were quickly removed.
Next on the list for the researchers was Telegram. For regular users, signing up for Telegram seems more secure when compared to Slack or Discord. Registering won't happen without a valid phone number, for example, and network administrators are also put in a better position because the chat service communicates with different subdomains on different platforms. These differences haven't stopped threat actors from abusing Telegram.
In fact, unlike Slack and Discord, Telegram has been actively used as a C&C communication tool. That's where Telebots, the hacking group that attacked selected Ukrainian targets with the KillDisk malware, got their name from. Telegram's API was also used to talk to Telecrypt, a ransomware family that was also named after the instant messaging service. Both incidents are well documented, and the bad actors will likely continue to abuse the platform.
Social Networks Take Priority
An easier option for threat actors would be to use social networks like Twitter and Facebook as a means of sending commands to infected hosts. There are some limitations, though.
While hackers have used Twitter as a part of their C&C infrastructure, the 140-character limit means that the black hats can't do much, especially when it comes to stealing information. In that respect, Facebook, which sets its limit at over 63 thousand characters, is the better option. Trend Micro noted, however, that Mark Zuckerberg's employees have placed some strong backend protection against malicious scripts.
Finally, the researchers took a peek at HipChat and Mattermost, the two self-hosted platforms on the list. Their APIs can be used for reaching out to infected computers, but since the communication goes through a server that needs to be specially configured, the procedure of setting up a channel won't differ much from putting together a traditional C&C. In the case of Mattermost, real-time communication could also be difficult, but perhaps the biggest limitation is the services' lack of popularity.
Which brings us back to Slack, Telegram, and Discord, the platforms that are most likely to be abused. Trend Micro's research paper paints a rather grim picture indeed, but it should be noted that there is a silver lining. Using these services for stealing information (the biggest threat to corporate networks) would be extremely difficult because of the file size limits they impose on the transmitted and hosted data. In some cases, an attack is not possible without a stolen authentication token or leaked login credentials.
All in all, it's not all doom and gloom, and the countless businesses that rely on these services shouldn't just ditch them and look for new ways of organizing their workdays. More vigilance from both system administrators and regular employees wouldn't hurt, though.