Hackers Exploit Bots on Discord, Telegram to Steal Users’ Data

Photo Depicting Messaging App User

Cybercriminals have devised ways to exploit bots on Telegram and Discord to spread malware and steal sensitive user data, cybercrime intelligence firm Intel 471 said in a blog post on Tuesday.

The malware that hackers deploy on these messaging apps can extract everything from financial information to SMS messages.

Information Stealers on Discord, Telegram

Using info stealers, hackers have figured out ways to manipulate these messaging “platforms to host, distribute, and execute various functions that ultimately allow them to steal credentials and other information from unsuspecting users,” the Intel 471 team wrote.

The researchers discovered several freely available info stealers that are custom-built to work with Discord and Telegram.

One of them—aptly named Blitzed Grabber—relies on Discord’s webhooks to store stolen data. Webhooks allow automated messages and updates to be sent to Discord messaging channels.

Other information stealers, namely Mercurial Grabber and 44Caliber, can steal users’ credentials for popular gaming platforms, Roblox and Minecraft.

These malware programs can excise a plethora of information like browser cookies, bookmarks, autofill data, virtual private network (VPN) credentials, bank card information, cryptocurrency wallet information, passwords, operating system information, and even Microsoft Windows product keys.

Intel 471 researchers also discovered a nefarious Telegram bot, known as X-Files, which is operated via bot commands on the messaging platform. The bot can compromise browsers including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi.

Once the malware is loaded onto a victim’s system, cybercriminals can “swipe passwords, session cookies, login credentials, and credit card details,” and send this to themselves or other cybercriminal groups on Telegram. The researchers discovered another Telegram information stealer, Prynt Stealer, which is similar to X-Files but doesn’t work with bot commands.

Cybercriminals Abuse Discord Cloud Infrastructure

The Intel 471 team found that hackers are exploiting the cloud infrastructure used by messaging platforms like Discord to further their criminal schemes.

“Many threat actors currently use Discord’s content delivery network (CDN) to host malware payloads,” the researchers explained.

Although the researchers first observed this trend in 2019, they noted that many threat actors still use it. According to the Intel 471 team, it appears the hackers don’t “face any restrictions when uploading their malicious payloads to the Discord CDN for file hosting.”

Numerous malware families were discovered on Discord’s CDN, including Raccoon stealer, Agent Tesla stealer, Modi loader, and Warzone RAT.

“The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads,” the researchers explained.

OTP Bots Plague Telegram

The researchers said there has been a steady increase in Telegram-linked information stealers, such as Astro OTP, on the dark web.

Astro OTP can intercept OTP (one-time password) tokens as well as SMS verification codes. According to the researchers, cybercriminals can control this bot via the Telegram interface with basic commands.

“Access to the bot is extremely cheap, a one-day subscription can be bought for US $25, with a lifetime subscription available for US $300,” they wrote.

Automation ‘Lowers the Bar-of-Entry’ for Cybercriminals

While automation bots allow users to play games, share media, moderate channels, and do so much more, they can also be exploited by cybercriminals.

The ease of use of info stealer trojans makes them a lucrative entry point for low-level hackers, and the growing popularity of remote work presents a larger attack surface for these cybercriminals to exploit. The researchers explained that this creates “an opportunity for low-level cybercriminals to hone their skills, build their relationships and possibly pivot to further crimes in the future.”

“While information stealers alone do not cause the same amount of damage as malware like a data wiper or ransomware, they can be the first step in launching a targeted attack against an enterprise,” the Intel 471 team noted.

Hackers often target apps and websites where millions of users congregate and share data, and the growing popularity of bots on such platforms presents an avenue for cybercriminals to orchestrate their attacks.

A 2021 study revealed that bots were responsible for nearly two-thirds of all internet traffic that year, but nearly 40% of that traffic came from malicious bots. We’ve reported on a few cyberattacks involving bots, including one in May, where hackers used a Discord bot to infiltrate NFT channels in a phishing attack.

If you use social platforms such as Telegram or Discord, our article on the five best cybersecurity tools contains useful information on how can protect your data. Also, check out our article on how phishing scams work to understand how cybercriminals trick people into downloading malware, like information stealers, onto their devices.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.