Yesterday, a group of IT security researchers revealed that Russian hackers were controlling a malware operation through the official Instagram account of the world-renowned singer Britney Spears.
Now, research conducted by Trend Micro has revealed that hackers could use third-party chat applications such as Slack, Discord, and Telegram as command-and-control (C&C) centers for malware hosted on a victim’s system.
The pervasive use of chatting apps
Third-party chat apps such as Slack have been growing in use among large and small corporations alike because of the convenience with which these platforms allow communication and collaboration. However, researchers at Trend Micro discovered (PDF) that the APIs of these platforms could be exploited to serve as C&C centers for different types of malware.
APIs as the key beneficiary
An application programming interface, or API for short, is a set of tools and protocols that allows an app to be integrated with other primary systems so that the two can be used together in a complete and seamless manner.
That is, with the use of APIs, primary systems can be enhanced in functionality. It is perhaps because of this that businesses are so obsessed with apps like Slack, which allow them to easily integrate the advanced functionality of the chat platform with their primary systems.
This spares staff from using different apps for different functions and thus makes the process of communication much smoother.
However, it seems that the same APIs can be manipulated by attackers to turn these innocuous apps into malicious C&C centers: the attacker uses the chat platform to communicate with the malware and launch attacks accordingly.
These exploits can appear legit
The main threat to businesses and users operating such third-party apps is that these attacks are effectively immune to conventional security controls. That is, attackers can turn the entire app into a C&C system without being detected by anti-malware or other security software.
This is because, in essence, the attacker is simply using a chat app to communicate, albeit with malware. The mere act of communicating over the platform is not captured by the relevant security controls, which means the attacker can launch any attack at will.
Why is it more dangerous than normal malware?
Reports say that normal ransomware runs according to an automated algorithm. That is, the ransomware controls itself using pre-defined code and harms a computer as directed by that code, with no human intervention.
In the case of chat apps being used as C&C systems, attackers can manipulate the malware as they wish once the infection has been injected into a victim’s system. They only need to sign up to these apps like a normal user and start commanding the malware to perform all sorts of vicious attacks.
Hence, rather than being automated, the malware can be directed to do anything the attacker wants. This makes it far more dangerous than normal ransomware attacks.
“The malware we found currently taking advantage of Telegram and Discord are proof of this. And it is not a remote possibility that we will see more and more examples of chat platform API abuse in the near future. For example, instead of writing a custom interface from scratch to communicate with a ransomware victim, a cybercriminal may just opt to use a third-party chat client wrapped in a custom chat window that opens a web socket to the appropriate channel. He can then immediately walk the victim through the payment process and start with the decryption once the ransom is paid,” said Trend Micro.
How to stay secure?
Perhaps the only way to remain secure is to keep monitoring changes in the data being transmitted through these apps, while businesses also need to secure their networks by installing anti-virus and other anti-malware tools.
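The two points above, that chat-API traffic from a C&C-abusing implant looks like ordinary chat traffic to security tools, and that monitoring what is transmitted through these apps is the practical defence, can be turned into a concrete detection check. The script below is an added example written for this article; it is not code from Trend Micro or from the report. It parses a small constructed egress log (the line format, the host and process names, and the 30-second polling cadence are all invented for the example) and applies two defender-side rules: flag any process other than an approved chat client that reaches a chat-platform API domain, and flag sessions whose request intervals are nearly constant, since a human chatting is bursty while a bot polling a channel for commands is metronomic. The domain and approved-client lists are assumptions a defender would maintain for their own environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Chat-platform API domains the business allows only from approved clients.
# Assumption for this example: a defender-maintained list, not from the report.
CHAT_API_DOMAINS = {"slack.com", "api.telegram.org", "discordapp.com"}

# Processes expected to talk to those domains (assumption for this example).
APPROVED_CLIENTS = {"slack.exe", "discord.exe", "telegram.exe", "chrome.exe"}

# Constructed egress-log line format: "<iso-timestamp> host=<h> proc=<p> dst=<d>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)")

# Constructed sample log: a real Slack client chatting, a browser opening Discord,
# and a non-chat process on WS-02 polling a chat API every 30 seconds.
SAMPLE_LOG = """\
2017-04-06T10:00:00Z host=WS-01 proc=slack.exe dst=slack.com
2017-04-06T10:03:12Z host=WS-01 proc=slack.exe dst=slack.com
2017-04-06T10:00:00Z host=WS-02 proc=svchost.exe dst=api.telegram.org
2017-04-06T10:00:30Z host=WS-02 proc=svchost.exe dst=api.telegram.org
2017-04-06T10:01:00Z host=WS-02 proc=svchost.exe dst=api.telegram.org
2017-04-06T10:01:30Z host=WS-02 proc=svchost.exe dst=api.telegram.org
2017-04-06T10:02:00Z host=WS-02 proc=svchost.exe dst=api.telegram.org
2017-04-06T10:00:05Z host=WS-03 proc=chrome.exe dst=discordapp.com
"""


def parse_log(text):
    """Turn log lines into (timestamp, host, process, destination) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["proc"], m["dst"]))
    return events


def unapproved_clients(events):
    """Rule 1: a process not on the approved list reaching a chat API domain."""
    hits = set()
    for _, host, proc, dst in events:
        if dst in CHAT_API_DOMAINS and proc not in APPROVED_CLIENTS:
            hits.add((host, proc, dst))
    return sorted(hits)


def beaconing(events, min_events=4, max_cv=0.1):
    """Rule 2: near-constant request intervals to a chat API domain.

    Returns [((host, proc, dst), mean_gap_seconds), ...] for sessions whose
    coefficient of variation of inter-request gaps is at or below max_cv.
    """
    by_key = defaultdict(list)
    for ts, host, proc, dst in events:
        if dst in CHAT_API_DOMAINS:
            by_key[(host, proc, dst)].append(ts)
    hits = []
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((key, round(mean, 1)))
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("unapproved clients:", unapproved_clients(ev))
    print("beacon-like sessions:", beaconing(ev))
```

On the sample log, both rules converge on the same session (WS-02, svchost.exe, api.telegram.org): the process is not an approved chat client, and its five requests arrive exactly 30 seconds apart. The legitimate Slack and Discord traffic produces no alert under either rule. In a real deployment the interval threshold and the approved-client list need tuning per environment, and the source of truth for the process name should be an endpoint agent or proxy that records it reliably.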