
Researchers find Telegram bot chatter is actually Windows malware commands

Decrypted Telegram bot chatter was found to actually be a new Windows malware, dubbed GoodSender, which uses the messenger platform to listen and wait for commands.

Forcepoint researchers discovered what they described as a “fairly simple” year-old malware that, once it infects a victim’s device, creates a new administrator account and enables Remote Desktop.

The attacker then uses Telegram to communicate with the malware and send HTTPS protected instructions.
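The behaviour described above (a new local account, elevation to Administrators, Remote Desktop enabled, then command traffic via Telegram) is a sequence a defender can correlate from Windows Security auditing and proxy logs. The following is an added detection example, not code from the article or from Forcepoint's research; the event records are constructed, the field names are an assumed normalised log schema, and it relies on Security event IDs 4720 (user account created), 4732 (member added to a local group) and 4657 (registry value modified, which requires a SACL on the key), plus the real `fDenyTSConnections` value under the Terminal Server key, which is 0 when RDP connections are allowed.

```python
"""Flag hosts showing a GoodSender-style sequence: new local account, added to
Administrators, Remote Desktop enabled, and (optionally) an outbound connection
to the Telegram Bot API from a process that is not a browser or Telegram client.

Added example. The records below are constructed, not taken from the article or
from Forcepoint; the dict field names are an assumed normalised log schema."""
from collections import defaultdict

RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_VALUE = "fDenyTSConnections"          # registry value; 0 means RDP allowed
TELEGRAM_API = "api.telegram.org"         # host the Bot API is served from
# Processes for which Telegram traffic is expected; anything else is suspicious.
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}

# Constructed Security-log records (Event IDs 4720 / 4732 / 4657).
SECURITY_EVENTS = [
    {"host": "ws01", "ts": 100, "event_id": 4720, "target": "svc_backup", "subject": "SYSTEM"},
    {"host": "ws01", "ts": 101, "event_id": 4732, "target": "svc_backup", "group": "Administrators"},
    {"host": "ws01", "ts": 102, "event_id": 4657, "key": RDP_KEY, "value": RDP_VALUE, "data": 0},
    # Benign: helpdesk creates a normal user, no admin membership, no RDP change.
    {"host": "ws02", "ts": 200, "event_id": 4720, "target": "jdoe", "subject": "helpdesk"},
]

# Constructed web-proxy records with the originating process name.
PROXY_LOGS = [
    {"host": "ws01", "ts": 103, "dest": TELEGRAM_API, "process": "svchost.exe"},
    {"host": "ws02", "ts": 201, "dest": TELEGRAM_API, "process": "chrome.exe"},
]


def find_suspects(security_events, proxy_logs, window=600):
    """Return {host: [indicators]} for every host where, within `window` seconds
    of an account being created, that account was added to Administrators and
    RDP was enabled. Telegram Bot API traffic from an unexpected process inside
    the same window is appended as an extra indicator but is not required."""
    by_host = defaultdict(list)
    for ev in security_events:
        by_host[ev["host"]].append(ev)

    beacons = defaultdict(list)
    for rec in proxy_logs:
        if rec["dest"] == TELEGRAM_API and rec["process"].lower() not in EXPECTED_TELEGRAM_CLIENTS:
            beacons[rec["host"]].append(rec)

    suspects = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for start in (e for e in events if e["event_id"] == 4720):
            new_user = start["target"]
            lo, hi = start["ts"], start["ts"] + window
            in_window = [e for e in events if lo <= e["ts"] <= hi]
            admin_added = any(
                e["event_id"] == 4732 and e.get("target") == new_user
                and e.get("group") == "Administrators"
                for e in in_window
            )
            rdp_enabled = any(
                e["event_id"] == 4657 and e.get("key") == RDP_KEY
                and e.get("value") == RDP_VALUE and e.get("data") == 0
                for e in in_window
            )
            if admin_added and rdp_enabled:
                indicators = [f"account_created:{new_user}",
                              f"admin_added:{new_user}", "rdp_enabled"]
                indicators += [f"telegram_api_from:{b['process']}"
                               for b in beacons[host] if lo <= b["ts"] <= hi]
                suspects[host] = indicators
                break   # one hit per host is enough for an alert
    return suspects


if __name__ == "__main__":
    for host, why in find_suspects(SECURITY_EVENTS, PROXY_LOGS).items():
        print(host, "->", ", ".join(why))
```

The three host indicators are required together so that a routine account creation (ws02) does not alert; the Telegram traffic is treated as corroboration rather than a requirement, since the same C2 channel could be run through any other messaging or social platform, as the article's reference to tweeted malware commands shows.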

The malware also revealed a vulnerability in Telegram’s Bot API. Because the messages were sent through the Telegram Bot API, and not between regular users, anyone knowing a few key pieces of information can snoop on the bot chatter and even recover the full messaging history of the target bot. Regular users’ messages, by contrast, are protected with Telegram’s in-house MTProto encryption.

This isn’t the first time threat actors have used commercial products to communicate. Researchers noted threat actors tweeting malware commands in a separate malware incident. 

Forcepoint contacted Telegram regarding the vulnerability in the API but has yet to hear back. Telegram hasn't as yet responded to an SC Media query.
