Decrypted Telegram bot chatter was found to actually be a new Windows malware, dubbed GoodSender, which uses the messenger platform to listen and wait for commands.
Forcepoint researchers discovered what they described as a “fairly simple” year-old malware that, once it infects a victim’s device, creates a new administrator account and enables Remote Desktop.
The attacker then uses Telegram to communicate with the malware and send HTTPS-protected instructions.
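The behaviour described above (new local account, elevated to Administrators, Remote Desktop switched on) leaves a recognisable trail in Windows telemetry. The following detection logic is an added example, not Forcepoint's or the article's code; it correlates Security log events 4720 (account created) and 4732 (member added to a local group) with a registry change to fDenyTSConnections, over constructed sample records.

```python
"""Correlate constructed Windows event records for the GoodSender-style pattern:
a new local account, added to Administrators, then Remote Desktop enabled."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mirror what a SIEM
# would extract from Security log 4720/4732 and a registry-audit source.
SAMPLE_EVENTS = [
    {"ts": "2019-01-15T10:02:11", "id": 4720, "target": "svc_update", "detail": "user created"},
    {"ts": "2019-01-15T10:02:13", "id": 4732, "target": "svc_update", "detail": "Administrators"},
    {"ts": "2019-01-15T10:02:20", "id": "reg", "target": "fDenyTSConnections", "detail": "0"},
    {"ts": "2019-01-15T14:30:00", "id": 4720, "target": "jdoe", "detail": "user created"},
    {"ts": "2019-01-15T14:31:00", "id": 4732, "target": "jdoe", "detail": "Remote Desktop Users"},
]

# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server; value 0 enables RDP.
RDP_KEY = "fDenyTSConnections"


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_rogue_admin_rdp(events, window_minutes=10):
    """Return account names for which a 4720 (created) is followed, within
    window_minutes, by a 4732 into Administrators and fDenyTSConnections set to 0."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    hits = []
    for e in events:
        if e["id"] != 4720:
            continue
        t0, acct = _parse(e["ts"]), e["target"]
        later = [x for x in events if t0 <= _parse(x["ts"]) <= t0 + window]
        made_admin = any(x["id"] == 4732 and x["target"] == acct
                         and x["detail"] == "Administrators" for x in later)
        rdp_on = any(x["id"] == "reg" and x["target"] == RDP_KEY
                     and x["detail"] == "0" for x in later)
        if made_admin and rdp_on:
            hits.append(acct)
    return hits


if __name__ == "__main__":
    print(find_rogue_admin_rdp(SAMPLE_EVENTS))  # ['svc_update']
```

The second account in the sample is added only to Remote Desktop Users, so it is not flagged; tune the window to the account-provisioning cadence of the environment.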
The malware also revealed a weakness in Telegram’s Bot API. Because the messages were sent through the Bot API rather than between regular users, anyone who knows a few key pieces of information can snoop on the bot chatter and even recover the full messaging history of the target bot. Regular user-to-user messages, by contrast, are protected with Telegram’s in-house MTProto encryption.
This isn’t the first time threat actors have used commercial products to communicate. Researchers noted threat actors tweeting malware commands in a separate malware incident.
Forcepoint contacted Telegram regarding the vulnerability in the API but has yet to hear back. Telegram has not yet responded to an SC Media query.