Telegram, the encrypted messaging service, is being used as a command and control infrastructure for malware, an investigation by researchers at Forcepoint Security Labs has found.
First, it is important to note that not all of Telegram’s 180-million-plus users are affected. The issue concerns the Bot API, which only a subset of Telegram users rely on.
Bots are used for automated communication between teams, such as groups of developers, and for automated feeds that share news or updates.
The weakness requires a man-in-the-middle (MitM) position, with the attacker able to intercept the bot’s traffic, in order to extract information, the researchers say. Forcepoint has informed Telegram of the issue.
“Malware that uses Telegram as a command and control channel typically uses the Telegram Bot API for communications,” say the researchers. “In the course of an investigation into one piece of malware, we discovered a significant flaw in the way Telegram handles messages sent through its Bot API.”
The malware in question, dubbed ‘GoodSender’, operates in a simple way: once it is dropped it creates a new local administrator account, enables Remote Desktop and adds a firewall exception so that the RDP connection is not blocked. The username of the new admin account is static, but the password is randomly generated.
All of that information, including the username, the password and the victim’s IP address, is sent to the operator over the Telegram network, giving the operator RDP access to the victim’s computer, the researchers say.
And unlike its chat conversations, Telegram’s bots are not secured with its own encryption protocol, MTProto. Instead, the bot platform relies only on Transport Layer Security (TLS), the same protection ordinary HTTPS traffic gets: every Bot API call is a plain HTTPS request to api.telegram.org with the bot token carried in the URL path. The confidentiality of bot messages therefore rests entirely on TLS, and an attacker in the man-in-the-middle position the researchers describe sees both the messages and the token in the clear.
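The following is an added example, not code from the Forcepoint write-up or from the GoodSender malware. It shows what the two points above mean for a defender: because the Bot API is ordinary HTTPS, anyone who can see the decrypted traffic (an intercepting proxy, here standing in for the MitM position) sees the bot token in the URL and the message contents. The script parses constructed proxy log lines, extracts the token and API method from each Bot API call, and flags `sendMessage` calls whose text has the shape of a GoodSender report (username, password and victim IP). The log format, the keyword hints, the tokens and the credentials are all constructed for this example; only the `api.telegram.org` host and the `/bot<token>/<method>` path layout are real Telegram conventions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API calls go to a fixed host and carry the bot token in the
# path: https://api.telegram.org/bot<token>/<method>. Tokens look like
# "<numeric bot id>:<secret>"; the 30+ length floor on the secret is a
# loose assumption chosen to avoid false matches, not a Telegram spec.
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")

# A GoodSender-style report carries a username, a password and the victim's
# IP address (from the Forcepoint description). The labels the malware uses
# are not in the write-up; these keyword hints are an assumption.
CRED_HINTS = ("user", "pass", "ip")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_bot_api_request(url):
    """Return (token, method, query params) for a Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return m.group("token"), m.group("method"), params


def looks_like_credential_report(method, params):
    """Heuristic: a sendMessage whose text names at least two credential
    fields and contains an IPv4 address, i.e. the shape of a GoodSender report."""
    if method != "sendMessage":
        return False
    text = params.get("text", "").lower()
    hits = sum(1 for hint in CRED_HINTS if hint in text)
    return hits >= 2 and IPV4_RE.search(text) is not None


def scan_proxy_log(lines):
    """Walk decrypted-proxy log lines of the constructed form
    '<timestamp> <client_ip> <http_method> <url>' and report every Bot API call."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        timestamp, client_ip, _http_method, url = fields
        parsed = parse_bot_api_request(url)
        if parsed is None:
            continue
        token, api_method, params = parsed
        findings.append({
            "timestamp": timestamp,
            "client": client_ip,
            # The full token is a usable credential for the bot; a report
            # should carry only the bot id and a short fragment of it.
            "bot_id": token.split(":", 1)[0],
            "token_fragment": token[-4:],
            "method": api_method,
            "chat_id": params.get("chat_id"),
            "credential_report": looks_like_credential_report(api_method, params),
        })
    return findings


# Constructed sample: the tokens, chat ids, addresses and credentials are fake.
SAMPLE_LOG = [
    "2019-02-12T10:03:41Z 10.0.0.23 GET https://api.telegram.org/bot123456789:AAEXAMPLEtokenNOTreal0123456789abcd/sendMessage?chat_id=-100123&text=user%3Asupport+pass%3AQw8%21zZ2p+ip%3A10.0.0.23",
    "2019-02-12T10:04:02Z 10.0.0.41 POST https://api.telegram.org/bot987654321:AAEXAMPLEtokenNOTreal0123456789wxyz/sendMessage?chat_id=55&text=Build+%2342+passed",
    "2019-02-12T10:04:09Z 10.0.0.23 GET https://example.com/bot1:notatelegramtoken/sendMessage?text=x",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        flag = "CREDENTIAL REPORT" if f["credential_report"] else "bot traffic"
        print(f"{f['timestamp']} {f['client']} bot {f['bot_id']} (...{f['token_fragment']}) {f['method']}: {flag}")
```

The first sample line is flagged as a credential report and the second (a build notification from a legitimate bot) is not, which is the distinction a network analyst would want; the third line never reaches the heuristic because the host is not api.telegram.org. Note that the same visibility that lets a defender write this check is exactly what a man-in-the-middle attacker gets, token included, because nothing but TLS stands between the bot and the operator.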