Security

Telegram app used by malware to infiltrate online stores

An ongoing trend observed by cybersecurity analysts and malware researchers reveals Telegram messaging service is being abused by malware authors that target e-commerce websites.

The findings revealed by the web security company Astra highlights that malware actors plant scripts on compromised websites that transmit error logs and other sensitive data over encrypted Telegram channels.

“The error logs or sensitive information that are being sent to the hacker via Telegram is to check whether their malware is planted successfully on a website or not, and in another case, if the malware is planted successfully then they’re sending the sensitive information of the victims to a specific telegram number or channel,” said Kanishk Tagade of Astra in a blog post.

“Magento, Prestashop and WooCommerce stores remain the top target of this hacking campaign,” he continued.

The use of an encrypted service allows attackers to not only evade detection of malicious traffic, but also prevent from being blacklisted as they use Telegram’s infrastructure which would naturally be trusted by many security products.

Image: Malware infected PHP file flagged by Astra caught communicating with Telegram’s API

Astra’s engineers stated, “The hacker sends a request with $_POST[‘name’] =  evil.php  and $_POST[‘content’] = example.com/moreMaliciousCode.txt

“The backdoor script then creates a file called evil.php on the server with the file contents found in example.com/moreMaliciousCode.txt. The hacker then visits compromised-site.com/evil.php to execute the bad code.”

According to the engineers, the hacker group is called “B4JAT4X” based on the clues left in the malicious source code.

These findings follow a recent discovery by Malwarebytes where the company had found web skimmers stealing credit card information from infected websites and transmitting it over Telegram to the attackers.

With the rise in popularity of end-to-end encryption messaging platforms, attacks like these are only expected to grow and evolve with newer tactics.

“Security experts have long been recommending regular malware scanning as a key security measure for the safety of websites,” says Tagade.

“It is time you primed your websites with due security measures to keep it protected at all times,” he concluded.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.