Research once again highlights shortcomings in ‘secure’ messenger

Telegram isn’t even reliable as a botnet control channel, according to new research that adds to previous infosec-related criticism of the chat app.

The secure messaging app, once hailed as a viable alternative to the big tech-owned end-to-end (E2E) encrypted services like WhatsApp, is now being used, at least experimentally, as a command station for malware delivery.

In a report released today, researchers at Forcepoint Security Labs said that malware written in .NET was communicating with an attacker’s machines through Telegram, giving them the ability to conduct nefarious operations across networks without detection.

At least that’s the idea.

According to Forcepoint, the attacker’s use of Telegram as a command-and-control (C2) server was easily spotted due to a bug in the encrypted service’s Bot API.

“Malware that uses Telegram as a C2 channel typically uses the Telegram Bot API for communications,” Forcepoint said in its report.

“Due to how the Bot API works, all past bot messages can be replayed by an adversary capable of intercepting and decrypting HTTPS traffic.”

Unlike the messages sent between users, which implement Telegram’s in-house MTProto encryption, developers that build bot programs are only protected by the HTTPS protocol.

“Telegram (justifiably) sees TLS as not secure enough on its own for an encrypted messaging application,” Forcepoint explained.

“Unfortunately, this does not apply in the case of programs which use the Telegram Bot API as messages sent this way are only protected by the HTTPS layer. To make matters worse, any adversary capable of gaining a few key pieces of information transmitted in every message can not only snoop on messages in transit, but can recover the full messaging history of the target bot.”

Capturing a token embedded in all communication under the Telegram API would be enough for an attacker to recover all messages sent and received by a bot.

“This often includes messages between regular human users, as bots frequently share a group chat with them,” Forcepoint said.

The systemic flaw meant an attacker’s entire operation was also visible.

“One particular piece of malware [written in .NET] proved to be an excellent case study of why this is dangerous, with the threat actor clearly not having the necessary separation between their testing/development and operational environments,” said Forcepoint.

“This meant that we could track their first steps towards creating and deploying the malware, all the way through to current campaigns in the form of communications to and from both victims and test machines.”

Researchers were even able to determine what they believe was the attacker’s IP address in “an extraordinarily poor display of operational security,” they said.

Forcepoint has informed Telegram of the vulnerability, and recommends users avoid bots created on its service.

Criticism of Telegram’s channel appears to be growing, including claims of its increased collaboration with the Iranian government amid an ongoing battle over relenting control of encryption keys to the Russian security services.

In 2017, Kaspersky spotted a bug in the service’s desktop app that was being exploited by attackers to install malware remotely.

That flaw has since been fixed.

The Daily Swig has reached out to Telegram for comment.


RELATED Russia demands Telegram encryption keys