During a recent investigation, a team of researchers at the security firm Forcepoint Labs discovered a piece of malware, dubbed GoodSender, that uses the encrypted messenger Telegram as the channel over which it receives commands from its operator.
Forcepoint Labs described GoodSender as a "fairly simple" Windows-based malware, almost a year old, which uses Telegram to listen for and wait on commands. Once a machine is infected, the malware creates a new administrator account and enables Remote Desktop, then sends the resulting data (the administrator username and a randomly generated password) to the attacker through Telegram.
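The post-infection behaviour described above (a new local account is created, granted administrator rights, and Remote Desktop is switched on, all on one host within a short time) is a pattern a defender can correlate from host telemetry. The following is an added example, not Forcepoint's tooling and not code from the article; it assumes Windows Security events 4720 (user account created) and 4732 (member added to a local group) plus Sysmon event 13 (registry value set) for the `fDenyTSConnections` value that controls RDP, and that the events have already been normalised into dicts. The sample records are constructed for this example.

```python
"""Correlate the GoodSender-style sequence: new local account -> added to
Administrators -> RDP enabled, all on the same host inside a time window.

Added illustration, not Forcepoint's code. Assumes events normalised into
dicts with ``ts``, ``host``, ``source``, ``event_id`` and ``fields``.
"""
from datetime import datetime, timedelta

# Windows Security log: 4720 = user account created,
# 4732 = member added to a security-enabled local group.
# Sysmon event 13 = registry value set; RDP is enabled by writing 0 to
# fDenyTSConnections under the Terminal Server key.
EVT_ACCOUNT_CREATED = 4720
EVT_ADDED_TO_LOCAL_GROUP = 4732
SYSMON_REG_VALUE_SET = 13
RDP_DENY_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

# Constructed sample events (not real telemetry). ``source`` distinguishes the
# Security log from Sysmon because the two channels reuse numeric IDs.
SAMPLE_EVENTS = [
    {"ts": "2019-01-10T09:00:01", "host": "WS01", "source": "Security", "event_id": 4720,
     "fields": {"TargetUserName": "svc_backup"}},
    {"ts": "2019-01-10T09:00:03", "host": "WS01", "source": "Security", "event_id": 4732,
     "fields": {"TargetUserName": "Administrators", "MemberName": "WS01\\svc_backup"}},
    {"ts": "2019-01-10T09:00:05", "host": "WS01", "source": "Sysmon", "event_id": 13,
     "fields": {"TargetObject": RDP_DENY_VALUE, "Details": "DWORD (0x00000000)"}},
    # Benign: an existing domain user is added to local admins; no new account, no RDP change.
    {"ts": "2019-01-10T14:30:00", "host": "WS02", "source": "Security", "event_id": 4732,
     "fields": {"TargetUserName": "Administrators", "MemberName": "CORP\\jdoe"}},
]


def _parse_ts(s):
    return datetime.fromisoformat(s)


def _member_short_name(member):
    """4732 logs the member as 'HOST\\user' or 'DOMAIN\\user'; keep only the user part."""
    return member.rsplit("\\", 1)[-1].lower()


def correlate(events, window=timedelta(minutes=10)):
    """Return one alert per (host, account) where all three steps occur within ``window``."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        created = [e for e in evs
                   if e["source"] == "Security" and e["event_id"] == EVT_ACCOUNT_CREATED]
        for c in created:
            t0 = _parse_ts(c["ts"])
            name = c["fields"]["TargetUserName"].lower()
            # Only look at events from the account creation forward, up to the window end.
            in_window = [e for e in evs if t0 <= _parse_ts(e["ts"]) <= t0 + window]
            promoted = any(
                e["source"] == "Security" and e["event_id"] == EVT_ADDED_TO_LOCAL_GROUP
                and e["fields"].get("TargetUserName", "").lower() == "administrators"
                and _member_short_name(e["fields"].get("MemberName", "")) == name
                for e in in_window)
            rdp_enabled = any(
                e["source"] == "Sysmon" and e["event_id"] == SYSMON_REG_VALUE_SET
                and e["fields"].get("TargetObject", "").lower() == RDP_DENY_VALUE.lower()
                and e["fields"].get("Details", "").endswith("(0x00000000)")
                for e in in_window)
            if promoted and rdp_enabled:
                alerts.append({"host": host, "account": name, "first_seen": c["ts"],
                               "reason": "new local admin account and RDP enabled within window"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying the correlation on the newly created account name, rather than on any 4732 event, is what keeps the benign WS02 record from firing: a routine group change or an RDP policy push on its own is noise, while the three steps together on one host in a few seconds match the behaviour the researchers describe. The window is a tunable; the Telegram channel itself is encrypted, so host-side correlation like this is where the infection is visible.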
The attacker uses the messenger to issue additional commands to the malware and to send instructions over HTTPS.
This is not the first time threat actors have used commercial products to communicate: researchers have previously found hidden commands in pictures posted on Twitter and in the comment sections of celebrities' Instagram accounts. Using an encrypted messenger, however, makes the traffic a lot harder to detect.
GoodSender also revealed a weakness in Telegram's bot API: a person who has some additional information can snoop on the bot's chatter and retrieve the full chat history of the target bot. Regular users' messages are encrypted with MTProto, a protocol that cryptographers have criticized for leaking metadata.
Forcepoint contacted Telegram regarding the API problem but has yet to receive an answer. Telegram has not responded to SC Media's query either.