Hackers use messaging app for cybercrime

By Caique Barqueta: Telegram is a messaging app used by many people all over the world for a wide range of purposes, both legal and illegal.

For illicit purposes, Telegram is used for cybercrime, whether for selling data, leaking personal data, hacktivism, selling illegal products such as fake documents and narcotics, and so on.

One of the reasons the app is the preferred choice for cybercriminals is because of its built-in encryption and the ability to create channels and large private groups.

About the application

The Telegram application is a type of "multi-platform" messaging service launched in 2013 by Russian brothers Nikolai and Pavel. The platform allows users to send messages, videos, photos and files of any type, such as .doc, .zip, .mp4 and others up to 2 GB in size, and allows the creation of groups and channels.

According to Telegram, it is the only company focused on privacy, encryption and an open-source API, offering "end-to-end" encrypted chats as an option; any message sent can be deleted at any time by either the sender or the recipient.

The API can be used for integration with other platforms, customized bots, themes, stickers and other purposes.

One of the points we can mention is that Telegram has already cooperated with law enforcement in certain cases, leading us to question whether messages are really as private as everyone imagines them to be.

Telegram users

Telegram users have essentially two identifiers: "usernames" and "user IDs". The usernames are not public and can be edited in the settings. Once a name has been defined, the user can share their profile with other people via a link of the form "t.me/username". IDs are assigned to users, groups and channels by Telegram, and users cannot change them.

Telegram channels

The channels that Telegram users can create

Users can use channels to build communities and share unlimited resources within them. Channels are one-way communication platforms: only administrators can send messages, and subscribers and channel participants cannot reply.

In 2020, Telegram updated the platform and allowed channel subscribers to comment on channel posts.

Telegram groups

The next feature is chat groups, where members can interact with each other and reply to messages. In groups, members can see the other participants, which is why both closed and open groups exist.

One of the things that sets Telegram apart from other apps is the possibility of adding up to 200,000 people to a single group.

Creating Bots

Telegram makes it possible to use and create bots, which are essentially automated Telegram accounts. They are useful tools for a variety of purposes, including creating and managing group chats, acting as assistants and more. Bots can also be automated to collect data from outside the application.

Toncoin, the Telegram currency

The app has its own cryptocurrency, now known as Toncoin, which is a native token of The Open Network, a blockchain-based technology developed by Telegram.

Telegram can be considered a platform widely used by cybercriminals, since on it they can share information and data, coordinate activities and contact other malicious actors. In addition, Telegram makes it easier to sell stolen data and illicit goods, or even to recruit new members for their activities.

Announcement and promotion of the Telegram channel

Telegram is used by cybercriminals because of the privacy and security it offers. The platform also allows users to register accounts without divulging personal information, which makes it simple to set up multiple identities that can be used without revealing who the user really is.

Cybercriminals can also sign up with virtual numbers or foreign phone numbers that are not linked to their real identities, making it difficult to identify the real identity of the threat actor.

For organizations working to combat fraud and malicious acts by these actors, it is possible to search Telegram channels and groups simply by typing a relevant word in the search bar, as well as to access the data of specific channels or groups and to create bots that search for and collect data.
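The monitoring described above can be automated once a channel's history has been collected. The following is an added example, not code from the original post: it scans a chat export shaped like the Telegram Desktop JSON export (a top-level `name`, `id` and `messages` list, with each message's `text` stored either as a plain string or as a list of strings and entity objects) for a watchlist of organization names and keywords, and returns one hit per matching message. The channel, messages and organization names in the sample are constructed for the example.

```python
import json
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# Constructed sample shaped like a Telegram Desktop chat export (result.json).
# The channel name, messages and organisation names are all made up.
SAMPLE_EXPORT = json.dumps({
    "name": "example-leaks-channel",
    "type": "public_channel",
    "id": 1000000001,
    "messages": [
        {"id": 1, "type": "service", "date": "2024-01-01T10:00:00",
         "actor": "admin", "action": "create_channel"},
        {"id": 2, "type": "message", "date": "2024-01-02T11:30:00", "from": "seller1",
         "text": "Selling full database of Acme Bank BR, 2M rows, DM for price"},
        {"id": 3, "type": "message", "date": "2024-01-02T12:00:00", "from": "seller2",
         "text": [{"type": "bold", "text": "NEW LOGS"},
                  " redline stealer 500 logs, mixed countries"]},
        {"id": 4, "type": "message", "date": "2024-01-03T09:15:00", "from": "user3",
         "text": "anyone have the Contoso Health leak from last week?"},
        {"id": 5, "type": "message", "date": "2024-01-03T09:20:00", "from": "user4",
         "text": "good morning everyone"},
    ],
})


def flatten_text(text) -> str:
    """Message text in the export is either a plain string or a list mixing
    strings and entity dicts ({"type": ..., "text": ...}); join it into one string."""
    if isinstance(text, str):
        return text
    parts = []
    for part in text:
        parts.append(part if isinstance(part, str) else part.get("text", ""))
    return "".join(parts)


def build_watchlist(terms: Iterable[str]) -> List[Tuple[str, Pattern]]:
    """Compile each watchlist term as a case-insensitive whole-word pattern,
    escaping it so names with dots or symbols are matched literally."""
    return [(t, re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE)) for t in terms]


def scan_export(export_json: str, terms: Iterable[str]) -> List[Dict]:
    """Return one hit per message that mentions any watchlist term.

    Each hit keeps the channel id and message id so an analyst can go back to
    the original post, plus a short excerpt for triage."""
    export = json.loads(export_json)
    watchlist = build_watchlist(terms)
    hits = []
    for msg in export.get("messages", []):
        if msg.get("type") != "message":
            continue  # skip service events such as channel creation or joins
        body = flatten_text(msg.get("text", ""))
        matched = [term for term, pat in watchlist if pat.search(body)]
        if matched:
            hits.append({
                "channel": export.get("name"),
                "channel_id": export.get("id"),
                "message_id": msg.get("id"),
                "date": msg.get("date"),
                "sender": msg.get("from"),
                "matched": matched,
                "excerpt": body[:120],
            })
    return hits


if __name__ == "__main__":
    watch = ["Acme Bank", "Contoso Health", "stealer", "logs"]
    for hit in scan_export(SAMPLE_EXPORT, watch):
        print(hit["date"], hit["message_id"], hit["matched"], "->", hit["excerpt"])
```

Whole-word matching keeps short terms such as "logs" from firing on unrelated words, and skipping `service` entries avoids false hits on join and pin events; in practice the watchlist would be the organization's own names, domains and product names, and the hits would feed a ticketing or alerting pipeline.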

Selling stolen data

Accounts for popular streaming services and other services are advertised through Telegram channels; potential buyers browse the posts and negotiate the purchase of an account directly with the advertiser.

Announcement of accounts for a streaming service
Netflix platform account announcement

It's worth noting that some cybercrime forums hosted on the deep and dark web have exclusive Telegram channels, such as the Telegram channel for Raid Forums.

Raid Forums Telegram channel
Public Raid Forums on the Deep Web

Another common occurrence in Telegram chats is the resale of data stolen and exfiltrated from companies. After a particular threat actor makes the data public, other actors can download it and sell it later, claiming it to be new leaked data.

There are channels on Telegram that provide a rich source of resources for identifying where the sale of a given organization's data is taking place, as the pictures below show.

Selling data from a Brazilian organization
Monitoring Forum channels and sites about Brazilian organizations

InfoStealers

Stealer-type malware focuses on stealing information and data from an infected device. After the data is exfiltrated, it is sold as "stealer logs", which contain the entire mass of data collected from the victims.

Infections with this malware are increasing, as new malware-as-a-service programs are launched and disseminated all the time, such as RedLine, Mystic, Meduza, Vidar and other malware families.

The logs sold contain information such as user login credentials, browsing histories, cookies, authentication tokens and details about the user's device. If a threat actor purchases these logs, they can lead to further attacks or security incidents, such as data exfiltration, lateral movement, access sales and others.

Message selling RedLine logs
Publication of Mystic Stealer (malware-as-a-service)

Some of these malware families integrate with Telegram for exfiltration: after infecting a victim, the threat actor can choose to exfiltrate the stolen data to a channel or bot they have created.

Telegram has become one of the main tools threat actors use to sell these stealer logs, so it is important to prevent stealer infections by adopting best practices, which in turn prevents the data from being sold on Telegram channels.
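Because a stealer that exfiltrates to a bot, as described above, has to call the Telegram Bot API from the infected host, that traffic is visible in web-proxy logs. The following detection logic is an added example, not code from the original post or from any product: it parses constructed proxy log lines in an assumed `timestamp client method url status bytes` format, flags Bot API calls to data-sending methods from hosts that are not on an allowlist of approved integrations, redacts the bot token before it reaches an alert, and totals the bytes sent per client. The log lines, IP addresses and bot tokens are all made up.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed proxy log lines (not from any real environment). Assumed format:
# "<timestamp> <client_ip> <method> <url> <status> <bytes_sent>"
SAMPLE_PROXY_LOG = """\
2024-03-01T08:00:01Z 10.0.5.23 GET https://www.example.com/ 200 1532
2024-03-01T08:00:07Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:AAFakeTokenForExampleOnly/sendDocument 200 204811
2024-03-01T08:00:09Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:AAFakeTokenForExampleOnly/sendMessage 200 312
2024-03-01T08:01:15Z 10.0.7.40 GET https://web.telegram.org/ 200 8012
2024-03-01T08:02:30Z 10.0.9.12 POST https://api.telegram.org/bot9876543210:BBAnotherFakeToken/sendDocument 200 98211
"""

# Bot API methods that move data out of the host. A workstation calling these
# is suspicious unless it belongs to a known, approved integration.
EXFIL_METHODS = frozenset({"sendDocument", "sendPhoto", "sendVideo", "sendMessage"})

# Bot API URLs carry the bot id and secret token in the path: /bot<id>:<token>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def redact_token(bot_id: str, token: str) -> str:
    """Keep the numeric bot id for correlation across hosts, never the secret."""
    return f"{bot_id}:{token[:2]}***"


def detect_telegram_exfil(log_text: str,
                          approved_hosts: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one alert per proxy line where a non-approved client calls a
    data-sending Telegram Bot API method. Malformed lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, http_method, url, status, size = m.groups()
        if client in approved_hosts:
            continue  # a sanctioned bot integration, e.g. an alerting service
        api = BOT_API_RE.search(url)
        if not api or api.group("method") not in EXFIL_METHODS:
            continue
        alerts.append({
            "timestamp": ts,
            "client": client,
            "bot": redact_token(api.group("bot_id"), api.group("token")),
            "api_method": api.group("method"),
            "status": int(status),
            "bytes_sent": int(size),
        })
    return alerts


def summarize_by_client(alerts: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Aggregate call count and bytes sent per client so a host uploading
    large documents stands out from one sending a single short message."""
    summary: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        entry = summary.setdefault(a["client"], {"calls": 0, "bytes": 0})
        entry["calls"] += 1
        entry["bytes"] += a["bytes_sent"]
    return summary


if __name__ == "__main__":
    found = detect_telegram_exfil(SAMPLE_PROXY_LOG)
    for a in found:
        print(a["timestamp"], a["client"], a["api_method"], a["bot"], a["bytes_sent"])
    print(summarize_by_client(found))
```

The allowlist matters because some organizations do run legitimate Telegram bots (for monitoring notifications, for example); tuning on the client host rather than on the destination keeps those from drowning out an infected workstation, and the redacted bot id is still enough to group several victims reporting to the same operator.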

Ransomware actors and others

Threat actors that can be classified as ransomware groups have also migrated to the Telegram platform as a means of publishing data and extorting affected organizations.

Other threat actors such as LAPSUS$ and Stormous have published data from attacked organizations, created chats for discussion between members and even created dedicated channels for leaking a victim's data.

Stormous ransomware group promoting company
Publication by LAPSUS$
Bl00dy Ransomware Channel

Conclusion

Telegram has become one of the biggest tools used by threat actors for communication, sales, dissemination and any other purpose they find relevant to their operations. It should be treated as one more platform to be monitored, since threat actors are likely to keep adopting Telegram to carry out these illegal acts.

It is clearly worthwhile for security researchers to identify these threat actors on the platform, since monitoring can help prevent and mitigate cyber attacks on organizations, and relevant information can be collected about the actors, such as their tactics, techniques and procedures, the tools they use and their behaviour.
