
An Overview of Malicious Activities in Q1; Telegram Bots in Spotlight

Cybercriminals are increasingly turning to Telegram bots to launch various elusive and malicious campaigns. The Cofense Intelligence team has highlighted this trend, along with other observed malicious activities, in its Active Threat Reports (ATRs) for Q1 2023.

Key observations 

  • The volume of malicious email campaigns abusing Telegram bots observed in the first three months of 2023 exceeded the entire volume of attacks in 2022 by 310%. 
  • The volume of credential phishing attacks also increased significantly by 527%, which is an increase of 40% when compared to the same period last year.
  • During Q1 2023, threat actors were also observed experimenting with a variety of delivery mechanisms, including OneNote attachments, to disseminate malware to target systems. However, in many cases, the zip file remained a popular attack vector to deliver malware and phishing resources.
  • Additionally, YouTube was listed in the top 10 domains being used by threat actors to launch redirect phishing attacks.

What makes Telegram bots a suitable attack vector?

  • The utilization of Telegram bots to exfiltrate sensitive information from targets increased by 800% overall between 2021 and 2022.
  • These bots have become a popular choice for threat actors since they are easy to set up in private group chats and are compatible with a wide range of programming languages.
  • They can, furthermore, be integrated into malicious tooling such as malware or credential phishing kits.

Prevalent malware

  • The AgentTesla keylogger was used in a significant share (38%) of phishing attacks throughout January, followed by FormBook and Remcos.
  • In addition, QakBot appeared 185% more often than Emotet in email phishing campaigns between January and March.

Conclusion

It is imperative to educate employees on protecting themselves from falling prey to potential malicious threats. For the legitimate use of Telegram bots, an organization may consider authorizing bot tokens associated with legitimate users while blocking other harmful traffic. Additionally, it is crucial to have multiple email defense methods in place to prevent credential phishing attacks.
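One way to implement the bot-token allowlist suggested above, as an added example that is not Cofense's or Cyware's code: it scans constructed proxy-log lines for requests to the Telegram Bot API, extracts the bot token from the URL path, and flags any token the organization has not sanctioned, rating calls to message- and file-sending methods higher. The log format, the allowlist and the tokens are all assumptions.

```python
"""Flag egress traffic to the Telegram Bot API whose bot token is not on an
organizational allowlist. Added example, not Cofense's or Cyware's code."""
import re
from typing import Optional

# Telegram Bot API calls take the form https://api.telegram.org/bot<token>/<method>;
# a token is a numeric bot id, a colon, then an alphanumeric secret.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Constructed placeholder allowlist: tokens of bots the organization has sanctioned.
ALLOWED_TOKENS = {"100000001:EXAMPLE_ALLOWED_TOKEN_aaaaaaaaaa"}

# Bot API methods that move data out (messages, files), rated higher when unsanctioned.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy log line: '<ts> <src_ip> <http_method> <url>'."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, src, _http_method, url = parts
    m = BOT_API_RE.search(url)
    if not m:
        return None  # not a Bot API request
    return {"ts": ts, "src": src, "token": m["token"], "method": m["method"]}

def audit(lines, allowed=ALLOWED_TOKENS):
    """Return alerts for Bot API requests whose token is outside the allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["token"] in allowed:
            continue
        severity = "high" if rec["method"] in EXFIL_METHODS else "medium"
        # Report only the numeric bot id so the secret part is not copied into alerts.
        alerts.append({**rec, "severity": severity, "bot_id": rec["token"].split(":")[0]})
    return alerts

# Constructed sample proxy log lines (tokens are placeholders, not real).
SAMPLE_LOG = [
    "2023-03-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot100000001:EXAMPLE_ALLOWED_TOKEN_aaaaaaaaaa/sendMessage",
    "2023-03-01T10:00:07Z 10.0.0.9 POST https://api.telegram.org/bot200000002:EXAMPLE_UNKNOWN_TOKEN_bbbbbbbbbb/sendDocument",
    "2023-03-01T10:00:09Z 10.0.0.9 GET https://api.telegram.org/bot200000002:EXAMPLE_UNKNOWN_TOKEN_bbbbbbbbbb/getMe",
    "2023-03-01T10:00:12Z 10.0.0.7 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} bot {a['bot_id']} called {a['method']}")
```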
Cyware Publisher
