The Telegram service is being exploited by operators of a new Remote Access Trojan (RAT) to keep control of their malware. The RAT, named ToxicEye, uses Telegram as part of its command-and-control (C2) infrastructure to steal data.
In a blog post published on Thursday, Check Point Research’s Omer Hofman stated that the latest remote malware has been seen in the wild, with over 130 attacks reported in the last three months.
Telegram is a communication platform and instant messaging service that has recently seen a boost in popularity as a result of the recent controversy surrounding WhatsApp’s data-sharing policies with Facebook. The platform, which has over 500 million monthly active users, has also proven popular among cybercriminals who use it to distribute and execute malicious software.
ToxicEye operators start the attack chain by creating a Telegram account and a bot. Bots are used for several tasks, such as reminders, searches, issuing orders, and launching surveys. In this case, however, the malware’s configuration includes a bot for malicious purposes.
According to researchers, “Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C2 via Telegram.”
Phishing emails with malicious document attachments are sent to intended victims. ToxicEye is launched if a victim allows the resulting malicious .exe file to be downloaded. The ToxicEye RAT has a variety of features, which include the ability to search for and steal credentials, computer OS data, browser history, clipboard content, and cookies, as well as transfer and delete files, disable PC processes, and hijack task management.
Furthermore, the malware can install keyloggers and gain access to microphones and camera peripherals to capture audio and video. The researchers discovered ransomware characteristics such as the ability to encrypt and decrypt victim data.
A user who suspects an infection should check for the file “C:\Users\ToxicEye\rat.exe”. This applies to both personal and business use, and if the file is discovered, it should be deleted immediately.
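The following script is an added example and is not code from the article or from Check Point Research. It turns the two defender-side points above into something runnable: it looks for the on-disk indicator the article names (parameterised by drive root, so it can also be run against a mounted image) and records the file's size and SHA-256 before anyone deletes it, and it sweeps egress-log lines for endpoints reaching the Telegram Bot API from a process that is not a known Telegram client or browser. The Bot API host api.telegram.org is an assumption (the article only says the RAT reaches its C2 "via Telegram"); the log format, the process allowlist and the sample log lines are constructed for the demo.

```python
"""Added example, not from the article or Check Point Research.

Two defender-side checks for the ToxicEye activity the article describes:
  1. look for the on-disk indicator the article names, C:\\Users\\ToxicEye\\rat.exe,
     under a given drive root (so a mounted image can be checked too);
  2. sweep egress-log lines for hosts reaching the Telegram Bot API from a
     process outside a small allowlist of expected Telegram clients.
Assumptions: api.telegram.org is the Bot API host a bot-driven RAT would
contact; the log format, allowlist and sample lines are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Indicator path from the article, relative to the system drive root.
INDICATOR_RELATIVE = Path("Users") / "ToxicEye" / "rat.exe"

# Assumption: the Telegram Bot API host a bot-driven RAT would contact.
TELEGRAM_API_HOST = "api.telegram.org"

# Constructed allowlist: processes expected to talk to Telegram on a workstation.
ALLOWED_TELEGRAM_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed egress-log format: "<timestamp> <host> <process> <dst_host>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_indicator(drive_root: str) -> Optional[dict]:
    """Return a finding for the article's indicator path under drive_root, or None.

    The finding records size and SHA-256 so the sample can be preserved and
    shared before it is removed; this function never deletes anything."""
    candidate = Path(drive_root) / INDICATOR_RELATIVE
    if not candidate.is_file():
        return None
    return {
        "path": str(candidate),
        "size": candidate.stat().st_size,
        "sha256": sha256_of(candidate),
    }


def suspicious_telegram_clients(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, process, timestamp) for each line in which a process outside
    the allowlist connected to the Telegram Bot API. Malformed lines are skipped."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        if match["dst"].lower() != TELEGRAM_API_HOST:
            continue
        if match["proc"].lower() in ALLOWED_TELEGRAM_PROCESSES:
            continue
        hits.append((match["host"], match["proc"], match["ts"]))
    return hits


# Constructed sample log: a desktop client, a browser, an unknown binary reaching
# the Bot API, an unrelated connection, and one malformed line.
SAMPLE_LOG = [
    "2021-04-22T09:01:10Z WS-101 telegram.exe api.telegram.org:443",
    "2021-04-22T09:02:44Z WS-102 chrome.exe api.telegram.org:443",
    "2021-04-22T09:03:05Z WS-103 rat.exe api.telegram.org:443",
    "2021-04-22T09:03:30Z WS-103 outlook.exe outlook.office365.com:443",
    "garbage line with no structure",
]


def demo_filesystem_check() -> Tuple[Optional[dict], Optional[dict]]:
    """Plant a harmless marker file at the indicator path inside a temporary
    'drive' and show the check firing there while staying quiet on a clean one."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        marker = Path(infected) / INDICATOR_RELATIVE
        marker.parent.mkdir(parents=True)
        marker.write_bytes(b"constructed marker, not malware")
        return check_indicator(infected), check_indicator(clean)


if __name__ == "__main__":
    found, not_found = demo_filesystem_check()
    print("infected drive:", found)
    print("clean drive:", not_found)
    for host, proc, ts in suspicious_telegram_clients(SAMPLE_LOG):
        print(f"{ts} {host}: {proc} reached {TELEGRAM_API_HOST} outside the allowlist")
```

The file check reports a hash rather than deleting, so a responder can preserve the sample and cross-check it before acting on the article's advice to remove it. The log sweep is deliberately allowlist-based: Telegram traffic itself is normal on many networks, and what distinguishes a bot-driven RAT is the process originating it, not the destination alone.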
Researchers stated, “Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”