Operators of the remote access trojan (RAT) known as ToxicEye are running their cybercrime campaign through the features of the secure instant-messaging service Telegram, researchers from Check Point Research have discovered.
Check Point says it has tracked more than 130 attacks involving the ToxicEye RAT in the past three months, and warns that even end users who do not have Telegram installed on their devices can be at risk.
In the analyzed attack, the attackers first created a Telegram account and a dedicated Telegram bot, which they then embedded in the ToxicEye malware and distributed as an attachment in a spam email campaign.
If the victim opens the attachment, the malware connects to Telegram, which lets the attackers control the infected device through their bot. In effect, Telegram becomes their command-and-control (C2) infrastructure.
“We have discovered a growing trend in which malware authors use the Telegram platform as a ready-made command-and-control system for distributing malware to organizations,” said Check Point Group R&D manager Idan Sharabi.
“This system allows the malware to receive further commands and operations, even if Telegram is not installed or used on the target computer. The malware used by the hackers here can easily be found in easily accessible places like Github. We believe that attackers take advantage of the fact that Telegram is used and allowed in almost all organizations, which allows hackers to circumvent security restrictions.
“We strongly urge organizations and Telegram users to be aware of malicious e-mails and to be more suspicious of e-mails that incorporate their username into the subject, or e-mails that contain incorrect language.
“Given that Telegram can be used to distribute malicious files or as a command and control channel for remote-controlled malware, we fully expect that additional tools using this platform will continue to evolve in the future.”
Among other capabilities, the ToxicEye malware can control the file system, exfiltrate data, and encrypt its victims' files when deployed as ransomware.
Sharabi said the discovery of this campaign is evidence of a “growing trend” in Telegram-based malware, which probably coincides with the increased popularity of the messaging service. Several Telegram-based malware tools are already offered in hacking-tool repositories on GitHub.
There are several reasons why cyber criminals may be turning to Telegram. First, it is a legitimate, easy-to-use and stable service that is rarely, if ever, blocked by antivirus or network-management tools, so traffic to it tends to go unnoticed by security teams. Second, because it is an anonymous, secure messaging service, the attackers themselves can remain anonymous. Third, Telegram's communication features make it fairly easy to exfiltrate data from compromised devices or push new malicious files to them. Finally, it lets them operate against their victims from a standard mobile device anywhere in the world.
Users can check whether they are affected by ToxicEye by looking for a file named C:\Users\ToxicEye\rat.exe on their system. If you find that your device is infected, contact your security team and delete the file. To avoid infection, take the same precautions that are always recommended against phishing attacks: be cautious with unsolicited email attachments, especially those that contain your username; look for undisclosed or unlisted recipients; and pay attention to the language used and other potential social-engineering techniques.
Security teams can help by monitoring traffic from hosts within the organization to Telegram C2 infrastructure: if such traffic is found and the organization does not use Telegram as a business tool, it can be treated as an indicator of compromise (IoC). They should also keep comprehensive, up-to-date anti-phishing, identity-protection and email-protection solutions in place.
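The monitoring step above, as an added example that is not part of the article or Check Point's own tooling: a small Python detector that groups Telegram Bot API calls in a web-proxy log by source host, skips hosts that are sanctioned to use Telegram, and flags hosts whose bot calls include outbound file or message methods. The log format, host names and bot tokens are all constructed for the example; the assumption that bot traffic goes to api.telegram.org/bot<id>:<secret>/<method> reflects the public Bot API.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log (not from the article): "<timestamp> <source host> <method> <url>".
# The bot tokens below are made up; they only mimic the "<bot id>:<secret>" shape the Bot API uses.
SAMPLE_LOG = """\
2021-04-22T09:12:01Z ws-finance-07 GET https://api.telegram.org/bot1234567890:AAEXAMPLEtokenXYZ/getUpdates?offset=41
2021-04-22T09:12:03Z ws-finance-07 POST https://api.telegram.org/bot1234567890:AAEXAMPLEtokenXYZ/sendDocument
2021-04-22T09:13:10Z ws-hr-02 GET https://www.example.com/index.html
2021-04-22T09:14:44Z phone-marketing-01 GET https://api.telegram.org/bot9876543210:AAEXAMPLEother/getMe
2021-04-22T09:15:02Z ws-finance-07 GET https://api.telegram.org/bot1234567890:AAEXAMPLEtokenXYZ/getUpdates?offset=42
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>; the secret is not captured.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
# Methods that push data out of the host; a RAT exfiltrating files over Telegram would call these.
OUTBOUND_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}


def find_telegram_bot_traffic(log_text, sanctioned_hosts=frozenset()):
    """Group Bot API calls by source host, ignoring hosts that legitimately use Telegram.

    Returns {host: {"bot_ids": set, "methods": set, "calls": int, "outbound": bool}}.
    """
    hits = defaultdict(lambda: {"bot_ids": set(), "methods": set(), "calls": 0, "outbound": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line or unrelated log format
        _ts, host, _verb, url = m.groups()
        api = BOT_API_RE.match(url)
        if api is None or host in sanctioned_hosts:
            continue
        bot_id, method = api.groups()
        rec = hits[host]
        rec["bot_ids"].add(bot_id)
        rec["methods"].add(method)
        rec["calls"] += 1
        if method in OUTBOUND_METHODS:
            rec["outbound"] = True
    return dict(hits)


if __name__ == "__main__":
    for host, rec in find_telegram_bot_traffic(SAMPLE_LOG, {"phone-marketing-01"}).items():
        verdict = "polling plus outbound transfer: treat as IoC" if rec["outbound"] else "polling only: investigate"
        print(f"{host}: {rec['calls']} Bot API calls, bot ids {sorted(rec['bot_ids'])}, {verdict}")
```

Polling getUpdates alone is how any bot-driven client fetches commands, so the outbound flag is what separates likely exfiltration from benign use on hosts not on the sanctioned list.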