Operators of a new Remote Access Trojan (RAT) are exploiting the Telegram service to maintain control of their malware.
Dubbed ToxicEye, the RAT abuses Telegram as part of command-and-control (C2) infrastructure in order to conduct rampant data theft.
On Thursday, Omer Hofman from Check Point Research said in a blog post that the new remote malware has been observed in the wild, with over 130 attacks recorded in the past three months.
Telegram is a communications channel and instant messaging service that recently experienced an increased surge in popularity prompted by controversial changes to WhatsApp’s data sharing policies with Facebook.
The legitimate platform, which accounts for over 500 million monthly active users, has also proven popular with cybercriminals using the service as a springboard to spread and deploy malicious tools.
The attack chain begins with ToxicEye operators creating a Telegram account and a bot.
Bots are used for a variety of functions, including setting reminders, running searches, issuing commands, and launching polls, among other features. In this case, however, a bot is embedded into the malware’s configuration for malicious purposes.
“Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C2 via Telegram,” the researchers say.
Phishing emails carrying malicious document attachments are sent to intended victims. If a victim opens the attachment and downloads the subsequent malicious .exe file, ToxicEye then deploys.
The ToxicEye RAT has a number of functions that you would expect this particular brand of malware to possess. This includes the ability to scan for and steal credentials, computer OS data, browser history, clipboard content, and cookies, as well as the option for operators to transfer and delete files, kill PC processes and hijack task management.
In addition, the malware can deploy keyloggers and is able to compromise microphones and camera peripherals to record audio and video. Ransomware traits, including the ability to encrypt and decrypt victim files, have also been detected by the researchers.
ToxicEye is the latest in a string of malware strains that use Telegram to maintain a C2, with off-the-shelf and open source malware that contains this functionality now commonplace.
If you suspect an infection, search for “C:\Users\ToxicEye\rat.exe”. This goes for both individual and enterprise use, and if found, the file should be immediately removed from your system.
“Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” the researchers commented.
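As an added defensive example (not from the article or from Check Point’s report), the script below turns the two hunting points above into code: it checks for the drop path the article names and flags Telegram Bot API requests in proxy logs, since that API is the C2 channel the bot-based RAT relies on. The log layout and the sample log lines are constructed for the example.

```python
import re
from pathlib import Path

# Telegram Bot API requests carry the bot token in the URL path:
#   https://api.telegram.org/bot<numeric id>:<secret>/<method>
# A workstation calling this endpoint outside a sanctioned bot deployment
# is worth a closer look; the token's numeric prefix identifies the bot.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{5,}:[A-Za-z0-9_-]{20,})/(?P<method>\w+)"
)


def check_dropper_path(root=Path("C:/")) -> bool:
    """True if the ToxicEye drop path named in the article exists under root."""
    return (root / "Users" / "ToxicEye" / "rat.exe").exists()


def find_bot_c2(log_lines):
    """Return (source host, bot id, API method) for lines showing Bot API use.

    Assumed log layout: "<timestamp> <source host> <url>" (one request per line).
    Only the numeric bot id is returned so the secret part of the token
    does not leak into tickets or dashboards.
    """
    hits = []
    for line in log_lines:
        m = BOT_API_RE.search(line)
        if not m:
            continue
        host = line.split()[1]
        bot_id = m.group("token").split(":")[0]
        hits.append((host, bot_id, m.group("method")))
    return hits


# Constructed sample proxy log lines (not real traffic, not from the article).
SAMPLE_LOG = [
    "2021-04-22T10:01:02Z WS-17 https://api.telegram.org/bot1234567890:AAFexampleTOKENexample1234/getUpdates?offset=5",
    "2021-04-22T10:01:03Z WS-17 https://www.example.com/index.html",
    "2021-04-22T10:01:04Z WS-22 https://api.telegram.org/bot9876543210:AAHanotherEXAMPLEtoken987/sendDocument",
]

if __name__ == "__main__":
    print("drop path present:", check_dropper_path())
    for host, bot_id, method in find_bot_c2(SAMPLE_LOG):
        print(f"{host}: Bot API call ({method}) for bot id {bot_id}")
```

The getUpdates/sendDocument pair seen in the sample is the pattern a bot-driven C2 produces: polling for commands and uploading files back through the same bot.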