The operators of a remote access trojan (RAT) dubbed ToxicEye are managing their cyber crime campaign by exploiting features of the secure Telegram instant messaging service, cyber researchers at Check Point Research have discovered.
Check Point says it has now tracked more than 130 attacks involving the ToxicEye RAT in the past three months, and are warning that even end-users who do not have Telegram installed on their devices may be at risk.
In the analysed attack, the attackers first created a Telegram account and a dedicated Telegram bot which they then bundled with the ToxicEye malware and spread it via spam campaigns as an email attachment.
If opened by a victim, the malicious attachment connects to Telegram, enabling the attackers to gain a foothold on their device via the bot. In effect, Telegram has become their command and control (C2) infrastructure.
“We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command and control system for malware distribution into organisations,” said Check Point’s R&D group manager, Idan Sharabi.
“This system allows the malware used to receive future commands and operations remotely, even if Telegram is not installed or used on the target PC. The malware that hackers used here is easily found on easily accessible places like Github. We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organisations, which enables the hackers’ actions to bypass security restrictions.
“We strongly urge organisations and Telegram users to be aware of malicious emails and to be more suspicious of emails that embed their username in the subject, or emails that include broken language.
“Given that Telegram can be used to distribute malicious files, or as a command and control channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”
Among other things, the ToxicEye malware is capable of file system control, data exfiltration, and can be used to encrypt its victims’ files during the installation of ransomware.
Sharabi said the discovery of this campaign was evidence of a “growing trend” in Telegram-based malware, which likely aligns to the increased popularity of the messaging service. There are already a number of Telegram-based malwares being offered off-the-shelf in hacking tool repositories on GitHub.
There are several reasons why cyber criminals may be targeting Telegram. First, it is a legitimate, easy-to-use and stable service that is rarely if ever blocked by antivirus or network management tools, so it goes unnoticed by security teams. Second, as an anonymous, secure messaging service, the attackers are themselves able to remain anonymous. Third, Telegram’s communications features make it quite easy to exfiltrate data from victim devices or transfer new malicious files to them. Finally, it also enables them to attack their victims from a standard mobile device anywhere in the world.
Users can protect themselves against ToxicEye by checking their systems for a file called C:\Users\ToxicEye\rat.exe. If found your device is infected and you should contact your security team and erase it. To avoid infection to begin with, one should take the same precautions that are always advised to protect against phishing attacks, such as being wary of unsolicited email attachments, particularly those containing usernames; looking for undisclosed or unlisted recipients; and noting language use and other potential social engineering techniques.
Security teams can assist by monitoring traffic generated from PCs within the organisation to a Telegram C2 – if found, and the organisation is not using Telegram as an enterprise solution, this may be an indicator of compromise (IoC), and by keeping comprehensive anti-phishing and email protection solutions switched on and up to date.