Following the WhatsApp privacy policy update, Telegram has gained significant popularity among users. Perhaps, that’s how it also drew attention to more cybercriminals too. Recently, researchers have discovered a new malware in the wild, dubbed ‘ToxicEye’ that exploits Telegram for RAT control.
ToxicEye Malware Targeting Telegram
Security researchers from Check Point Research have identified a new malware, the ToxicEye RAT, actively exploiting Telegram.
Elaborating the details in a blog post, the researchers revealed that the new malware actually abuses Telegram as its C&C. While unique, it isn’t an entirely new approach. The first attempt of this nature emerged back in 2017 by Masad infostealer.
CPR explained that this approach benefits the threat actors since Telegram is an otherwise legit app that doesn’t trigger security alerts, is easy to register, and provides swift access to computers and mobile devices. Thus, the threat actors can easily target a large number of users while evading detections.
Thus, leveraging these benefits, ToxicEye started off its campaign in the wild. CPR could already detect over 130 attacks spreading this RAT via spear phishing emails bearing a malicious executable.
If a victim clicks on the email attachment, the malware sneakily downloads and installs onto the target device. It can then execute various malicious activities such as stealing data, transferring or deleting files, recording audios and videos, killing system processes, up to the extent of executing ransomware attacks.
Describing the infection chain, the researchers stated that the attack begins via a Telegram bot.
The attacker first creates a Telegram account and a Telegram ‘bot.’…
The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’).
Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram.
Besides the bot, the attackers may also execute this attack via phishing emails containing a malicious document, namely “solution.doc”. Opening this file and allowing “enable content” would execute the malware.
Watch Out For Phishing
To stay safe from such attacks, the users should stay wary of unsolicited emails, particularly, those with attachments.
Also, users should keep their devices protected with robust security solutions to fend off such malware attacks.
