ToxicEye RAT exploits Telegram

Telegram | May 9, 2021


A new remote access Trojan (RAT) is exploiting cloud-based instant messaging platform Telegram to steal data from victims and update itself to perform additional malicious activities.

According to Check Point Research (CPR), Telegram has enjoyed a surge in popularity this year because of controversial changes to the privacy policy of its rival, WhatsApp. It was the most downloaded app worldwide in January 2021 and has surpassed 500 million monthly active users.

This popularity has not gone unnoticed by threat actors, who are increasingly exploiting Telegram as a ready-made command and control (C&C) system for their malware, because it offers several advantages compared to conventional Web-based malware administration.

The first time Telegram was used as C&C infrastructure for malware was the ‘Masad’ info-stealer back in 2017. The attackers behind Masad understood that using a popular IM service as an integral part of their attacks gave them a number of operational benefits.

A compelling target

Firstly, Telegram is a legitimate, easy-to-use and stable service that isn't blocked by enterprise anti-virus engines, nor by network management tools. Moreover, threat actors can remain anonymous as the registration process requires only a mobile number. Next, the unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines. Finally, Telegram also allows malefactors to use their mobile devices to access infected computers from almost any location globally.

Since 2017, dozens of new types of malware that use Telegram for C&C and abuse Telegram’s features for malicious activity have been found as ‘off-the-shelf’ weapons in hacking tool repositories on GitHub.

Over the past three months, CPR has witnessed more than 130 attacks using ToxicEye, a new multi-functional RAT which is spread via phishing emails containing a malicious .exe file.

If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of malicious actions without the victim's knowledge, including stealing data, deleting or transferring files, killing processes on the PC, hijacking the PC’s microphone and camera to record audio and video, and encrypting files for ransom purposes.

The RAT is managed by cyber criminals over Telegram: the attacker's Telegram bot is its C&C channel, and the RAT receives commands from it and exfiltrates data through it.

The infection chain

The bad actor initially creates a Telegram account and a Telegram ‘bot’. A bot is a special remote account with which users can interact in several ways: by chatting with it directly, by adding it to Telegram groups, or by sending it requests from the input field by typing the bot's Telegram username followed by a query.

The bot's details are embedded into the ToxicEye RAT configuration file, which is compiled into an executable. Any victim infected with this payload can then be controlled through the Telegram bot, which connects the victim’s device back to the attacker’s C&C via Telegram.

ToxicEye can also be downloaded and run by opening a malicious document seen in the phishing emails, called solution.doc, and clicking “Enable Content”. Once the executable has been installed, the attacker can hijack the computer through the bot.
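
Because a Telegram-controlled RAT has to carry its bot credentials to reach the Bot API, and ToxicEye's configuration is compiled into the executable, the bot token (or the API URL built from it) is usually recoverable as a plain string. The following is an added example, not ToxicEye code or CPR's tooling: it scans a byte blob for the bot-token shape in both ASCII and UTF-16LE encodings (the latter being common for strings in Windows binaries). The token pattern bounds, the sample bytes and both tokens are constructed for the example and match no real bot.

```python
"""Hunt for an embedded Telegram bot token in a suspect file (added example)."""
import re

# Token shape: numeric bot id, colon, secret. Bounds are deliberately loose
# and assumed from commonly seen tokens, not taken from the article.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{7,12}:[A-Za-z0-9_-]{30,45})(?![A-Za-z0-9_-])")
API_RE = re.compile(rb"https?://api\.telegram\.org/bot[^\s\"'\x00<>]{0,80}")


def _views(blob: bytes):
    """Yield the raw bytes, then ASCII projections of UTF-16LE decodes.

    Both byte alignments are tried because a UTF-16 string may start at an
    odd offset inside the file.
    """
    yield blob
    for off in (0, 1):
        text = blob[off:].decode("utf-16-le", errors="ignore")
        yield text.encode("ascii", errors="ignore")


def find_bot_tokens(blob: bytes) -> list:
    """Return the unique bot-token-shaped strings found in any view."""
    hits = set()
    for view in _views(blob):
        for m in TOKEN_RE.finditer(view):
            hits.add(m.group(1).decode("ascii"))
    return sorted(hits)


def find_api_urls(blob: bytes) -> list:
    """Return unique Bot API URLs (https://api.telegram.org/bot...)."""
    hits = set()
    for view in _views(blob):
        for m in API_RE.finditer(view):
            hits.add(m.group(0).decode("ascii"))
    return sorted(hits)


def scan(blob: bytes) -> dict:
    return {"tokens": find_bot_tokens(blob), "api_urls": find_api_urls(blob)}


# Constructed sample: header-like junk, an ASCII config entry, a UTF-16LE
# URL at an odd offset, and trailing junk. Tokens are invented.
ASCII_TOKEN = "1234567890:AAHfq9xBnr8Qq2l7zPmt3Y6wXc0V4uJ5kLm"
UTF16_TOKEN = "987654321:BBGr4xAfn8Qz2w7k_Pmt3Y6vXc0V-4uJ5kL"
UTF16_URL = "https://api.telegram.org/bot" + UTF16_TOKEN + "/sendDocument"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(64))
    + b"token=" + ASCII_TOKEN.encode() + b"\x00chat_id=13371337\x00"
    + bytes(range(255, 200, -1))
    + UTF16_URL.encode("utf-16-le") + b"\x00\x00"
    + bytes(range(32))
)

if __name__ == "__main__":
    for kind, values in scan(SAMPLE_BLOB).items():
        for v in values:
            print(f"{kind}: {v}")
```

A token found this way can be revoked by reporting it, and the bot ID (the digits before the colon) is a stable pivot for hunting other samples built with the same configuration. Packed or encrypted configurations will not show up as plain strings; run the scan over a memory dump of the running process in that case.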

Stay protected

CPR advises monitoring the traffic generated from PCs in the organisation to Telegram's servers for signs of a Telegram-based C&C. If such traffic is detected, and Telegram is not deployed as an enterprise solution, this is a possible indicator of compromise.
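
One way to act on that advice is to run proxy logs through a rule that flags workstations talking to the Bot API. The following is an added example, not CPR's tooling: a bot-controlled RAT polls api.telegram.org with getUpdates to fetch commands and pushes data out with sendDocument or similar, so the detection looks for Bot API traffic from any source not on a sanctioned list, then enriches the hit with polling regularity (beaconing) and bytes sent to exfiltration methods. The log format, the sanctioned-host list and every log line are constructed for the example.

```python
"""Flag Telegram Bot-API traffic in proxy logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

BOT_API_HOST = "api.telegram.org"
# Hosts approved to use the Bot API (e.g. a chat-ops server). Assumed.
SANCTIONED_BOT_CLIENTS = {"10.0.9.5"}
# Bot API methods that move data out of the network.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}

# Constructed log, one request per line:
# timestamp src_ip user method host path status bytes_out
T = "1234567890:AAHfq9xBnr8Qq2l7zPmt3Y6wXc0V4uJ5kLm"  # invented token
SAMPLE_LOG = f"""\
2021-05-03T10:14:00Z 10.0.4.17 jdoe GET api.telegram.org /bot{T}/getUpdates 200 312
2021-05-03T10:14:05Z 10.0.4.17 jdoe GET www.example.com /index.html 200 1024
2021-05-03T10:14:30Z 10.0.4.17 jdoe GET api.telegram.org /bot{T}/getUpdates 200 312
2021-05-03T10:15:00Z 10.0.4.17 jdoe GET api.telegram.org /bot{T}/getUpdates 200 312
2021-05-03T10:15:30Z 10.0.4.17 jdoe GET api.telegram.org /bot{T}/getUpdates 200 312
2021-05-03T10:16:00Z 10.0.4.17 jdoe GET api.telegram.org /bot{T}/getUpdates 200 312
2021-05-03T10:16:30Z 10.0.4.17 jdoe GET api.telegram.org /bot{T}/getUpdates 200 312
2021-05-03T10:16:41Z 10.0.4.17 jdoe POST api.telegram.org /bot{T}/sendDocument 200 524288
2021-05-03T10:20:11Z 10.0.9.5 svc-chatops GET api.telegram.org /bot4444444444:CCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getUpdates 200 210
2021-05-03T10:21:03Z 10.0.4.22 asmith CONNECT api.telegram.org:443 - 200 0
2021-05-03T10:22:40Z 10.0.4.31 bwong GET www.example.com /news 200 4096
"""


def parse_line(line: str):
    """Parse one constructed-format line; None if it does not fit."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, src, user, method, host, path, status, bytes_out = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "user": user, "method": method,
        "host": host.split(":")[0],  # CONNECT lines carry host:port
        "path": path, "status": int(status), "bytes_out": int(bytes_out),
    }


def bot_api_call(path: str):
    """Return (token, method) from /bot<token>/<method>, else (None, None)."""
    m = re.match(r"/bot([^/]+)/(\w+)", path)
    return (m.group(1), m.group(2)) if m else (None, None)


def is_regular(times, min_polls: int, jitter: float) -> bool:
    """True when there are enough polls and every gap is near the median."""
    if len(times) < min_polls:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    return med > 0 and all(abs(g - med) <= jitter * med for g in gaps)


def analyse(log_text: str, min_polls: int = 4, jitter: float = 0.25) -> list:
    """One alert per unsanctioned source that touched the Bot API."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] == BOT_API_HOST:
            by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        if src in SANCTIONED_BOT_CLIENTS:
            continue
        calls = [bot_api_call(r["path"]) for r in recs]
        polls = sorted(r["ts"] for r, (_, m) in zip(recs, calls) if m == "getUpdates")
        exfil = sum(r["bytes_out"] for r, (_, m) in zip(recs, calls) if m in EXFIL_METHODS)
        alerts.append({
            "src": src,
            "users": sorted({r["user"] for r in recs}),
            "requests": len(recs),
            "polls": len(polls),
            "regular_polling": is_regular(polls, min_polls, jitter),
            "exfil_bytes": exfil,
            "tokens": sorted({t for t, _ in calls if t}),
        })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Without TLS inspection the proxy only sees the CONNECT to api.telegram.org:443, as in the 10.0.4.22 line, so the host-level rule still fires but the token, method and exfiltration volume are only available with inspection or endpoint telemetry. The official Telegram clients speak MTProto to Telegram's data centres rather than the HTTPS Bot API, so a workstation hitting api.telegram.org deserves a look even where Telegram itself is allowed.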

Next, beware of attachments whose file names contain usernames. Malicious emails often use the victim’s username in the subject line or in the file name of the attachment. These are signs of a suspicious email, which should be deleted and never replied to, and whose attachments should never be opened.

In addition, if the email recipients have no names, or the names are unlisted or undisclosed, this is another sign the email is malicious or a phishing email.

Finally, CPR says to install an automated anti-phishing solution with AI-based anti-phishing capabilities that can identify and block phishing content across all of the company’s communication services.

“Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” the company ends.


[Figure: The ToxicEye infection chain]
[Figure: Code snippet example from open source Telegram RAT repositories]
[Figure: A functionality snippet example from a chosen Telegram RAT project]
[Figure: After installing the executable file, the attacker can hijack the computer through the bot]

By ITWeb
