Cybercriminals Using Telegram Messenger to Control ToxicEye Malware

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Adversaries are increasingly abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems.

"Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app," said researchers from cybersecurity firm Check Point, who have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called "ToxicEye."
The latest campaign spotted by Check Point is no different. Spread via phishing emails embedded with a malicious Windows executable file, ToxicEye uses Telegram to communicate with the command-and-control (C2) server and upload data to it. The malware also sports a range of exploits that allows it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for a ransom.

Specifically, the attack chain commences with the creation of a Telegram bot by the attacker, which is then embedded into the RAT's configuration file, before compiling it into an executable (e.g. "paypal checker by saint.exe"). This .EXE file is then injected into a decoy Word document ("solution.doc") that, when opened, downloads and runs the Telegram RAT ("C:\Users\ToxicEye\rat.exe").

"We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations," Check Point R&D Group Manager Idan Sharabi said. "We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions."
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top