With Telegram now past 500 million monthly active users, cybercriminals are finding the platform increasingly attractive. Malware authors are using it as a ready-made command and control (C&C) channel, and are distributing malware into organizations so that it can be used to capture sensitive information from targeted systems.
According to Check Point Research (CPR), there have been over 130 attacks using a new multi-functional remote access trojan (RAT) known as ‘ToxicEye’. It spreads via phishing emails and is managed by the attackers over Telegram, which serves both as the channel for communicating with the C&C server and as the channel for exfiltrating data.
How do cybercriminals use Telegram Messenger to control the ToxicEye malware?
ToxicEye spreads via phishing emails carrying a malicious .exe attachment. When the user opens it, the RAT installs itself on the victim’s machine and can then carry out a range of actions without the victim’s knowledge, such as stealing data, deleting or transferring files, and other malicious activities.
First, the attacker creates a Telegram account and a Telegram bot. A bot is a special remote account with which users can interact by chat, by adding it to a Telegram group, or by sending it direct requests from the input field (typing the bot’s Telegram username followed by a query).
The bot’s API token is then embedded in the ToxicEye RAT configuration file, which is compiled into the executable. Once a victim runs the malicious payload, the infected device connects to the attacker’s C&C through Telegram, and the attacker controls it via the bot.
How to identify an infected system, and tips to keep your system protected
Like other RATs delivered this way, ToxicEye has the key capabilities that characterize most of the recent attacks, such as ransomware and data-stealing features: it can locate and steal passwords, computer information, browser history and cookies.
To check whether a system is infected, look for a file called C:\Users\ToxicEye\rat.exe. If this file exists on your PC, the machine has been infected: contact your organization’s help desk immediately and make sure the file is erased from the system. Note that this is a single indicator; its absence does not prove that the machine is clean.
Additionally, monitor the traffic generated from PCs in your organization to Telegram, in particular to the Bot API endpoint at api.telegram.org, which is what a bot-controlled RAT must reach. If such traffic exists and Telegram isn’t installed as an enterprise solution, it is a possible indicator of compromise.
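The control mechanism described above (a bot token carried in the URL of every request, the implant polling the bot for operator commands and pushing results and files back) is also what makes the traffic detectable. The following Python script, added here as an example and not code from the original article or from CPR’s report, scans proxy-log lines for Telegram Bot API calls, counts polling and upload-style calls per client host, and flags hosts that are not on a sanctioned list. The log format, IP addresses, bot token and the choice of which Bot API methods count as "polling" and "exfiltration" are assumptions made for illustration; the URL shape (https://api.telegram.org/bot<token>/<method>) and the token format are Telegram’s documented Bot API conventions.

```python
"""Flag hosts that talk to the Telegram Bot API, the channel a bot-controlled RAT uses."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Telegram's Bot API puts the bot's secret token in the URL path of every call:
#   https://api.telegram.org/bot<token>/<method>
# The token is "<numeric bot id>:<35 chars of A-Z a-z 0-9 _ ->" (Telegram's documented format).
TELEGRAM_API_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$"
)

# Assumed split of Bot API methods: a RAT polls the bot for operator commands
# and pushes results or stolen files back with the send* methods.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed sample proxy log (not real traffic): "<timestamp> <client ip> <verb> <url> <status>".
# The bot token below is made up and only has the right shape.
SAMPLE_LOG = """\
2021-04-22T09:00:01Z 10.0.5.17 GET https://api.telegram.org/bot1234567890:AAEq7hJ9kLmN3pQ2rS5tU8vW1xY4zA6bC0d/getUpdates?offset=1 200
2021-04-22T09:00:02Z 10.0.5.42 GET https://www.example.com/index.html 200
2021-04-22T09:00:04Z 10.0.5.17 POST https://api.telegram.org/bot1234567890:AAEq7hJ9kLmN3pQ2rS5tU8vW1xY4zA6bC0d/sendMessage 200
2021-04-22T09:00:05Z 10.0.5.42 GET https://telegram.org/ 200
2021-04-22T09:00:09Z 10.0.5.17 POST https://api.telegram.org/bot1234567890:AAEq7hJ9kLmN3pQ2rS5tU8vW1xY4zA6bC0d/sendDocument 200
2021-04-22T09:00:11Z 10.0.5.17 GET https://api.telegram.org/bot1234567890:AAEq7hJ9kLmN3pQ2rS5tU8vW1xY4zA6bC0d/getUpdates?offset=2 200
"""


def parse_bot_call(url):
    """Return (bot_id, method) if url is a Telegram Bot API call, else None.

    Plain visits to telegram.org or the web client do not match: only the
    Bot API host plus the /bot<token>/<method> path shape counts.
    """
    parts = urlsplit(url)
    if parts.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    return m.group("bot_id"), m.group("method")


def redact_token(url):
    """Keep the numeric bot id (useful for pivoting across hosts) but mask the secret
    before the URL is copied into a ticket or alert."""
    return re.sub(r"/bot(\d+):[A-Za-z0-9_-]{35}/", r"/bot\1:<redacted>/", url)


def find_bot_c2(log_text, sanctioned_hosts=frozenset()):
    """Group Bot API calls per client host; hosts not on the sanctioned list are returned."""
    per_host = defaultdict(lambda: {"bot_ids": set(), "polls": 0, "exfil": 0, "methods": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the whole sweep
        _ts, client, _verb, url, _status = fields
        hit = parse_bot_call(url)
        if hit is None:
            continue
        bot_id, method = hit
        rec = per_host[client]
        rec["bot_ids"].add(bot_id)
        rec["methods"].add(method)
        if method in POLL_METHODS:
            rec["polls"] += 1
        elif method in EXFIL_METHODS:
            rec["exfil"] += 1
    return {host: rec for host, rec in per_host.items() if host not in sanctioned_hosts}


if __name__ == "__main__":
    for host, rec in find_bot_c2(SAMPLE_LOG).items():
        print(f"{host}: bot ids {sorted(rec['bot_ids'])}, "
              f"{rec['polls']} poll(s), {rec['exfil']} upload-style call(s), "
              f"methods {sorted(rec['methods'])}")
```

Hosts that only browse telegram.org are not flagged; the signal is the Bot API path with an embedded token, which a normal Telegram desktop or web client never requests. In a real deployment the sanctioned list would hold machines that legitimately run Telegram bots, and the extracted bot id can be used to group every infected host reporting to the same attacker bot.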