
How the ToxicEye RAT Exploited Telegram Platform for Malware Campaigns

by CISOCONNECT Bureau

Recently, security researchers discovered that hackers are exploiting the Telegram messaging app for their malware campaigns. Read on to know more…

Attackers are abusing the popular Telegram messaging platform as the command-and-control channel of a Remote Access Trojan (RAT) known as ToxicEye, according to Check Point Software Technologies. With over 500 million monthly active users and more than 63 million downloads, Telegram was the most downloaded app in the world in January 2021. That popularity extends to the cybercriminal community as well.

Telegram is an attractive channel for hiding malicious activity, the researchers note: it is a legitimate service that enterprise anti-virus engines and network management tools do not block, and it lets attackers stay anonymous because registration requires nothing more than a mobile phone number. Because of its communications infrastructure, Telegram also lets attackers exfiltrate data from victims' PCs, or push new malicious files to compromised machines, from anywhere in the world.

Check Point Research (CPR) has identified over 130 attacks using this new multi-functional remote access trojan, ToxicEye.

Working Mechanism
ToxicEye is distributed by phishing emails carrying a malicious .exe attachment. Once opened, it installs itself on the victim's computer and carries out a range of actions without the victim's knowledge: stealing data, deleting or transferring files, killing processes on the PC, hijacking the microphone and camera to record audio and video, and encrypting files for ransom.

According to the report, attackers control ToxicEye over Telegram: the implant communicates with the attacker's C&C through the Telegram service and exfiltrates data to it. In other words, an attacker-controlled Telegram account is used to operate a victim device infected with ToxicEye.

Infection Chain
To begin with, the attacker creates a Telegram account and a Telegram 'bot'. A Telegram bot is a special remote account that users can interact with in a Telegram chat, add to Telegram groups, or query directly from the input field by typing the bot's Telegram username followed by a query.

The bot is embedded in the ToxicEye RAT configuration file, which is then compiled into an executable; one file name the researchers found was 'paypal checker by saint.exe'. Any victim infected with this payload can then be attacked through the Telegram bot, which connects the victim's device back to the attacker's C&C via Telegram.

ToxicEye can also arrive as a malicious document named solution.doc attached to a phishing email: when the recipient clicks 'Enable Content', the document downloads and runs the Telegram RAT.

Various Functions
The Telegram RAT offers several groups of capabilities. Its data-stealing features locate and exfiltrate passwords, device details, browser history and cookies. Its file-system controls delete and transfer files, kill PC processes and take over the task manager.

Its I/O hijacking functions can install a keylogger, record audio and video of the victim's surroundings through the PC's microphone and camera, and capture the clipboard's contents. Finally, its ransomware features can encrypt and decrypt the victim's files.

Mitigation
According to Check Point, the presence of a file named rat.exe at the path C:\Users\ToxicEye\rat.exe is an indicator of infection.

Researchers also recommend that organisations monitor traffic from PCs to Telegram C&C endpoints, and treat such traffic as suspicious on systems where the Telegram app is not installed.
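The two indicators above (the dropped file path and Telegram Bot API traffic from hosts that have no Telegram client) can be hunted for together. The following script is an added example written for this page; it is not code from Check Point or from the article. The proxy log format, host names and file inventories are constructed for the example; the one real detail it assumes beyond the text is that Telegram bots talk to the endpoint api.telegram.org.

```python
"""
Added example: hunt for the ToxicEye indicators described in the text.
  1. the dropped file C:\\Users\\ToxicEye\\rat.exe in a host's file inventory
  2. outbound traffic to the Telegram Bot API from hosts with no Telegram client
The log format, host names and inventories below are constructed; the
Bot API host name api.telegram.org is the real endpoint Telegram bots use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicator of compromise from the Check Point write-up.
TOXICEYE_PATH = PureWindowsPath(r"C:\Users\ToxicEye\rat.exe")

# Telegram's Bot API endpoint (assumed here as the C&C host to watch).
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Constructed proxy-log format: "<timestamp> <host> <process> <dest>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+):(?P<port>\d+)$")


@dataclass
class Finding:
    host: str
    indicator: str   # "file" or "network"
    detail: str


def file_ioc_hits(host: str, files_on_host) -> list[Finding]:
    """Flag the host if the ToxicEye drop path appears in its file inventory.
    PureWindowsPath compares case-insensitively, so 'RAT.EXE' still matches."""
    return [Finding(host, "file", f"found {f}")
            for f in files_on_host
            if PureWindowsPath(f) == TOXICEYE_PATH]


def telegram_c2_hits(log_lines, hosts_with_telegram_client) -> list[Finding]:
    """Flag Bot API traffic unless it comes from the real client on a host
    where that client is installed. Malformed lines are skipped, not fatal."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dst"].lower() not in TELEGRAM_API_HOSTS:
            continue
        host, proc = m["host"], m["proc"]
        if host in hosts_with_telegram_client and proc.lower() == "telegram.exe":
            continue  # legitimate client where it is known to be installed
        # A process called Telegram.exe on a host with no client is still suspect.
        hits.append(Finding(host, "network",
                            f"{proc} -> {m['dst']}:{m['port']} at {m['ts']}"))
    return hits


def hunt(file_inventory: dict, log_lines, hosts_with_telegram_client) -> list[Finding]:
    """Run both checks and return every finding."""
    findings = []
    for host, files in file_inventory.items():
        findings.extend(file_ioc_hits(host, files))
    findings.extend(telegram_c2_hits(log_lines, hosts_with_telegram_client))
    return findings


# Constructed sample data (hypothetical hosts, files and log lines).
SAMPLE_FILES = {
    "WS-01": [r"C:\Windows\System32\notepad.exe", r"C:\Users\ToxicEye\rat.exe"],
    "WS-02": [r"C:\Users\alice\Documents\solution.doc"],
}
SAMPLE_LOG = [
    "2021-04-22T09:15:01Z WS-01 paypal_checker_by_saint.exe api.telegram.org:443",
    "2021-04-22T09:15:07Z WS-02 Telegram.exe api.telegram.org:443",
    "2021-04-22T09:16:30Z WS-03 Telegram.exe api.telegram.org:443",
    "2021-04-22T09:17:00Z WS-02 chrome.exe www.example.com:443",
    "this line is not in the expected format",
]
HOSTS_WITH_TELEGRAM = {"WS-02"}  # asset inventory says only WS-02 has the client

if __name__ == "__main__":
    for f in hunt(SAMPLE_FILES, SAMPLE_LOG, HOSTS_WITH_TELEGRAM):
        print(f"[{f.indicator}] {f.host}: {f.detail}")
```

On the sample data this reports three findings: the dropped file on WS-01, the unknown process on WS-01 talking to the Bot API, and a process named Telegram.exe on WS-03, a host the inventory says has no Telegram client. The last case is the reason the check keys on the asset inventory rather than on the process name alone.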

When it comes to scrutinising emails, the researchers advise extra vigilance. Before interacting with a suspicious email, check the recipient line: if no recipient is named, or the recipient is unlisted or undisclosed, the message is most likely phishing or malicious, according to Check Point.
