Turning Telegram Toxic: New ‘ToxicEye’ RAT is the Latest to use Telegram for Command & Control

New remote access trojan exploits Telegram communications to steal data from victims and update itself to perform additional malicious activities

Research by: Omar Hofman

Telegram, the cloud-based IM platform has enjoyed a surge in popularity this year because of controversial changes to its rival, WhatsApp’s privacy settings.  Telegram was the most downloaded app worldwide for January 2021 with more than 63 million installs, and has surpassed 500 million monthly active users.  This popularity also extends to the cyber-criminal community.  Malware authors are increasingly using Telegram as a ready-made command and control (C&C) system for their malicious products, because it offers several advantages compared to conventional web-based malware administration.  

In this blog, we’ll explore why criminals are increasingly using Telegram for malware control, using the example of a new malware variant called ‘ToxicEye’ that we have recently observed in the wild.

Why hackers are turning to Telegram for malware control

The first use of Telegram as the C&C infrastructure for malware was the ‘Masad’ info-stealer back in 2017.  The criminals behind Masad realized that using a popular IM service as an integral part of their attacks gave them a number of operational benefits: 

• Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools
• Attackers can remain anonymous as the registration process requires only a mobile number
• The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines
• Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.

Since Masad became available on hacking forums, dozens of new types of malware that use Telegram for C&C and exploit Telegram’s features for malicious activity, have been found as ‘off-the-shelf’ weapons in hacking tool repositories in GitHub.

Idan Sharabi, R&D Group Manager at Check Point Software Technologies says, “We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command & control system for malware distribution into organizations. This system allows the malware used to receive future commands and operations remotely using the service of Telegram, even if Telegram is not installed or used. The malware that hackers used here is easily found on easily accessible places like Github. We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform  cyber attacks, which can bypass security restrictions. We strongly urge organizations and Telegram users to be aware of malicious emails and to be more suspicious with emails that embed their username in the subject, or emails with broken language. Given that Telegram can be used to distribute malicious files, or as a command and control channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”

How to spot if you’ve been infected and tips to remain protected

• Search for a file called C:\Users\ToxicEye\rat.exe – if this file exists on your PC, you have been infected and must immediately contact your helpdesk and erase this file from your system. 

• Monitor the traffic generated from PCs in your organization to a Telegram C&C – if such traffic is detected, and Telegram is not installed as an enterprise solution, this is a possible indicator of compromise

• Beware of attachments containing usernames – malicious emails often use your username in their subject line or in the file name of the attachment on it. These indicate suspicious emails:  delete such emails, and never open the attachment nor reply to the sender.

• Undisclosed or unlisted recipient(s) – if the email recipient(s) has no names, or the names are unlisted or undisclosed – this is a good indication this email is malicious and / or a phishing email.

• Always note the language in the email – Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.

• Deploy an automated anti-phishing solution – Minimizing the risk of phishing attacks to the organization requires AI-based anti-phishing software capable of identifying and blocking phishing content across all of the organization’s communication services (email, productivity applications, etc.) and platforms (employee workstations, mobile devices, etc.). This comprehensive coverage is necessary since phishing content can come over any medium, and employees may be more vulnerable to attacks when using mobile devices. Check Point email security solution will help you prevent the most sophisticated phishing and social engineering attacks, before they reach users.