Operators of a new Remote Access Trojan (RAT) are exploiting Telegram to maintain control of their malware and infect victims’ machines. Dubbed ToxicEye by Check Point Research, the RAT can propagate across Telegram channels using bots, has ransomware traits, and uses Telegram as part of command-and-control (C2) infrastructure. Its operators’ goal is data theft.
The new remote malware has been observed in the wild by Omer Hofman from Check Point Research. He said in a blog post on Tuesday that ToxicEye is responsible for over 130 attacks in the past three months.
Telegram, with over 500 million monthly active users, is an attractive hunting ground for cybercriminals, who use the service as a launching pad for spreading and deploying malware.
To conduct their campaign, ToxicEye operators created a fake Telegram account and a bot, through which they targeted victims for malicious purposes.
“Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C2 via Telegram,” the researchers say.
Following an interaction with the bot, victims received phishing emails with infected document attachments. If a victim initiated the download, the resulting malicious .exe file fetched ToxicEye, which was then deployed.
The ToxicEye RAT has the capability to scan for and steal credentials, computer OS data, browser history, clipboard content, and cookies. Its operators can transfer and delete files, kill PC processes, and take control over task management. ToxicEye has keylogging functionality, can compromise the microphone and camera, and can record audio and video. Besides that, it can encrypt and decrypt victim files, so it can be used as ransomware, according to the researchers.
To detect ToxicEye on a system, the researchers advise searching for “C:\Users\ToxicEye\rat.exe”; if the file is found, victims should immediately remove it.
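The two detection angles the article gives, the file indicator above and the Telegram bot C2 channel, can be turned into a simple triage script. This is an added example, not code from Check Point or the article; it assumes a constructed proxy log format of "client_ip method url status" and relies on the publicly documented shape of Telegram Bot API URLs (https://api.telegram.org/bot<token>/<method>), which the article does not name.

```python
import re
from pathlib import PureWindowsPath

# File indicator quoted from the Check Point write-up.
TOXICEYE_PATH = PureWindowsPath(r"C:\Users\ToxicEye\rat.exe")

# Telegram Bot API requests take the form https://api.telegram.org/bot<token>/<method>.
# The host and token format come from Telegram's public Bot API documentation (assumption:
# the article itself only says the RAT reaches its C2 "via Telegram").
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)


def is_toxiceye_path(path_str: str) -> bool:
    """True if a path from a file inventory matches the published drop location.
    PureWindowsPath compares case-insensitively and normalises slashes, so
    'c:/users/toxiceye/RAT.EXE' is still a hit."""
    return PureWindowsPath(path_str) == TOXICEYE_PATH


def find_bot_api_calls(log_lines):
    """Scan proxy log lines and return (client_ip, method, redacted_token) for each
    Telegram Bot API request. Bot tokens are secrets, so only the numeric bot id is kept;
    that is enough to correlate a campaign without leaking the token in a report."""
    hits = []
    for line in log_lines:
        m = BOT_API_RE.search(line)
        if not m:
            continue
        client_ip = line.split()[0]
        bot_id = m.group("token").split(":")[0]
        hits.append((client_ip, m.group("method"), bot_id + ":******"))
    return hits


# Constructed sample proxy log lines (not real traffic). One host polls the bot for
# commands (getUpdates) and then pushes a file out (sendDocument), which is the pattern a
# Telegram-controlled RAT with data-theft goals would leave behind.
SAMPLE_LOG = [
    "10.0.0.12 GET https://www.example.com/index.html 200",
    "10.0.0.23 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/getUpdates 200",
    "10.0.0.23 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument 200",
    "10.0.0.45 GET https://web.telegram.org/ 200",
]

if __name__ == "__main__":
    for hit in find_bot_api_calls(SAMPLE_LOG):
        print("Telegram Bot API traffic:", hit)
    print("IoC path match:", is_toxiceye_path(r"c:\users\toxiceye\RAT.EXE"))
```

Ordinary Telegram web or desktop traffic (web.telegram.org) is deliberately not flagged; only Bot API calls, which end-user clients do not make, are reported.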
“Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” the researchers concluded.