ToxicEye RAT

Researchers at Check Point Software Technologies found that attackers are abusing the popular Telegram messaging app as the command-and-control channel for a remote access trojan (RAT) known as ToxicEye: a Telegram bot is embedded in the malware and the attacker controls infected machines through it.

Telegram was the most downloaded app worldwide in January 2021, with more than 63 million installs, and has exceeded 500 million monthly active users. That popularity also extends to the cyber-criminal community.

A victim’s computer infected with the ToxicEye malware is controlled via a hacker-operated Telegram messaging account.

Researchers said Telegram is an ideal channel for hiding such activity: its traffic is legitimate and generally not blocked by anti-virus or network controls, and registering an account requires only a mobile phone number, which lets attackers stay anonymous.

Telegram's communications infrastructure also lets attackers easily exfiltrate data from victims' PCs or push new malicious files to infected machines, and do so remotely from anywhere in the world, they said.

ToxicEye RAT

Check Point Research (CPR) has observed over 130 attacks using a new multi-functional remote access trojan (RAT) dubbed ‘ToxicEye.’

ToxicEye is spread via phishing emails containing a malicious .exe file. If the user opens the attachment, ToxicEye installs itself on the victim's PC and performs a range of malicious actions without the victim's knowledge, including:

  1. stealing data
  2. deleting or transferring files
  3. killing processes on the PC
  4. hijacking the PC’s microphone and camera to record audio and video
  5. encrypting files for ransom purposes

The report says ToxicEye is managed by attackers over Telegram: the Telegram bot serves as the command-and-control (C&C) channel, and stolen data is exfiltrated through it.

ToxicEye’s Infection Chain

The attacker first creates a Telegram account and a Telegram 'bot.' A Telegram bot is a special account that users can interact with through Telegram chat, by adding it to Telegram groups, or by sending requests directly from the input field, typing the bot's Telegram username followed by a query.

The bot (its access token) is embedded into the ToxicEye RAT configuration file and compiled into an executable file (one file name the researchers found was 'paypal checker by saint.exe').

Any machine infected with this payload can then be controlled through the Telegram bot, which connects the victim's device back to the attacker's C&C over Telegram.


The Telegram RAT can also be downloaded and run by opening a malicious document attached to the phishing emails, named solution.doc, and clicking "Enable Content," which allows the document's embedded macro to run.

Telegram RAT Functionality

  • Data stealing features – the RAT can locate and steal passwords, computer information, browser history and cookies.
  • File system control – Deleting and transferring files, or killing PC processes and taking over the PC’s task manager.
  • I/O hijacking – the RAT can deploy a keylogger, or record audio and video of the victim’s surroundings via the PC’s microphone and camera, or hijack the contents of the clipboard.
  • Ransomware features – the ability to encrypt and decrypt victim’s files.

Identification and Mitigation

Check Point said one indicator of infection is the presence of a file named "rat.exe" at the path C:\Users\ToxicEye\rat[.]exe.

Organizations should also monitor traffic from PCs to Telegram on systems where the Telegram app is not installed, researchers said.
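To make the monitoring recommendation above concrete, and to show what the Bot API channel described in the infection chain looks like on the wire, here is an added detection example. It is not code from the Check Point report or from ToxicEye; it runs over constructed web-proxy log lines (timestamp, hostname, HTTP verb, URL, all invented for the example) against a constructed inventory of hosts that legitimately have the Telegram client installed. It assumes the documented Bot API URL form https://api.telegram.org/bot<token>/<method>, and that the official Telegram clients talk MTProto to Telegram's data centres rather than calling the HTTP Bot API, so Bot API traffic from a workstation is suspicious regardless of whether the client is installed. The log format, hostnames, bot IDs and tokens are hypothetical.

```python
"""Flag Telegram Bot API command-and-control traffic in web-proxy logs (added example)."""
import re
from dataclasses import dataclass, field

# Documented Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Any telegram.org host (api., web., core., ...).
TELEGRAM_HOST_RE = re.compile(r"https?://(?:[a-z0-9-]+\.)*telegram\.org(?=[/:?]|$)", re.I)
# Assumed proxy log format: <timestamp> <hostname> <verb> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<verb>[A-Z]+)\s+(?P<url>\S+)$")

# Bot API methods a RAT needs: pull operator commands, push results and files back.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "sendPhoto"}

# Constructed sample data (not from the report).
SAMPLE_LOGS = [
    "2021-04-20T09:12:01Z WS-FINANCE-07 GET https://api.telegram.org/bot123456789:AAHxQk9vL2mN8pR3sT6uV1wX4yZ7aB0cD2e/getUpdates?offset=12",
    "2021-04-20T09:12:09Z WS-FINANCE-07 POST https://api.telegram.org/bot123456789:AAHxQk9vL2mN8pR3sT6uV1wX4yZ7aB0cD2e/sendDocument",
    "2021-04-20T09:13:44Z LT-MARKETING-02 GET https://web.telegram.org/k/",
    "2021-04-20T09:14:02Z WS-HR-11 GET https://www.example.com/index.html",
    "2021-04-20T09:15:30Z WS-HR-11 GET https://web.telegram.org/k/",
    "garbage line that does not parse",
]
# Hypothetical software inventory: hosts where the Telegram client is approved and installed.
HOSTS_WITH_TELEGRAM_CLIENT = {"LT-MARKETING-02"}

SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass
class Finding:
    host: str
    severity: str
    reason: str
    bot_id: str = ""
    token: str = ""          # secret part of the bot token; redacted in summary()
    methods: list = field(default_factory=list)

    @property
    def c2_like(self) -> bool:
        """True when the observed methods are the ones a RAT needs for C2/exfiltration."""
        return bool(set(self.methods) & C2_METHODS)

    def summary(self) -> str:
        tok = f" bot_id={self.bot_id} token={self.token[:4]}..." if self.bot_id else ""
        meth = f" methods={','.join(self.methods)}" if self.methods else ""
        return f"[{self.severity.upper()}] {self.host}: {self.reason}{tok}{meth}"


def parse_line(line: str):
    """Return the parsed fields of one proxy log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, hosts_with_client):
    """Return findings sorted by severity then host.

    - Bot API calls are always flagged (high): official clients do not use the Bot API,
      so a workstation polling getUpdates / posting sendDocument is behaving like a bot.
    - Other telegram.org traffic is flagged (medium) only from hosts that, per the
      inventory, have no Telegram client installed, as the report recommends.
    """
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines rather than crash
        host, url = rec["host"], rec["url"]
        bot = BOT_API_RE.match(url)
        if bot:
            key = (host, bot["bot_id"])   # one finding per host/bot pair, methods accumulated
            f = findings.setdefault(key, Finding(
                host, "high",
                "Telegram Bot API traffic (official clients use MTProto, not the Bot API)",
                bot["bot_id"], bot["secret"]))
            if bot["method"] not in f.methods:
                f.methods.append(bot["method"])
            continue
        if TELEGRAM_HOST_RE.match(url) and host not in hosts_with_client:
            findings.setdefault((host, ""), Finding(
                host, "medium",
                "Telegram traffic from a host without the Telegram client installed"))
    return sorted(findings.values(), key=lambda f: (SEVERITY_RANK[f.severity], f.host))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS, HOSTS_WITH_TELEGRAM_CLIENT):
        print(finding.summary())
```

The bot ID and the redacted token prefix are kept in the finding so a responder can pivot on them across other hosts; the full token is retained in the object for an abuse report but never printed. Reporting the bot ID from the finding is what ties this to the infection chain above: the same token compiled into the RAT's configuration is what shows up in the URL.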

Researchers encourage extra vigilance when scrutinizing emails. Recipients should always check the recipient line of a suspicious email before engaging with it, Check Point said: if no recipient is named, or the recipient is unlisted or undisclosed, the message is likely phishing or otherwise malicious.

Check Point Research concludes by saying “Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.