Research by: Omar Hofman
Telegram, the cloud-based IM platform has enjoyed a surge in popularity this year because of controversial changes to its rival, WhatsApp’s privacy settings. Telegram was the most downloaded app worldwide for January 2021 with more than 63 million installs, and has surpassed 500 million monthly active users. This popularity also extends to the cyber-criminal community. Malware authors are increasingly using Telegram as a ready-made command and control (C&C) system for their malicious products, because it offers several advantages compared to conventional web-based malware administration.
In this blog, we’ll explore why criminals are increasingly using Telegram for malware control, using the example of a new malware variant called ‘ToxicEye’ that we have recently observed in the wild.
Why hackers are turning to Telegram for malware control
The first use of Telegram as the C&C infrastructure for malware was the ‘Masad’ info-stealer back in 2017. The criminals behind Masad realized that using a popular IM service as an integral part of their attacks gave them a number of operational benefits:
- Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools
- Attackers can remain anonymous as the registration process requires only a mobile number
- The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines
- Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.
Since Masad became available on hacking forums, dozens of new types of malware that use Telegram for C&C and exploit Telegram’s features for malicious activity, have been found as ‘off-the-shelf’ weapons in hacking tool repositories in GitHub.
ToxicEye, a new remote access trojan
Over the past three months, Check Point Research (CPR) has seen over 130 attacks using a new multi-functional remote access trojan (RAT) dubbed ‘ToxicEye.’ ToxicEye is spread via phishing emails containing a malicious .exe file. If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of exploits without the victim’s knowledge, including:
- Stealing data
- Deleting or transferring files
- Killing processes on the PC
- hijacking the PC’s microphone and camera to record audio and video
- encrypting files for ransom purposes
ToxicEye is managed by attackers over Telegram, communicating with the attacker’s C&C server and exfiltrating data to it.
ToxicEye’s infection chain
The attacker first creates a Telegram account and a Telegram ‘bot.’ A Telegram bot account is a special remote account with which users can interact by Telegram chat or by adding them to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query.
The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’).
Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram.
In addition, this telegram rat can be downloaded and run by opening a malicious document seen in the phishing emails called solution.doc and by pressing on “enable content.”
Telegram RAT functionality
Obviously, every RAT using this method has its own functionality, but we were able to identify a number of key capabilities that characterize most of the recent attacks we observed:
- Data stealing features – the RAT can locate and steal passwords, computer information, browser history and cookies.
- File system control – Deleting and transferring files, or killing PC processes and taking over the PC’s task manager.
- I/O hijacking – the RAT can deploy a keylogger, or record audio and video of the victim’s surroundings via the PC’s microphone and camera, or hijack the contents of the clipboard.
- Ransomware features – the ability to encrypt and decrypt victim’s files.
How to spot if you’ve been infected and tips to remain protected
- Search for a file called C:\Users\ToxicEye\rat.exe – if this file exists on your PC, you have been infected and must immediately contact your helpdesk and erase this file from your system.
- Monitor the traffic generated from PCs in your organization to a Telegram C&C – if such traffic is detected, and Telegram is not installed as an enterprise solution, this is a possible indicator of compromise
- Beware of attachments containing usernames – malicious emails often use your username in their subject line or in the file name of the attachment on it. These indicate suspicious emails: delete such emails, and never open the attachment nor reply to the sender.
- Undisclosed or unlisted recipient(s) – if the email recipient(s) has no names, or the names are unlisted or undisclosed – this is a good indication this email is malicious and / or a phishing email.
- Always note the language in the email – Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.
- Deploy an automated anti-phishing solution – Minimizing the risk of phishing attacks to the organization requires AI-based anti-phishing software capable of identifying and blocking phishing content across all of the organization’s communication services (email, productivity applications, etc.) and platforms (employee workstations, mobile devices, etc.). This comprehensive coverage is necessary since phishing content can come over any medium, and employees may be more vulnerable to attacks when using mobile devices. Check Point email security solution will help you prevent the most sophisticated phishing and social engineering attacks, before they reach users.
The developers who publish these tools disguise their true purpose by defining them as
“Remote Administration Tool” or “for educational purpose only”, although some of
their characteristics are often found in malicious Trojans.
Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.