Telegram is a handy chat application. Even malware creators think so! ToxicEye is a RAT malware that overlays Telegram’s network, communicating with its creators through the popular chat service.
Malware that catches Telegram
In early 2021, many users left WhatsApp for messaging apps promising better data security after the company announced it would share user metadata with Facebook by default. Many of these people have turned to competing Telegram and Signal apps.
Telegram was the most downloaded app, with more than 63 million installations in January 2021, according to Sensor Tower. Telegram chats aren’t end-to-end encrypted like Signal chats, and now Telegram has another problem: malware.
Check Point Software Company recently discovered that bad actors are using Telegram as a communication channel for a malicious program called ToxicEye. It turns out that some of Telegram’s features can be used by attackers to communicate with their malware more easily than through web tools. Now they can play with infected computers through a convenient Telegram chatbot.
What is ToxicEye and how does it work?
ToxicEye is a type of malware called a Remote Access Trojan (RAT). RATs can give an attacker remote control of an infected machine, which means they can:
- steal data from the host computer.
- delete or transfer files.
- kill the processes running on the infected computer.
- hijack the computer’s microphone and camera to record audio and video without the user’s consent or knowledge.
- encrypt files to extort ransom from users.
The ToxicEye RAT is spread via a phishing system where a target receives an email with an embedded EXE file. If the targeted user opens the file, the program installs the malware on their device.
RATs are similar to remote access programs that, for example, a tech support person might use to take control of your computer and troubleshoot a problem. But these programs sneak around without permission. They can imitate or be hidden with legitimate files, often disguised as a document or embedded in a larger file like a video game.
How attackers use Telegram to control malware
As early as 2017, attackers used Telegram to remotely control malware. A notable example of this is the Masad Stealer Program who emptied the victims’ crypto wallets that year.
Check Point researcher Omer Hofman said the company found 130 ToxicEye attacks using this method between February and April 2021, and there are a few things that make Telegram useful for bad actors who spread malware.
On the one hand, Telegram is not blocked by firewall software. It is also not blocked by network management tools. It’s an easy-to-use app that many people recognize as legitimate and so let their guard down.
Signing up for Telegram only requires a cell phone number, so attackers can remain anonymous. It also allows them to attack devices from their mobile device which means they can launch a cyber attack from anywhere. Anonymity makes attributing attacks to someone – and stopping them – extremely difficult.
The chain of infection
Here’s how the ToxicEye infection chain works:
- The attacker first creates a Telegram account and then a Telegram “bot”, which can perform actions remotely through the app.
- This bot token is embedded in malicious source code.
- This malicious code is sent as spam, which is often disguised as something legitimate that the user can click.
- The attachment opens, installs itself on the host computer, and sends the information back to the attacker’s command center through the Telegram bot.
Since this RAT is sent via spam email, you don’t even have to be a Telegram user to get infected.
If you think you have downloaded ToxicEye, Check Point advises users to search for the following file on your PC: C: Users ToxicEye rat.exe
If you find it on a work computer, delete the file from your system and contact your support department immediately. If it is a personal device, delete the file and immediately run a virus scan.
At the time of writing, at the end of April 2021, these attacks have only been discovered on Windows PCs. If you haven’t installed a good antivirus program yet, now is the time to get it.
Other proven tips for good ‘digital hygiene’ also apply, such as:
- Do not open attachments that appear suspicious and / or come from unknown senders.
- Watch out for attachments that contain usernames. Malicious emails often include your username in the subject line or the name of an attachment.
- If the email tries to sound urgent, threatening, or authoritative and forces you to click on a link / attachment or give out sensitive information, it’s likely malicious.
- Use anti-phishing software if you can.
The Masad Stealer code was made available on Github following the 2017 attacks. Check Point says this has led to the development of a host of other malware, including ToxicEye:
“Since Masad became available on hacking forums, dozens of new types of malware that use Telegram to [command and control] and exploit Telegram functionality for malicious activity, have been found as “standard” weapons in the hacking tool repositories on GitHub. “
Companies using the software would do well to consider moving on or blocking it on their networks until Telegram implements a solution to block this distribution channel.
In the meantime, individual users should keep their eyes open, be aware of the risks, and regularly check their systems for threats – and perhaps consider switching to Signal instead.