Threat Actors Utilizing Telegram Platform to Spread “ToxicEye” Malware


Monday, April 26th, 2021 | , ,

Threat Actors Utilizing Telegram Platform to Spread “ToxicEye” Malware

Hackers are leveraging the popular Telegram messaging app by embedding its code inside a remote access trojan named ToxicEye, researchers have found. A victim’s computer infected with the ToxicEye malware is controlled via a hacker-operated Telegram messaging account. The ToxicEye malware can take over file systems, install ransomware and leak data from victim’s PCs, according to researchers at Check Point Software Technologies.

Check Point said it tracked more than 130 cyberattacks in the last three months that leveraged ToxicEye, which was being managed by threat actors over Telegram. Attackers use the messaging service to communicate with their own server and exfiltrate data to it, according to a report published online. Hackers are likely have targeted Telegram, which has more than 500 million active users across the world, as their distribution platform because of its widespread use and popularity.

Researcher point out that Telegram—which is known as a secure and private messaging service–has become even more popular during the pandemic and especially in recent months. That’s because of new privacy and data management policies instituted by WhatsApp raising concern among users and pushing them by the millions to alternative messaging platforms like Telegram.

This growing Telegram userbase has led to a corresponding surge by attackers pelting the Telegram platform with a slew of common malware, researchers report. According to Check Point, dozens of “off-the-shelf” malware samples have also been spotted targeting Telegram users. Researchers said Telegram is an ideal way to obscure such activity because it isn’t blocked by anti-virus protections and allows attackers to remain anonymous, requiring only a mobile phone number to sign up, researchers noted. The app also allows attackers to easily exfiltrate data from victims’ PCs or transfer new malicious files to infected machines because of its communications infrastructure, and to do so remotely from any location in the world, they said.

Check Point said indication of infection on PCs is the presence of a file called “rat.exe” located within the directory C:\Users\ToxicEye\rat[.]exe.

Organizations also should monitor the traffic generated from PCs to Telegram accounts when the Telegram app is not installed on the systems in question, researchers said. Researchers encourage hyper-vigilance when it comes to scrutinizing emails. Recipients need to always check the recipient line of an email that appears suspicious before engaging with it, Check Point said. If there is no recipient named or the recipient is unlisted or undisclosed, this likely indicates the email is a phishing or malicious message.

Further Reading:

ToxicEye (GitHub)

Check Point Research

Share this: