Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies, has warned of a growing cyber threat in which Telegram is being used by malware authors used as a ready-made command and control (C&C) system for their malicious products, because it offers several advantages compared to conventional web-based malware administration.
Telegram, the cloud-based instant messaging platform with more than 500 million monthly active users, has risen in popularity this year because of controversial changes to its rival, WhatsApp’s privacy settings. It was the most downloaded application worldwide for January 2021, with more than 63 million installs, and has surpassed 500 million monthly active users.
Over the past three months, Check Point Research (CPR) has seen over 130 attacks using a new multi-functional remote access trojan (RAT) dubbed ‘ToxicEye.’
ToxicEye is spread via phishing emails containing a malicious .exe file. If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of exploits without the victim’s knowledge,
Dangers of the Telegram RAT
Every RAT using this method has its own functionality, but CPR was able to identify a number of key capabilities that characterize most of the recent attacks CPR observed:
• Data stealing features – the RAT can locate and steal passwords, computer information, browser history and cookies.
• File system control – Deleting and transferring files, or killing PC processes and taking over the PC’s task manager.
• I/O hijacking – the RAT can deploy a keylogger, or record audio and video of the victim’s surroundings via the PC’s microphone and camera, or hijack the contents of the clipboard.
• Ransomware features – the ability to encrypt and decrypt victim’s files.
ToxicEye’s infection chain
Creation of a Telegram account and a “Telegram” bot. A Telegram bot account is a special remote account with which users can interact by Telegram chat or by adding them to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query.
The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name was ‘paypal checker by saint.exe’).
Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram.
In addition, this telegram rat can be downloaded and run by opening a malicious document seen in the phishing emails called solution.doc and by pressing on “enable content.”
Why Cybercriminals Target Telegram
The first use of Telegram as the C&C infrastructure for malware was the ‘Masad’ info-stealer back in 2017. The criminals behind Masad realized that using a popular IM service as an integral part of their attacks gave them a number of operational benefits:
• Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools
• Attackers can remain anonymous as the registration process requires only a mobile number
• The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines
• Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.
Safety and inspection tips
1. Search for a file called C:\Users\ToxicEye\rat.exe – if this file exists on your PC, you have been infected and must immediately contact your helpdesk and erase this file from your system.
2. Monitor the traffic generated from PCs in your organization to a Telegram C&C – if such traffic is detected, and Telegram is not installed as an enterprise solution, this is a possible indicator of compromise
3. Beware of attachments containing usernames – malicious emails often use your username in their subject line or in the file name of the attachment on it. These indicate suspicious emails: delete such emails, and never open the attachment nor reply to the sender.
4. Undisclosed or unlisted recipient(s) – if the email recipient(s) has no names, or the names are unlisted or undisclosed – this is a good indication this email is malicious and / or a phishing email.
5. Always note the language in the email – Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.
6. Deploy an automated anti-phishing solution – Minimizing the risk of phishing attacks to the organization requires AI-based anti-phishing software capable of identifying and blocking phishing content across all of the organization’s communication services (email, productivity applications, etc.) and platforms (employee workstations, mobile devices, etc.).
This comprehensive coverage is necessary since phishing content can come over any medium, and employees may be more vulnerable to attacks when using mobile devices. Check Point email security solution will help you prevent the most sophisticated phishing and social engineering attacks, before they reach users.