Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns & take over victims’ machines, new research has found.
Hackers are using the popular Telegram messaging app by embedding its code inside a remote access trojan (RAT) dubbed Toxic Eye, new research has found. A victim’s computer infected with the Toxic Eye malware is controlled via a hacker-operated Telegram messaging account.
The Toxic Eye malware can take over file systems, install ransomware & leak data from victim’s PCs, according to researchers at Check Point Software Technologies.
Check Point said it has tracked more than 130 cyber-attacks in the last 3 months that used Toxic Eye, which was being managed by threat actors over Telegram. Attackers use the messaging service to communicate with their own server & exfiltrate data to it, according to a report published online on Thursday.
Hackers are likely to have targeted Telegram, which has more than 500m active users across the world, as their distribution platform because of its widespread use & popularity, explained Idan Sharabi, Research & Development Manager at Check Point.
Utilising This System
“We believe attackers are using the fact that Telegram is used & allowed in almost all organisations, utilising this system to perform cyber-attacks, which can bypass security restrictions,” he commented in a statement.
Researchers point out that Telegram, which is known as a secure private messaging service, has become even more popular during the pandemic & especially in recent months. That’s because new privacy & data management policies instituted by WhatsApp raised concern among users & pushed millions of them to alternative messaging platforms such as Telegram.
This growing Telegram userbase has led to a corresponding surge by attackers hitting the Telegram platform with a flurry of common malware, researchers report. According to Check Point, dozens of “off-the-shelf” malware samples have also been spotted targeting Telegram users.
Researchers explained that Telegram is an ideal way to obscure such activity because it is not blocked by anti-virus protections & allows attackers to remain anonymous, requiring only a mobile phone number to sign up.
The app also allows attackers to easily exfiltrate data from victims’ PCs or transfer new malicious files to infected machines because of its communications infrastructure, & to do so remotely from any location in the world, they outlined.
The Telegram RAT attack starts with threat actors creating a Telegram account & a dedicated Telegram bot, a remote account that allows them to interact with other users in various ways, including to chat, add people to groups or send requests directly from the input field by typing the bot’s Telegram username & a query.
Attackers then bundle the bot token with the RAT or other chosen malware & spread the malware via email-based spam campaigns as an email attachment. For example, researchers observed attackers spreading malware via a file called “paypal checker by saint.exe,” they revealed.
When a victim opens the malicious attachment, it connects to Telegram & leaves the machine vulnerable to a remote attack via the Telegram bot, which uses the messaging service to connect the victim’s device back to the attacker’s command-&-control server, according to the report. Post-infection, attackers gain full control over the victim’s machine & can engage in a range of nefarious activities, researchers stated.
In attacks that Check Point observed, the Toxic Eye RAT was used to locate & steal passwords, computer information, browser history & cookies from people’s devices; delete & transfer files or kill PC processes as well as take over a PC’s task manager; deploy a keylogger or record audio & video of the victim’s surroundings as well as steal clipboard contents; & use ransomware to encrypt & decrypt victims’ files.
Identification & Mitigation
Check Point said an indication of infection on a PC is the presence of a file called “rat.exe” at the path C:\Users\ToxicEye\rat[.]exe.
Organisations should also monitor traffic generated from PCs to Telegram when the Telegram app is not installed on the systems in question, researchers advised.
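The two checks above, the rat.exe path indicator & Telegram traffic from hosts that have no Telegram app installed, as an added example of how a defender might hunt for them over proxy logs & file listings. This is illustrative code written for this article, not Check Point’s tooling; the proxy log lines & asset inventory are constructed, & the assumption that Telegram clients & bots reach the service under telegram.org (api.telegram.org being the Bot API host) should be checked against your own DNS/proxy data.

```python
import re
from collections import Counter

# Constructed sample proxy log (not from the Check Point report): timestamp, hostname, destination:port
PROXY_LOG = """\
2021-04-22T09:01:12Z WS-ACCT-07 api.telegram.org:443 CONNECT
2021-04-22T09:01:40Z WS-ACCT-07 api.telegram.org:443 CONNECT
2021-04-22T09:02:03Z WS-HR-02 web.telegram.org:443 CONNECT
2021-04-22T09:03:15Z WS-DEV-11 api.telegram.org:443 CONNECT
2021-04-22T09:04:50Z WS-ACCT-07 updates.example.com:443 CONNECT
"""

# Constructed asset inventory: hosts where the Telegram desktop app is legitimately installed
TELEGRAM_INSTALLED = {"WS-HR-02"}

# Assumption: Telegram clients and bots talk to hosts under telegram.org
# (api.telegram.org is the Bot API endpoint); adjust to what your proxy/DNS data shows.
TELEGRAM_DOMAIN_RE = re.compile(r"(^|\.)telegram\.org$", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<dest>[^:\s]+):(?P<port>\d+)")

# File-system indicator given in the report
INDICATOR_PATH = r"C:\Users\ToxicEye\rat.exe"


def find_telegram_traffic_without_app(log_text, installed_hosts):
    """Count Telegram connections per host for hosts that have no Telegram app installed."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        host, dest = m["host"], m["dest"]
        if host in installed_hosts:
            continue  # sanctioned client traffic, not suspicious by itself
        if TELEGRAM_DOMAIN_RE.search(dest):
            hits[host] += 1
    return dict(hits)


def path_matches_indicator(path):
    """Case-insensitive match of a file path against the rat.exe indicator."""
    norm = path.replace("/", "\\").lower()
    return norm == INDICATOR_PATH.lower()


if __name__ == "__main__":
    for host, n in find_telegram_traffic_without_app(PROXY_LOG, TELEGRAM_INSTALLED).items():
        print(f"{host}: {n} Telegram connection(s) from a host without the app installed")
    print(path_matches_indicator(r"c:\users\toxiceye\RAT.EXE"))
```

A hit from this script is a lead for triage, not proof of infection: confirm the file on disk & the process making the connection before acting on it.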
Researchers encourage hyper-vigilance when it comes to scrutinising emails. Recipients should always check the recipient line of an email that appears suspicious before engaging with it, Check Point warned.
If there is no recipient named or the recipient is unlisted or undisclosed, this likely indicates the email is a phishing or malicious message.