Cybercriminals Use Telegram Messenger to Control ToxicEye Malware

Cybercriminals use Telegram Messenger to control the ToxicEye malware, enabling them to capture sensitive information from targeted systems.

According to researchers from cybersecurity firm Check Point, hackers are able to send malicious commands and operations remotely via Telegram Messenger. They can do this even when the messaging app is not installed on the system.

Check Point has discovered nearly 130 attacks in the last three months using a new multi-function remote access trojan (RAT) called ToxicEye.

Hackers are known to have used similar tactics back in September 2019, when Masad Stealer was used to loot information and cryptocurrency wallet data from infected systems, exfiltrating it via Telegram.

In another incident, Magecart groups used a similar modus operandi to send payment details stolen from compromised websites back to the attackers.

Why Do Cybercriminals Choose Telegram Messenger?

Telegram Messenger is the weapon of choice because its traffic is not blocked by enterprise antivirus engines. It allows cybercriminals to remain anonymous, as users only need a mobile number to register. This enables them to virtually access infected devices from any location in the world.

[Figure: Infection chain of the ToxicEye malware]

ToxicEye Malware – Check Point's Recent Findings

According to Check Point, the recent attacks are similar to the earlier ones. Attackers spread the malware via phishing emails carrying a malicious Windows executable file. Telegram Messenger is used to communicate with the command-and-control server and to upload data to it. Using a number of exploits, the malware is able to steal data, transfer and delete files, terminate processes, deploy a keylogger, and hijack the computer’s microphone and camera to record audio and video. It is also able to encrypt files for ransom.

The attackers start by creating a Telegram bot and embedding it into the RAT’s configuration file before compiling it into an executable. The .EXE file is embedded in a lure Word document, such as “solution.doc”. When the victim opens the file, it downloads and runs the Telegram RAT (“C:\Users\ToxicEye\rat.exe”).

Idan Sharabi, R&D Group Manager at Check Point, said:
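
The two facts above that a defender can act on are that the RAT talks to Telegram from hosts that have no Telegram client installed, and that it drops a file at a fixed path. The following Python script is an added example written for this article, not Check Point's code or anything from the ToxicEye report: it scans constructed proxy log lines for Telegram Bot API calls (`api.telegram.org` and the `/bot<token>/<method>` URL shape are assumptions about the Bot API, not taken from the article), raises the severity for hosts that have no Telegram client in the inventory, and checks a constructed file listing for the drop path the article reports (backslashes restored). Host names, tokens and log lines are all made up for the example.

```python
"""Defender-side triage for Telegram-based C2 of the kind described for ToxicEye.

Check 1 (network): a host calling the Telegram Bot API. A /bot<token>/ URL is
bot traffic, not a person chatting, so it is always worth review; it is rated
high when the host has no Telegram client installed, which is the situation
the article describes (the RAT needs no app).
Check 2 (host): the dropped RAT path quoted in the article.

All sample data below is constructed for this example.
"""
import re
from collections import defaultdict

# Assumed Bot API hostname and URL shape (not stated in the article).
TELEGRAM_API_HOST = "api.telegram.org"
BOT_API_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Drop path reported in the article for the ToxicEye RAT (backslashes restored).
TOXICEYE_DROP_PATH = r"C:\Users\ToxicEye\rat.exe"

# Constructed proxy log: "<timestamp> <source host> <method> <url>"
SAMPLE_PROXY_LOG = """\
2021-04-22T09:01:12 WS-FIN-07 POST https://api.telegram.org/bot123456789:AAExampleTokenXYZ/getUpdates
2021-04-22T09:01:15 WS-FIN-07 POST https://api.telegram.org/bot123456789:AAExampleTokenXYZ/sendDocument
2021-04-22T09:02:40 WS-MKT-03 GET https://api.telegram.org/bot987654321:BBExampleTokenABC/getUpdates
2021-04-22T09:03:05 WS-FIN-07 GET https://example.com/index.html
"""

# Constructed inventory: hosts where a Telegram desktop client is installed.
HOSTS_WITH_TELEGRAM_CLIENT = {"WS-MKT-03"}

# Constructed file listing from an endpoint sweep.
SAMPLE_FILE_LISTING = [
    r"C:\Users\alice\Documents\solution.doc",
    r"C:\Users\ToxicEye\rat.exe",
    r"C:\Windows\System32\notepad.exe",
]


def parse_proxy_line(line):
    """Split one constructed proxy log line into its four fields."""
    ts, host, method, url = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "method": method, "url": url}


def find_bot_api_c2(log_text, hosts_with_client):
    """Return {host: {"severity": ..., "methods": [...]}} for each host that
    calls the Telegram Bot API. Severity is "high" when the host has no
    Telegram client installed, "medium" otherwise."""
    methods_by_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if TELEGRAM_API_HOST not in rec["url"]:
            continue
        match = BOT_API_RE.search(rec["url"])
        if not match:
            continue  # ordinary web traffic to Telegram, not a Bot API call
        methods_by_host[rec["host"]].add(match.group(3))
    report = {}
    for host, methods in methods_by_host.items():
        severity = "medium" if host in hosts_with_client else "high"
        report[host] = {"severity": severity, "methods": sorted(methods)}
    return report


def find_drop_path(paths):
    """Return the entries of a file listing that equal the reported ToxicEye
    drop path (compared case-insensitively, as NTFS paths are)."""
    target = TOXICEYE_DROP_PATH.lower()
    return [p for p in paths if p.lower() == target]


if __name__ == "__main__":
    for host, info in find_bot_api_c2(SAMPLE_PROXY_LOG, HOSTS_WITH_TELEGRAM_CLIENT).items():
        print(f"{host}: {info['severity']} - Bot API methods {info['methods']}")
    for path in find_drop_path(SAMPLE_FILE_LISTING):
        print(f"drop path present: {path}")
```

On the sample data the finance workstation is rated high because it calls `getUpdates` and `sendDocument` with no Telegram client installed, the marketing host is rated medium, and the file sweep surfaces the drop path. In a real deployment the inventory would come from the endpoint agent and the log lines from the proxy, and the Bot API token captured in the URL is itself a useful pivot for grouping infections that share one bot.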

We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations. We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyberattacks, which can bypass security restrictions.