Researchers have uncovered a new malware variant, called ToxicEye, which has both data exfiltration and ransomware capabilities, and relies on the Telegram messaging platform for command-and-control (C2) communications.
While ToxicEye is not the first malware family to use Telegram for C2 communications, researchers at Check Point Research said in a Thursday report that cybercriminals are increasingly turning to the popular chat service as a "ready-made" C2 system for their malware.
“Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” said Omer Hofman, malware analyst at Check Point.
Kobi Eisenkraft, team lead for Malware Research and Protection at Check Point, said researchers have seen more than 130 attacks delivering ToxicEye over the last three months. He said no further information about the victimology or the specific lures used is available.
The attacks start with spear-phishing emails that contain a malicious .exe file. Once users open the attachment, the remote access trojan (RAT) is installed and proceeds to perform a range of malicious actions. These include stealing data, deleting or transferring files, killing processes, hijacking the PC’s microphone and camera in order to record video and audio, and encrypting files for ransom purposes.
To build the Telegram-based C2 behind the malware, ToxicEye's authors used a Telegram account and a Telegram bot account. Telegram bots are created by third-party developers through the bot API and platform that Telegram provides, and can be shared by Telegram users as links (consisting of the bot's Telegram username and a query) in a chat. When a user opens such a link, it triggers the bot's functionality, which may range from running polls to generating an image.
Malware authors have historically abused this feature by embedding the bot's API token into the malware. The token is a legitimate credential issued to every bot, and it accompanies each request the bot makes to Telegram's Bot API, so whoever holds it can act as the bot. Once a victim is infected, the attacker uses it to push commands to the malware and to collect whatever the malware sends back.
“The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’),” said researchers. “Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram.”
Telegram, which was the most downloaded app worldwide in January with more than 63 million installs and has surpassed 500 million monthly active users, provides attackers with several advantages compared to conventional web-based malware administration, said researchers. Telegram is a legitimate and easy-to-use service that is not blocked by antivirus engines or network management tools, and attackers can remain anonymous during registration because it requires only a mobile number. Telegram's communication features also let attackers easily exfiltrate data from victims' PCs or transfer new malicious files to infected machines, said researchers.
Various other RATs have utilized Telegram for malware C2 infrastructure, including the TeleRAT malware discovered in 2018 and the Masad malware found in 2019.
“Since Masad became available on hacking forums, dozens of new types of malware that use Telegram for C&C and exploit Telegram’s features for malicious activity, have been found as ‘off-the-shelf’ weapons in hacking tool repositories in GitHub,” said researchers.
Beyond Telegram, Check Point's Eisenkraft noted that other legitimate communications platforms have previously been used as C2 channels for malware. For instance, several malware campaigns have used Discord for C2 communication, including the Epsilon ransomware, various data-stealing trojans and the XMRig cryptominer, according to a February report by Zscaler ThreatLabZ researchers. In 2019, a remote access tool called Slackor was also discovered using Slack as a C2 channel.
Researchers say end users can check whether they have been infected by ToxicEye by searching for a file called C:\Users\ToxicEye\rat.exe on their devices. Businesses should also monitor the traffic generated by PCs in their organization for communications with a Telegram C2 (Bot API calls go to api.telegram.org, so hosts with no business reason to talk to Telegram bots are worth investigating), and be wary of suspicious emails with attachments.
“If this file exists on your PC, you have been infected and must immediately contact your helpdesk and erase this file from your system,” said Hofman.
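Because the bot token rides in every Bot API request URL (the mechanism described above) and the article's defensive advice is to watch for Telegram C2 traffic, a web-proxy log is the natural place to look. The following is an added example written for this page; it is not Check Point's or ToxicEye's code. It assumes a simple constructed proxy-log line shape (timestamp, client IP, verb, URL), the public Bot API URL form https://api.telegram.org/bot<TOKEN>/<method>, and that tokens look like "<numeric bot id>:<35 URL-safe characters>"; the sample log lines are constructed. It separates Bot API calls from ordinary Telegram use, classifies the methods a RAT would need (getUpdates to fetch commands, sendMessage and sendDocument to return output and files), flags hosts that poll repeatedly, and includes the on-disk indicator check the researchers recommend.

```python
import os
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Bot API requests carry the bot token in the URL path:
#   https://api.telegram.org/bot<TOKEN>/<method>
# Assumption: tokens look like "<numeric bot id>:<35 URL-safe chars>".
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)"
)

# How a Telegram-controlled RAT would use each Bot API method.
C2_ROLES = {
    "getUpdates": "command polling",
    "sendMessage": "beacon or command output",
    "sendDocument": "file exfiltration",
}


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    bot_id: str      # numeric half only; the secret half is never stored
    method: str
    role: str


def scan_proxy_log(lines):
    """Return one Hit per Bot API request found in proxy-log lines.

    Assumed line shape: "<timestamp> <client ip> <verb> <url>".
    Lines that do not match the shape or are not Bot API calls are skipped.
    """
    hits = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, client, _verb, url = parts
        m = BOT_API_RE.search(url)
        if not m:
            continue
        method = m.group("method")
        hits.append(Hit(ts, client, m.group("bot_id"), method,
                        C2_ROLES.get(method, "other Bot API call")))
    return hits


def summarize(hits):
    """Per-client count of each C2 role, e.g. {"10.0.0.15": {"command polling": 2}}."""
    summary = defaultdict(Counter)
    for h in hits:
        summary[h.client][h.role] += 1
    return {client: dict(c) for client, c in summary.items()}


def polling_clients(hits, min_polls=2):
    """Clients that call getUpdates at least min_polls times: beacon-like behaviour."""
    polls = Counter(h.client for h in hits if h.method == "getUpdates")
    return {client for client, n in polls.items() if n >= min_polls}


def indicator_file_present(path=r"C:\Users\ToxicEye\rat.exe"):
    """Check for the on-disk indicator named in the Check Point write-up."""
    return os.path.exists(path)


# Constructed sample log: 10.0.0.15 behaves like the RAT (poll, send output,
# poll again, upload a file); the other two hosts are ordinary browsing, and
# web.telegram.org is a human using Telegram, not a bot, so it is not flagged.
SAMPLE_LOG = """\
2021-04-22T10:00:01Z 10.0.0.15 GET https://api.telegram.org/bot1234567890:AAF9n2XyZabcdefghijklmnopqrstuvwxyz/getUpdates?offset=0
2021-04-22T10:00:03Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAF9n2XyZabcdefghijklmnopqrstuvwxyz/sendMessage
2021-04-22T10:00:05Z 10.0.0.15 GET https://api.telegram.org/bot1234567890:AAF9n2XyZabcdefghijklmnopqrstuvwxyz/getUpdates?offset=1
2021-04-22T10:00:09Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAF9n2XyZabcdefghijklmnopqrstuvwxyz/sendDocument
2021-04-22T10:00:11Z 10.0.0.23 GET https://web.telegram.org/k/
2021-04-22T10:00:12Z 10.0.0.31 GET https://example.com/index.html
""".splitlines()

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for client, roles in summarize(found).items():
        print(client, roles)
    print("beacon-like clients:", polling_clients(found))
    print("indicator file present:", indicator_file_present())
```

The numeric bot id is kept in the findings (it identifies the attacker's bot across hosts and can be reported to Telegram) while the secret half of the token is deliberately discarded, since a log of findings should not become a second copy of the attacker's credential. Matching on the api.telegram.org host rather than on "telegram" anywhere in the URL is what keeps ordinary user traffic from turning into false positives.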