Cyber threat actors are increasingly using and abusing Telegram as a "command-and-control" system to distribute malware into organizations, malware that can then be used to capture sensitive information from targeted systems. Telegram is a cloud-based instant messaging and voice-over-IP service. Telegram client apps are available for Android, iOS, Windows Phone, Windows NT, macOS, and Linux. Users can send messages and exchange photos, videos, stickers, audio, and files of any type. Even when Telegram is not installed or being used on the victim machine, the malware allows hackers to send malicious commands and carry out operations remotely via the instant messaging service. Researchers from the cybersecurity firm Check Point have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called "ToxicEye."
The ToxicEye RAT has several functions that you would expect this particular brand of malware to possess. This includes the ability to scan for and steal credentials, computer OS data, browser history, clipboard content, and cookies, as well as the option for operators to transfer and delete files, kill PC processes and hijack task management. In addition, the malware can deploy keyloggers and is able to compromise microphones and camera peripherals to record audio and video. Ransomware traits, including the ability to encrypt and decrypt victim files, have also been detected by the researchers.
The use of Telegram for facilitating malicious activities is not new. In September 2019, an information stealer titled Masad Stealer was discovered to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel. Last year, Magecart groups embraced the same tactic to send stolen payment details from compromised websites back to the attackers.
The strategy also pays off in a few ways for cybercriminals. Telegram is not blocked by enterprise antivirus engines, and the messaging app also lets attackers remain anonymous, because the registration process requires only a mobile number; this gives them access to infected devices from virtually any location in the world.
The latest campaign spotted by Check Point is no different. Spread via phishing emails carrying a malicious Windows executable file, ToxicEye uses Telegram to communicate with the command-and-control (C2) server and upload data to it. The malware also employs a range of exploits that allow it to encrypt files for a ransom.
The attack chain commences with the attacker creating a Telegram bot, which is then embedded into the RAT's configuration file before the RAT is compiled into an executable (e.g. "PayPal checker by saint.exe"). This .EXE file is then injected into a decoy Word document ("solution.doc") that, when opened, downloads and runs the Telegram RAT ("C:\Users\ToxicEye\rat.exe").
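As a defender-side illustration (added here; not code from Check Point, Red Sky Alliance or the ToxicEye authors), the following Python scans proxy log lines for Telegram Bot API requests, which a RAT built around a Telegram bot must make to poll for operator commands or upload stolen data. It assumes a constructed log format of timestamp, client IP, process name, HTTP verb and URL; the sample lines and the bot token in them are made up.

```python
import re

# Telegram Bot API requests look like https://api.telegram.org/bot<TOKEN>/<method>, where
# TOKEN is "<numeric bot id>:<secret>"; the secret length check is deliberately tolerant.
BOT_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{5,12}):(?P<secret>[A-Za-z0-9_-]{30,45})/(?P<method>[A-Za-z]+)"
)
# Bot API methods a RAT would use to poll for operator commands or push stolen data.
C2_METHODS = {
    "getUpdates": "command polling",
    "sendMessage": "beacon or text exfiltration",
    "sendDocument": "file exfiltration",
    "sendPhoto": "screenshot exfiltration",
}

def parse_proxy_line(line):
    """Parse one line of the constructed format '<ts> <client_ip> <process> <verb> <url>'."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "client", "process", "verb", "url"), parts))

def detect_telegram_c2(lines):
    """Return one finding per Bot API request in the proxy log, with the token redacted."""
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        m = BOT_API_RE.search(rec["url"]) if rec else None
        if not m:
            continue
        method = m.group("method")
        # The Telegram desktop client speaks MTProto to Telegram's data centres, not the Bot
        # API, so Bot API traffic from a workstation is anomalous whatever the process name.
        findings.append({
            "ts": rec["ts"], "client": rec["client"], "process": rec["process"],
            "bot_id": m.group("bot_id"),
            "token": m.group("bot_id") + ":" + m.group("secret")[:4] + "...",  # never log the full secret
            "method": method,
            "reason": C2_METHODS.get(method, "unrecognised Bot API method"),
            "severity": "high" if method in C2_METHODS else "medium",
        })
    return findings

# Constructed sample proxy log; the bot token below is made up, not a real credential.
SAMPLE_PROXY_LOG = [
    "2021-04-22T10:01:02Z 10.0.0.15 chrome.exe GET https://www.example.com/index.html",
    "2021-04-22T10:01:05Z 10.0.0.15 rat.exe GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly_0123456789abcd/getUpdates?offset=1",
    "2021-04-22T10:02:10Z 10.0.0.15 rat.exe POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly_0123456789abcd/sendDocument",
    "2021-04-22T10:03:00Z 10.0.0.22 telegram.exe POST https://149.154.167.50/api",
]
```

Running `detect_telegram_c2(SAMPLE_PROXY_LOG)` flags only the two `rat.exe` requests, reporting the bot id and method while keeping the token secret out of the alert.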
"We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations," a Check Point R&D Group Manager stated. "We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber-attacks, which can bypass security restrictions. Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future," the researchers commented.
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9+ years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- REDSHORTS - Weekly Cyber Intelligence Briefings