The malware that uses Telegram to avoid detection

Time: 12/Jan By: kenglenn 724 Views

In early 2021, dozens of users ditched WhatsApp in favor of other messaging apps that promised better data security, following the company's announcement that it would share user metadata with Facebook by default. Many of these users have thus decided to rely on competing apps, such as Telegram and Signal. Telegram was undoubtedly the most downloaded app, with over 63 million installations in January 2021.

Software company Check Point recently discovered that some malicious groups are using Telegram as a communication channel for a malware program called ToxicEye. It turns out that some of Telegram's features can be used by attackers to communicate with their malware more easily than through web-based tools. Hackers can now enter infected computers via a convenient Telegram chatbot.

What is ToxicEye and how does it work?

ToxicEye is a remote access trojan (RAT). RATs give an attacker remote control of an infected machine, which means they can:

The ToxicEye RAT is spread via a phishing scheme. An email with an embedded EXE file is sent to a recipient. If the user opens the file, the program installs the malware on the device.

RATs are similar to remote access programs that, for example, technical support agents use to take command of your computer and troubleshoot a problem. The difference is that these programs sneak in without permission. They can mimic legitimate files or be hidden, often disguised as documents or embedded in a larger file such as a video game.

How do hackers use Telegram to control malware?

Back in 2017, hackers were using Telegram to remotely control malicious software. An example of this is the Masad Stealer program that emptied the victims' crypto wallets that year.

Check Point researcher Omer Hofman says the company detected 130 ToxicEye attacks using this method from February to April 2021.

For one thing, Telegram is not blocked by firewall software or network management tools. It is an easy-to-use app that many people recognize as legitimate, so they let their guard down.

Signing up for Telegram for the first time only requires a mobile number, so attackers can remain anonymous. It also allows them to attack devices from their mobile device, which means they can launch a cyber attack from anywhere. Anonymity makes it extremely difficult to attribute attacks to someone and stop them.

The chain of infections

Here's how the ToxicEye chain of infection works:


1. The attacker first creates a Telegram account and then a Telegram "bot", which can perform actions remotely via the app.
2. The bot token is inserted into the malicious source code.
3. This malicious code is sent as spam e-mail, often disguised as something legitimate that the user could click.
4. The attachment is opened, installed on the host computer, and sends the information to the attacker's command center via the Telegram bot.
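Because the bot token sits inside the malware and the RAT talks to the attacker through the Telegram Bot API (which, as noted above, firewalls rarely block), a defender can look for workstations that call that API in outbound proxy logs. The script below is an added example and not code from the article or from Check Point; the log format and the sample lines are constructed, and the token shape used for matching is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the article):
# "<timestamp> <src_ip> <http_method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2021-04-12T09:14:02Z 10.0.0.15 GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleUseOnly_abcdefghi/getUpdates?offset=5 200
2021-04-12T09:14:07Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleUseOnly_abcdefghi/sendDocument 200
2021-04-12T09:15:11Z 10.0.0.22 GET https://web.telegram.org/k/ 200
2021-04-12T09:16:40Z 10.0.0.15 GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleUseOnly_abcdefghi/getUpdates?offset=6 200
2021-04-12T09:17:03Z 10.0.0.40 GET https://example.com/index.html 200
"""

# The Bot API is reached at https://api.telegram.org/bot<token>/<method>.
# Token shape "<numeric bot id>:<secret>" is an assumption used only for matching.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)


def redact_token(token: str) -> str:
    """Keep the bot id (useful for correlation) but never log the secret part."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:<redacted>"


def find_bot_api_callers(log_text: str) -> dict:
    """Group Bot API requests by source host: bot ids seen and API methods used.

    Ordinary Telegram clients do not use the HTTP Bot API, so a workstation that
    keeps polling getUpdates or uploading via sendDocument deserves a closer look.
    """
    findings = defaultdict(lambda: {"bots": set(), "methods": defaultdict(int)})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        src_ip, url = parts[1], parts[3]
        m = BOT_API_RE.search(url)
        if not m:
            continue
        entry = findings[src_ip]
        entry["bots"].add(redact_token(m.group("token")))
        entry["methods"][m.group("method")] += 1
    return {ip: {"bots": sorted(v["bots"]), "methods": dict(v["methods"])}
            for ip, v in findings.items()}


if __name__ == "__main__":
    for ip, info in find_bot_api_callers(SAMPLE_PROXY_LOG).items():
        print(ip, info)
```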

As this RAT is sent through spam emails, you don't even need to be a Telegram user to get infected.

How to stay safe?

If you think you have downloaded ToxicEye, Check Point recommends checking for the following file on your PC: `C:\Users\ToxicEye\rat.exe`

If you find it on a work computer, delete the file from the system and contact your help desk immediately. If it is on a personal device, delete the file and run a full antivirus scan immediately.

At the time of writing, in late April 2021, these attacks have only been discovered on Windows PCs. If you haven't already installed a good antivirus program, now is the time to download it.

Other proven tips for good "digital hygiene" also apply, such as:

The Masad Stealer code was made available on GitHub following the 2017 attacks. Check Point claims that it led to the development of a number of other malicious programs, including ToxicEye:

“Since Masad became available on hacking forums, dozens of new types of malware that use Telegram for command and control and exploit Telegram's capabilities for malicious activity have been found as ‘ready-to-use’ weapons in hacking tool repositories on GitHub.”

Companies using the software would do well to consider switching to something else or blocking it on their networks until Telegram implements a solution to block this distribution channel.

In the meantime, individual users should keep their eyes open, be aware of the risks and regularly check their systems to root out threats and perhaps consider switching to Signal.