Telegram is used to control ToxicEye malware

Telegram is used to control ToxicEye malware

Check Point Research Team discovered that the Telegram messenger is used as the control server for the ToxicEye Remote Access Trojan (RAT). Even when Telegram is not installed or used, hackers manage to remotely transmit malware commands and perform operations through the application. Over the past three months, researchers have tracked more than 130 such cyberattacks.

ToxicEye operators distribute their malware, disguising it as email attachments. Having gained access to the victim’s system and its data, they also get the opportunity to install other malware on the device.

Typically, the attack takes place in the following way.

  • The attacker starts by creating an account and a special bot on Telegram.
  • The bot token is associated with the selected malware.
  • The malware then spreads via spam as an attachment. For example, one of these files identified by experts was called “PayPal Checker by saint.exe”.
  • Next, the potential victim opens a malicious attachment, and it connects to Telegram. Any device infected with ToxicEye can be attacked through a Telegram bot that connects the user to the attackers’ C&C server.
  • A hacker gains the ability to: manage files, including deleting them, steal data (for example, from the clipboard, passwords, computer information, browser history, and cookies), record audio and video, as well as encrypt files and install ransomware.
Telegram is used to control ToxicEye malware
Attack scheme

The researchers note that using Telegram is a very smart move, since Telegram is a legitimate and easy-to-use service that is usually not blocked by corporate anti-virus solutions. It also allows criminals to remain anonymous, as they only need a mobile phone number to register.

“We urge Telegram organizations and users to keep abreast of the latest phishing attacks and be highly suspicious of emails with a username or organization name embedded in the subject,” said Idan Sharabi, research and development manager at Check Point Software Technologies. “Given that Telegram can be used to distribute malicious files or as a control channel for malware, we expect attackers to continue to develop tools that use this platform in the future.”


ProApk on Google News
ProApk on Telegram
ProApk on Twitter
ProApk on Facebook