A trojan called ToxicEye RAT is abusing Telegram as its command-and-control channel. Security researchers say ToxicEye gives attackers remote control over infected systems, steals data and can deploy ransomware.
Omer Hofman, a security researcher at Check Point Research, said the campaign has been under observation for some time, with more than 130 recorded attacks in the last three months.
As reported by ZDNet, the attack chain begins with the ToxicEye RAT operator creating a Telegram account and a Telegram bot. Bots are normally used for a variety of functions, including reminders, searches, issuing commands and launching polls.
A bot account lets its owner interact with other Telegram users through chats, add people to groups, or be reached directly by entering the bot's Telegram username. In this case the bot is embedded in the malware's configuration so that infected machines report back to the attacker.
“Any victim infected with this malicious payload can be attacked via the Telegram bot, which reconnects the user’s device to the attacker via Telegram,” the researchers said.
Next, the operator bundles the bot token into ToxicEye RAT (or other malware) and sends the result as an email attachment. In one example the malicious attachment was named 'paypal checker by saint.exe'.
When the user opens the attachment, the payload runs and connects the infected system to the attacker's Telegram bot and to the malicious channel the attacker has set up, so the attacker's Telegram account becomes the command-and-control channel.
ToxicEye RAT can scan for and steal credentials, operating-system data, browser history, clipboard contents and cookies. It also lets the operator transfer and delete files, kill processes and hijack the Task Manager.
The malware also deploys a keylogger and can access the microphone and camera to record audio and video. Ransomware features, including the ability to encrypt and decrypt the victim's files, have also been found in ToxicEye RAT.
If you suspect an infection by this trojan, check for the file C:\Users\ToxicEye\rat.exe. This check applies to both home and corporate systems; if the file is found, it should be removed from the system immediately.
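The two checks the article implies, as an added example that is not Check Point's code and not taken from the ToxicEye sample: the host-level file indicator named above, and a hunt over egress proxy logs for Telegram Bot API traffic, which is the command-and-control channel described earlier. The network check matters because the dropper's directory name is attacker-chosen and a repacked variant could use another path, while any bot-driven implant still has to call api.telegram.org. The log line format, IP addresses and bot token below are constructed for this example; the token regex follows Telegram's `<bot id>:<secret>` shape, and the 35-character secret length is an assumption.

```python
"""Hunt for ToxicEye-style Telegram bot C2 activity.

Added example for this article; not Check Point's code and not taken from
the ToxicEye sample. Two checks:
  1. the host file indicator the article names (TOXICEYE_IOC_PATH)
  2. egress proxy log lines showing Telegram Bot API calls, which is how a
     bot-driven RAT talks to its operator (api.telegram.org/bot<token>/<method>)
The log format, IP addresses and bot token below are constructed for the
example; the 35-character secret length in the token regex is an assumption.
"""
import re
from pathlib import Path

# File indicator given in the article; raw string so the backslashes survive.
TOXICEYE_IOC_PATH = r"C:\Users\ToxicEye\rat.exe"

# Bot API requests have the form https://api.telegram.org/bot<token>/<method>.
# A token is "<numeric bot id>:<secret>"; the 35-char secret length is assumed.
BOT_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)


def ioc_file_present(path=TOXICEYE_IOC_PATH):
    """Return True if the ToxicEye dropper path exists on this host."""
    return Path(path).is_file()


def redact_token(token):
    """Keep the bot id (needed to correlate hosts and report the bot) but hide the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def find_bot_api_calls(log_lines):
    """Return (line_no, src_ip, redacted_token, method) for each Bot API request.

    Assumed (constructed) line format: "<timestamp> <src_ip> <HTTP method> <url> <status>".
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = BOT_API_RE.search(line)
        if not m:
            continue
        fields = line.split()
        src_ip = fields[1] if len(fields) > 1 else "?"
        hits.append((n, src_ip, redact_token(m.group("token")), m.group("method")))
    return hits


def triage(log_lines):
    """Group hits by (internal host, bot) and count API methods.

    A host polling getUpdates in a loop and occasionally calling sendDocument is
    the traffic shape of an implant that holds a bot token to receive commands
    and exfiltrate files; ordinary Telegram clients use web.telegram.org or the
    MTProto protocol, not the Bot API, so they do not show up here.
    """
    summary = {}
    for _, src_ip, token, method in find_bot_api_calls(log_lines):
        per_bot = summary.setdefault((src_ip, token), {})
        per_bot[method] = per_bot.get(method, 0) + 1
    return summary


# Constructed sample egress-proxy log. The token is fake and belongs to no real bot.
SAMPLE_LOG = """\
2021-04-22T09:01:02Z 10.0.5.17 GET https://www.google.com/ 200
2021-04-22T09:01:05Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAFakeTokenForDemoOnly0123456789ABC/getUpdates 200
2021-04-22T09:01:07Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAFakeTokenForDemoOnly0123456789ABC/sendDocument 200
2021-04-22T09:01:09Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAFakeTokenForDemoOnly0123456789ABC/getUpdates 200
2021-04-22T09:01:11Z 10.0.5.40 GET https://web.telegram.org/ 200
""".splitlines()

if __name__ == "__main__":
    print("IoC file present:", ioc_file_present())
    for host_bot, methods in triage(SAMPLE_LOG).items():
        print(host_bot, methods)
```

Run against real proxy or firewall logs, the `triage` output gives one row per internal host and bot id; the bot id survives redaction on purpose, because it is what you hand to Telegram's abuse channel and what lets you tie several infected hosts to the same operator, while the secret is kept out of tickets and chat.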
“Given that Telegram can be used to distribute malicious files, or as a C2 conduit for remote controlled malware, we fully hope that additional tools exploiting this platform will continue to be developed in the future,” the researchers commented.