Telegram is a convenient chat app. Even malware creators think so! ToxicEye is a RAT malware program that piggybacks on Telegram’s network, communicating with its creators through the popular chat service.
Malware That Chats on Telegram
Early in 2021, scores of users left WhatsApp for messaging apps promising better data security after the company’s announcement that it would share user metadata with Facebook by default. A lot of those people went to competing apps Telegram and Signal.
Telegram was the most downloaded app, with over 63 million installations in January of 2021, according to Sensor Tower. Telegram chats aren’t end-to-end encrypted like Signal chats, and now, Telegram has another problem: malware.
Software company Check Point recently discovered that bad actors are using Telegram as a communication channel for a malware program called ToxicEye. It turns out that some of Telegram’s features can be used by attackers to communicate with their malware more easily than through web-based tools. Now, they can mess with infected computers via a convenient Telegram chatbot.
What Is ToxicEye, and How Does It Work?
ToxicEye is a type of malware called a remote access trojan (RAT). RATs can give an attacker control of an infected machine remotely, meaning that they can:
- steal data from the host computer.
- delete or transfer files.
- kill processes running on the infected computer.
- hijack the computer’s microphone and camera to record audio and video without the user’s consent or knowledge.
- encrypt files to extort a ransom from users.
The ToxicEye RAT is spread via a phishing scheme where a target is sent an email with an embedded EXE file. If the targeted user opens the file, the program installs the malware on their device.
RATs are similar to the remote access programs that, say, someone in tech support might use to take command of your computer and fix a problem. But these programs sneak in without permission. They can mimic or be hidden with legitimate files, often disguised as a document or embedded in a larger file like a video game.
How Attackers Are Using Telegram to Control Malware
As early as 2017, attackers have been using Telegram to control malicious software from a distance. One notable example of this is the Masad Stealer program that emptied victims’ crypto wallets that year.
Check Point researcher Omer Hofman says that the company has found 130 ToxicEye attacks using this method from February to April of 2021, and there are a few things that make Telegram useful to bad actors who spread malware.
For one thing, Telegram isn’t blocked by firewall software. It also isn’t blocked by network management tools. It’s an easy-to-use app that many people recognize as legitimate, and thus, let their guard down around.
Registering for Telegram only requires a mobile number, so attackers can remain anonymous. It also lets them attack devices from their mobile device, meaning that they can launch a cyberattack from just about anywhere. Anonymity makes attributing the attacks to someone—and stopping them—extremely difficult.
The Infection Chain
Here’s how the ToxicEye infection chain works:
- The attacker first creates a Telegram account and then a Telegram “bot,” which can carry out actions remotely through the app.
- That bot token is inserted into malicious source code.
- That malicious code is sent out as email spam, which is often disguised as something legitimate that the user might click on.
- The attachment gets opened, installs on the host computer, and sends information back to the attacker’s command center via the Telegram bot.
Because this RAT is sent out via spam email, you don’t even have to be a Telegram user to get infected.
If you think that you might have downloaded ToxicEye, Check Point advises users to check for the following file on your PC: C:UsersToxicEyerat.exe
If you find it on a work computer, erase the file from your system and contact your help desk immediately. If it’s on a personal device, erase the file and run an antivirus software scan right away.
At the time of writing, as of late April 2021, these attacks have only been discovered on Windows PCs. If you don’t already have a good antivirus program installed, now’s the time to get it.
Other tried-and-true advice for good “digital hygiene” also applies, like:
- Don’t open email attachments that look suspicious and/or are from unfamiliar senders.
- Be careful of attachments that contain usernames. Malicious emails will often include your username in the subject line or an attachment name.
- If the email is trying to sound urgent, threatening, or authoritative and pressures you to click on a link/attachment or give sensitive information, it’s probably malicious.
- Use anti-phishing software if you can.
The Masad Stealer code was made available on Github following the 2017 attacks. Check Point says that has led to the development of a host of other malicious programs, including ToxicEye:
“Since Masad became available on hacking forums, dozens of new types of malware that use Telegram for [command and control] and exploit Telegram’s features for malicious activity, have been found as ‘off-the-shelf’ weapons in hacking tool repositories in GitHub.”
Companies that use the software would do well to consider switching to something else or blocking it on their networks until Telegram implements a solution to block this distribution channel.
In the meantime, individual users should keep their eyes peeled, be aware of the risks, and check their systems regularly to root out threats—and maybe consider switching to Signal instead.