ToxicEye: the new malware that is controlled through Telegram bots

ToxicEye, recently discovered by researchers at Check Point, is a new piece of malware classified as a Remote Access Trojan (RAT) that relies on bots of the well-known Telegram platform for its control channel. Since the beginning of the year, more than 130 attacks have been carried out using this technique, and their number will probably grow given its simplicity.

The choice of Telegram as the vehicle for controlling the malware should come as no surprise. Telegram is a legitimate and very widespread messaging platform, also in business environments. Moreover, the availability of clients for many environments, from phones to desktop computers, makes it extremely versatile and widens the pool of potential victims.

What is a RAT and how is ToxicEye made?

A RAT is a type of Trojan that can be delivered to the victim in various apparently harmless ways (in this case through a spam campaign). It is called Remote Access because it gives the attacker administrative control of the computer and therefore the ability to execute any action. These trojans very often bundle multiple functionalities; among those of ToxicEye are:

  • Access to personal data, such as files containing passwords;
  • Deletion and transfer of documents;
  • Complete control over the computer's processes;
  • Remote access to the camera and microphone;
  • Ransomware functionality: disk encryption, with decryption offered in exchange for a ransom.

The attacker acts behind Telegram's infrastructure, controlling the ToxicEye client on the victim's machine.

To provide all these functions a trojan needs a backdoor and works through a three-part mechanism: a client (installed on the victim's machine), the Command and Control server (in this case a Telegram bot) and a scanner. The scanner, which is part of the client component, searches for open ports on the computer in order to establish the connection with the Command and Control server.

Since exposing a control server on the network is both complex and risky for the attacker, in the case of ToxicEye the malware itself carries what it needs to reach the Telegram bot (the bot token). This way the bot effectively becomes the command center, but its traffic is relayed by Telegram's servers and looks entirely legitimate.

The chain of attack

The attack begins with the creation of a Telegram account, for which the attacker only needs a phone number. The bot then created on the platform is tied to the same token embedded in the executable to be installed on the victims' machines.

The human component, however, remains crucial, because the malware is installed by the end user who, unaware of what the received file really is, executes it. The Trojan can be delivered via a spam campaign as an attachment of any kind (from a Word document to a photograph). The quality of the email, meaning how closely it resembles an authentic one, determines the success of the attack.

Once the RAT is installed on the computer, the attacker has full access to the machine and can perform a set of actions through the Telegram bot.

An example of the functionality offered by the new ToxicEye malware via a Telegram bot (Source: Check Point).

How to defend ourselves against ToxicEye and identify it in time

If we have been infected by the malicious program, we will find the rat.exe executable on our computer in the C:\Users\ToxicEye folder. If we are victims of the attack and the computer is a company one, IT support must be contacted as soon as possible so that corrective measures can be taken.
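Because the bot's traffic goes to Telegram's own servers, blocking a domain is not a useful control; what stands out is which process is talking to the Telegram Bot API. The detection logic below is an added example (not from the article or from Check Point's report): it scans constructed endpoint log lines and flags Bot API calls made by any process other than an allow-listed one. The rat.exe path is the one the article gives; the log format, host names and the allow-listed alerts.exe integration are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Every Telegram Bot API request has the form https://api.telegram.org/bot<token>/<method>.
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Constructed log format for this example: "<ts> host=<h> proc=<image path> url=<url>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>.+?) url=(?P<url>\S+)$")

# Location the article gives for the ToxicEye client on an infected machine.
TOXICEYE_IMAGE = r"c:\users\toxiceye\rat.exe"

# Images legitimately allowed to use the Bot API (assumption: one internal alerting
# integration). Anything else calling api.telegram.org deserves a look.
ALLOWED_IMAGES = {r"c:\tools\alert-bridge\alerts.exe"}


class Alert(NamedTuple):
    ts: str
    host: str
    proc: str
    method: str
    reason: str


def inspect_line(line: str) -> Optional[Alert]:
    """Return an Alert when an unexpected process calls the Telegram Bot API."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api = BOT_API_RE.match(m["url"])
    if not api:
        return None  # ordinary Telegram / web traffic is not a Bot API call
    image = m["proc"].lower()
    if image in ALLOWED_IMAGES:
        return None
    reason = "known ToxicEye image path" if image == TOXICEYE_IMAGE else "unexpected process using Telegram Bot API"
    # The token is a secret: report only the API method, never copy the token into alerts.
    return Alert(m["ts"], m["host"], m["proc"], api["method"], reason)


def scan(lines: List[str]) -> List[Alert]:
    return [a for a in map(inspect_line, lines) if a is not None]


# Constructed sample log lines (raw strings so the Windows backslashes survive).
SAMPLE_LOG = [
    r"2021-04-20T09:15:01Z host=WS01 proc=C:\Users\ToxicEye\rat.exe url=https://api.telegram.org/bot123456789:AAExampleTokenValue0000000000000000/getUpdates",
    r"2021-04-20T09:15:03Z host=WS01 proc=C:\Program Files\Mozilla Firefox\firefox.exe url=https://web.telegram.org/",
    r"2021-04-20T09:16:10Z host=SRV02 proc=C:\Tools\alert-bridge\alerts.exe url=https://api.telegram.org/bot987654321:AAExampleTokenValue1111111111111111/sendMessage",
    r"2021-04-20T09:16:44Z host=WS07 proc=C:\Users\alice\AppData\Local\Temp\invoice.exe url=https://api.telegram.org/bot555555555:AAExampleTokenValue2222222222222222/sendDocument",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.proc}: {a.method} ({a.reason})")
```

The `sendDocument` hit on WS07 is the kind of call a RAT makes when it uploads a stolen file, so the API method alone is a useful triage hint even before the binary is examined.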

Naturally, the precautions we have often indicated in our articles still apply:

  • Pay the utmost attention to incoming emails, especially when the sender is unknown;
  • Be prudent in opening attachments: if you are not sure of their authenticity, avoid opening them or have an antivirus program analyze them first;
  • The language of the e-mail can be a warning sign: spelling, vocabulary and syntax errors are typical of phishing e-mails;
  • Always keep systems up to date and consider installing an antivirus program, of course with updated virus definitions.

In conclusion, ToxicEye adds to the plethora of malicious software available to attackers. Unfortunately, in all of this Telegram has gone from being a messaging platform to an attack control tool. The hope is to find systems capable of identifying this kind of activity without monitoring users: a challenge for the future.

The article ToxicEye: the new malware that controls itself through Telegram bots comes from Tech CuE | Close-up Engineering.