Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control (C2) channel, marking a shift from its earlier role as a contact method for ransomware negotiations.
What is Tox?
Tox is a serverless protocol for online communications that provides end-to-end encryption (E2EE) by using the Networking and Cryptography library (NaCl, pronounced “salt”) for encryption and authentication.
“The binary found in the wild is a stripped but dynamic executable, making decompilation easier,” researchers Siddharth Sharma and Nischay Hedge said. “The whole binary seems to be written in C, and has solely statically linked the c-toxcore library.”
It’s worth noting that c-toxcore is a reference implementation of the Tox protocol.
Additionally, the binary can receive different commands over Tox, based on which the shell script is updated or executed on an ad-hoc basis. An “exit” command quits the Tox connection.
Tox has historically been used by ransomware actors as a communication mechanism, but the latest development marks the first time the protocol has been used to run arbitrary scripts on an infected machine.
“While the discussed sample does not do anything explicitly malicious, we feel that it might be a component of a coinminer campaign,” the researchers stated. “Therefore, it becomes important to monitor the network components involved in the attack chains.”
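To show the kind of first-pass triage a defender would run on a sample like the one described above (a stripped, dynamically linked ELF that statically links c-toxcore) and to support the monitoring the researchers call for, the following Python script is an added example written for this page; it is not the researchers' tooling or anything from the c-toxcore project. It parses a 64-bit little-endian ELF header, reports whether a PT_INTERP segment is present (dynamically linked), whether a .symtab section is absent (stripped), and sweeps printable strings for toxcore-looking markers. The indicator substrings, the in-memory ELF image it builds for itself and the paths inside that image are assumptions constructed for the demo, not indicators of compromise taken from the article.

```python
import re
import struct

# ELF constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr

# Assumed marker substrings for a statically linked c-toxcore build.
# Illustrative guesses for this example, not verified IoCs from the article.
TOX_INDICATORS = (b"tox_bootstrap", b"toxcore")


def _cstr(buf, start):
    """Read a NUL-terminated byte string from buf starting at offset start."""
    return buf[start:buf.index(b"\0", start)]


def triage_elf(data, indicators=TOX_INDICATORS):
    """Describe link type, symbol stripping and indicator hits for an ELF64 image.

    Only 64-bit little-endian ELF files are handled, which covers the
    x86-64 sample discussed in the article.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is supported here")

    (_, e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = EHDR.unpack_from(data, 0)

    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]

    # A PT_INTERP segment names the dynamic loader, i.e. the file is dynamically linked.
    interpreter = None
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type == PT_INTERP:
            interpreter = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()

    # "Stripped" here means no .symtab section; names come from the shstrtab section.
    strtab = shdrs[shstrndx]
    names_blob = data[strtab[4]:strtab[4] + strtab[5]]   # sh_offset, sh_size
    section_names = [_cstr(names_blob, sh[0]).decode() for sh in shdrs]
    stripped = not any(sh[1] == SHT_SYMTAB for sh in shdrs)

    # Cheap string sweep: printable runs of 6+ bytes, matched against the markers.
    strings = re.findall(rb"[\x20-\x7e]{6,}", data)
    hits = sorted({ind.decode() for ind in indicators if any(ind in s for s in strings)})

    return {
        "type": {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, hex(e_type)),
        "dynamically_linked": interpreter is not None,
        "interpreter": interpreter,
        "stripped": stripped,
        "sections": section_names,
        "indicators": hits,
    }


def build_sample_elf():
    """Construct a tiny ELF64 image in memory that mimics the described sample:
    PT_INTERP present, no .symtab, toxcore-looking strings inside.
    Constructed for this example only; it is not the real binary."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"            # assumed loader path
    payload = b"tox_bootstrap\0/tmp/update.sh\0exit\0"   # assumed embedded strings
    shstrtab = b"\0.text\0.shstrtab\0"

    interp_off = EHDR.size + PHDR.size
    payload_off = interp_off + len(interp)
    shstr_off = payload_off + len(payload)
    shoff = shstr_off + len(shstrtab)

    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_DYN, 0x3E, 1, 0, EHDR.size, shoff, 0,
                     EHDR.size, PHDR.size, 1, SHDR.size, 3, 2)
    phdr = PHDR.pack(PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + SHDR.pack(1, SHT_PROGBITS, 0, 0, payload_off, len(payload), 0, 0, 1, 0)
             + SHDR.pack(7, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))
    return ehdr + phdr + interp + payload + shstrtab + shdrs


if __name__ == "__main__":
    print(triage_elf(build_sample_elf()))
```

The string sweep is deliberately crude: it is a quick way to flag a file for closer analysis, not a verdict, and the marker list should be replaced with strings you have confirmed from a known-good c-toxcore build before relying on it.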