ToxicEye Remote Access Trojan Exploits Telegram For C&C

Home/Ransomware, Targeted Attacks/ToxicEye Remote Access Trojan Exploits Telegram For C&C

ToxicEye Remote Access Trojan Exploits Telegram For C&C

To steal data from victims and update itself to perform additional malicious activities — Telegram exploited by Remote Access Trojan

ToxicEye Trojan Exploits Telegram

Operators of a new Remote Access Trojan (RAT) are exploiting the Telegram service to maintain control of their malware.

Telegram is a communications channel and instant messaging service used by over 500 million monthly active users, where criminals are increasingly using Telegram for malware control, because it offers several advantages compared to conventional web-based malware administration.

However, recently Check Point Research (CPR) seen a new 130 attacks using a new multi-functional remote access trojan (RAT) dubbed ‘ToxicEye.

On the other hand, If the user opens the attachment, ToxicEye on installing on the victim’s PC and performs a range of exploits including

  • Stealing data
  • Deleting or transferring files
  • Killing processes on the PC
  • Hijacking the PC’s microphone and camera to record audio and video
  • Encrypting files for ransom purposes

and more withoud the victim’s knowledge.

ToxicEye – Infection Chain

The attack chain begins with ToxicEye operators creating a Telegram account and a bot. 

A Telegram bot account is a special remote account with which:

  • users can interact by Telegram chat
  • or by adding them to Telegram groups
  • or by sending requests directly from the input field by typing the bot’s Telegram username and a query.

Certainly, the bot is embedded into the ToxicEye configuration file and compiled into an executable file – paypal checker by saint.exe

Any victim infected with this payload can be attacked via the Telegram bot which connects user’s device back to the attacker’s C&C via Telegram.

In addition, this telegram rat can be downloaded and run by opening a malicious document seen in the phishing emails called solution.doc and by pressing on “enable content.”

Source – CheckPoint

RAT Trojan Functionality

Obviously, every RAT using this method has its own functionality, according to researchers below are the key capabilities:

  • Data stealing features – the RAT can locate and steal passwords, computer information, browser history and cookies.
  • File system control – Deleting and transferring files, or killing PC processes and taking over the PC’s task manager.
  • I/O hijacking – the RAT can deploy a keylogger, or record audio and video of the victim’s surroundings via the PC’s microphone and camera, or hijack the contents of the clipboard.
  • Also, Ransomware features – the ability to encrypt and decrypt victim’s files.

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Trojan Identification

To spot if you have been infected:

  • Search for a file called C:\Users\ToxicEye\rat.exe 
  • Monitor the traffic generated from PCs in your organization to a Telegram C&C 
  • Beware of attachments containing usernames
  • Undisclosed or unlisted recipient(s)
  • Always note the language in the email
  • Deploy an automated anti-phishing solution

Indicators Of Compromise

Telegram RAT projectSamples (sha1)Protection
Telegram Rat 2020173542ba9f3a6b6da172572668b8d105f16eef48
Toxic eye 20202f452f001efd48f76a67c2f880d926e040775048
RAT.Win.ToxicEye.A RAT.Wins.ToxicEye.B
Rat via Telegram 201911cb873cfea6055966ddf78bd3e0c1194586ddacRAT.Win.TelegramRat.B
Teleshadow3 201975f737f1291552a5d44204d30809831e2c29e44fRAT.Win.TelegramRat.C
MASAD 201742c30dc551a3cb3bc935c0eae79b79f17942e439RAT.Win.ChatC2.A
By | 2021-04-23T22:13:37+05:30 April 23rd, 2021|Ransomware, Targeted Attacks|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!