Check Point researchers identified more than 130
cyber attacks using a Remote Access Trojan called ToxicEye. This malware is
managed by cybercriminals through Telegram messenger app.
As per Check Point Research, there is a new trend of
attack among cybercriminals, where Telegram is used as a control-and-command
system to spread malware even popular application is not installed or is not
used, the system allows attackers to send malicious commands and operations
remotely.
Check Point Research explained that they identified
more than 130 cyber attacks that resorted to a Remote Access Trojan (RAT)
called ToxicEye, communicating with their servers and sending all the data
collected there.
ToxicEye is spread via phishing emails embedded with malicious .exe files. Once it open by victim, these
files start installing the malware on the it's equipment and increase a series
of operations that go undetected.
The
Malware can execute the range of exploits without the victim’s knowledge:
- ·
Data theft
- · Delete or transfer files
- · Encrypt files for a ransom (Ransomware)
- ·
Remote control and I/O hijacking
- ·
Installation of a Keylogger
- · Hijack the computer's microphone
and camera to record audio and video from the computer.
How This Attack Infection Chain Works -
The researcher mentioned “ The attacker first creates a Telegram account and a Telegram
‘bot.’ A Telegram bot account is a special remote account with which users can
interact by Telegram chat or by adding them to Telegram groups, or by sending
requests directly from the input field by typing the bot’s Telegram username
and a query.”
Attacker embeds The Telegram bot into the ToxicEye RAT configuration file then compile into an executable file and this executable file (.exe) can be injected into a Word document also. When victim open this doc file or email , this .exe get installed into this computer and make the same infected. Now victim’s computer can be attacked via the Telegram bot and attackers control this system.
Cybercriminals find Telegram as an essential part of their attacks and it allows attackers to remain anonymous as the registration process only requires a mobile number, The messaging app Telegram is not blocked by antivirus solutions or network security tools.
Attackers can easily extract data
from users equipment or transfer new malicious files to infected devices. Hackers
can use their mobile phone to access infected computers from any location in
the world.
Identify if your system is compromised and tips to strengthen security
- Search for RAT file - First of all you should search your computer for the file (rat.exe) in location (without quotes): “C: \ Users \ ToxicEye \ rat.exe if this file exists on your computer, you must immediately contact your helpdesk and delete this file.
- Traffic Monitoring - You can monitor the traffic generated from your personal or organization's system to Telegram C&C accounts. If you see such traffic and Telegram is not installed as a business solution, this is an indication that system has been compromised.
- Identify Phishing or Malicious Emails - It is very important to beware of any kind of attachments files that have usernames because malicious/spam emails often use the your username as the subject line or name of the file. These could be suspicious emails and you should not open these attachments, delete the email immediately and not reply to the sender. If you receive an email from unlisted or undisclosed sender it indicates that the email is malicious or phishing.
- Anti-Phishing Software - In order to minimize the risks phishing attacks for an organization, it is AI-based anti-phishing software that is able to identify and block malicious content from all communication services (i.e. emails )and platforms (i.e. computers, handheld devices)
