In early 2021, many users abandoned WhatsApp for messaging apps that promised better data privacy, after the company announced that it would share users’ metadata with Facebook by default. Many of them turned to competing apps such as Telegram and Signal.
Telegram was the most downloaded app of all, with more than 63 million installs in January 2021.
However, Telegram chats are not end-to-end encrypted by default the way Signal conversations are (only its optional “secret chats” are), and the app now has another problem: it is being used as malware infrastructure.
Security company Check Point recently found that criminal groups are using Telegram as the command-and-control channel for a malware strain called ToxicEye. Telegram’s bot features let attackers talk to their malware more conveniently than a self-hosted web control panel would, and attackers can now issue commands to infected computers through a Telegram bot.
What is ToxicEye and How does It Work?
ToxicEye is a remote access Trojan (RAT). A RAT gives an attacker remote control of an infected machine, which means they can:
- Steal data from the host computer.
- Delete or move files.
- Kill processes running on the infected computer.
- Hijack the microphone and webcam to record audio and video without the victim’s consent.
- Encrypt files and demand a ransom from the victim.
ToxicEye spreads through a phishing campaign: an email carrying an embedded EXE file is sent to the target. If the recipient runs the file, it installs the RAT on the device.
A RAT is similar to the remote access software that technical support agents use to take control of your computer and fix a problem. The difference is that a RAT is installed without permission. RATs often mimic or hide among legitimate files, disguised as documents or embedded in a larger download such as a video game.
How do hackers use Telegram to control malware?
Attackers were already using Telegram to remotely control malware in 2017. An example is the Masad Stealer, which emptied victims’ cryptocurrency wallets that year.
Check Point researcher Omar Hoffman says the company detected 130 attacks using ToxicEye in this way between February and April 2021.
Beyond that, several Telegram features make it attractive to attackers who want to distribute and control malware.
For one thing, Telegram traffic is rarely blocked by firewalls or network monitoring tools: the Telegram Bot API that such malware talks to is plain HTTPS to api.telegram.org, so a RAT’s command traffic looks like any other web request. Telegram is also an easy-to-use app that many people recognise as legitimate, so they let their guard down.
Signing up for Telegram requires only a mobile phone number, so attackers can remain effectively anonymous. It also lets them operate from their own mobile devices, which means they can run a campaign from anywhere. That anonymity makes it extremely difficult to attribute attacks to a person and stop them.
Here’s how the ToxicEye infection chain works:
1. The attacker first creates a Telegram account and then a Telegram “bot”, an account that can be driven programmatically through the app.
2. The bot’s token is bundled into the RAT’s configuration, so the malware knows which bot to report to.
3. The malware is sent out as spam email, usually disguised as something legitimate that the recipient will click on.
4. Once the attachment is opened and installed on the victim’s computer, the RAT connects to Telegram, and the attacker controls it, and receives its stolen data, through the bot.
Because the RAT is delivered via spam, you don’t need to be a Telegram user to get infected.
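The point made above about firewalls, and the infection chain just described, have a defensive flip side: because every Bot API call carries the bot token in its URL path, a web proxy log is enough to spot a RAT beaconing to its operator and to recover the token as an indicator. The following is an added example written for this article, not Check Point’s code or anything from the ToxicEye samples; the log line format, host names, process names and both bot tokens are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Telegram's Bot API is ordinary HTTPS to api.telegram.org, and every call carries
# the bot token in the URL path: https://api.telegram.org/bot<token>/<method>.
# Tokens have the shape "<numeric bot id>:<secret>"; the secret is about 35
# characters of [A-Za-z0-9_-] in practice (an observation, not a documented
# contract, hence the tolerant length range below).
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,50})/(?P<method>\w+)"
)

# Methods a RAT needs for a command loop: poll for operator commands, report
# results, exfiltrate files. Interactive Telegram clients never call the Bot API.
C2_METHODS = frozenset({"getUpdates", "sendMessage", "sendDocument", "sendPhoto"})

# Constructed proxy log sample (not real data). Assumed line format:
# <timestamp> <client-host> <process> <verb> <url>
SAMPLE_LOG = """\
2021-04-20T09:00:30Z alerts-01 python3 POST https://api.telegram.org/bot987654321:BBz1Q2w3E4r5T6y7U8i9O0pA1s2D3f4G5h6/sendMessage
2021-04-20T09:01:02Z ws-017 chrome.exe GET https://web.telegram.org/k/
2021-04-20T09:01:05Z ws-017 chrome.exe GET https://api.telegram.org/
2021-04-20T09:02:10Z ws-042 rat.exe GET https://api.telegram.org/bot123456789:AAH2x9yq-Lm3K8pQ7rT1uV4wX5yZ6aB7cD8/getUpdates?offset=12
2021-04-20T09:02:11Z ws-042 rat.exe POST https://api.telegram.org/bot123456789:AAH2x9yq-Lm3K8pQ7rT1uV4wX5yZ6aB7cD8/sendMessage
2021-04-20T09:02:40Z ws-042 rat.exe POST https://api.telegram.org/bot123456789:AAH2x9yq-Lm3K8pQ7rT1uV4wX5yZ6aB7cD8/sendDocument
2021-04-20T09:03:00Z ws-099 Telegram.exe GET https://t.me/somechannel
"""


@dataclass
class Finding:
    host: str
    process: str
    token: str
    methods: set = field(default_factory=set)
    hits: int = 0

    @property
    def c2_pattern(self) -> bool:
        # getUpdates alone is a beacon; paired with a send* method it is a full
        # command-and-report loop.
        return "getUpdates" in self.methods and bool(
            self.methods & (C2_METHODS - {"getUpdates"})
        )


def detect_bot_api_c2(log_text: str, allowed_hosts=frozenset()) -> dict:
    """Group Bot API calls by (host, token). Hosts on the allow-list (your own
    alerting bots) are skipped so that only unexpected callers surface."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, host, process, _verb, url = parts[:5]
        if host in allowed_hosts:
            continue
        m = BOT_CALL.search(url)
        if not m:
            continue
        key = (host, m["token"])
        finding = findings.setdefault(key, Finding(host, process, m["token"]))
        finding.methods.add(m["method"])
        finding.hits += 1
    return findings


def report(findings) -> list:
    """Flatten findings into alert rows. The token is the key IOC: block it at
    the proxy, hunt for it on other hosts and report it to Telegram."""
    return sorted(
        (f.host, f.process, f.token, "c2-loop" if f.c2_pattern else "bot-api-call", f.hits)
        for f in findings.values()
    )


if __name__ == "__main__":
    for row in report(detect_bot_api_c2(SAMPLE_LOG)):
        print(*row)
```

The browser visits to api.telegram.org and web.telegram.org are not flagged because they carry no bot token; the internal alerting bot is flagged only until its host is put on the allow-list, which is the intended tuning step. Keying by (host, token) rather than by host alone means the same token turning up on a second workstation is immediately visible as the same campaign.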
How do you stay safe?
If you think you have been infected with ToxicEye, Check Point recommends checking for the following file on your computer: C:\Users\ToxicEye\rat.exe
If you find it on a work computer, delete it and contact your help desk immediately. If it is on a personal device, delete the file and run a full antivirus scan immediately. Treat the file as one indicator rather than the whole infection: a RAT may have set up persistence elsewhere, so the scan is not optional.
At the time of writing, in late April 2021, these attacks have only been seen on Windows PCs. If you haven’t already installed a reputable antivirus, now is the time.
Other proven ‘digital hygiene’ tips apply too:
- Don’t open email attachments that look suspicious and/or come from unknown senders.
- Beware of attachments whose names contain your username. Malicious emails often put your username in the subject line or the attachment’s filename to look personalised.
- If an email tries to seem urgent, threatening or authoritative and pressures you to click a link, open an attachment or hand over sensitive information, it is probably malicious.
- Use anti-phishing software.
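The hygiene rules in the list above are also the rules a mail gateway can apply mechanically. The following is an added example written for this article, not code from Check Point or from any anti-phishing product: it parses a message with Python’s standard `email` module and records which of the rules it trips (external sender, username in the subject or attachment name, urgency wording, an executable or double-extension attachment). Both sample messages, the sender and recipient addresses, the urgency word list and the block/review thresholds are constructed assumptions to be tuned per environment.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from os.path import splitext

# Phrases that press the reader to act now (assumed starter list; extend per environment).
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account will be suspended|final notice|action required)\b",
    re.IGNORECASE,
)
# Extensions Windows executes directly on double-click.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
# Document-looking extensions commonly used as the first half of a double extension.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Constructed phishing sample (not a real campaign artifact). The attachment body is a
# few bytes of base64 standing in for an EXE; it is never decoded.
SAMPLE_EMAIL = """\
From: "IT Service Desk" <helpdesk@example-corp-support.com>
To: jdoe@example-corp.com
Subject: URGENT: jdoe, your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached report immediately to keep your mailbox active.
--b1
Content-Type: application/octet-stream; name="jdoe_report.pdf.exe"
Content-Disposition: attachment; filename="jdoe_report.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed benign sample for comparison.
BENIGN_EMAIL = """\
From: "Ann Lee" <alee@example-corp.com>
To: jdoe@example-corp.com
Subject: Canteen menu for next week
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Attached is next week's menu.
--b2
Content-Type: application/pdf; name="menu.pdf"
Content-Disposition: attachment; filename="menu.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def triage(raw: str) -> dict:
    """Apply the hygiene rules to one RFC 5322 message and return the reasons it
    trips plus a verdict, so the result can feed a quarantine rule or a ticket."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    user, _, rcpt_domain = recipient.partition("@")
    sender_domain = sender.rpartition("@")[2]
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    reasons = []
    if sender_domain and sender_domain != rcpt_domain:
        reasons.append(f"external sender domain: {sender_domain}")
    if user and re.search(rf"\b{re.escape(user)}\b", subject, re.IGNORECASE):
        reasons.append(f"recipient username '{user}' in subject")
    if URGENCY.search(subject) or URGENCY.search(body):
        reasons.append("urgency/pressure language")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = splitext(name.lower())
        if ext in EXEC_EXT:
            reasons.append(f"executable attachment: {name}")
            inner = splitext(stem)[1]
            if inner in DOC_EXT:
                reasons.append(f"double extension disguises executable as {inner}")
        if user and user in name.lower():
            reasons.append(f"recipient username '{user}' in attachment name")

    executable = any(r.startswith("executable attachment") for r in reasons)
    verdict = "block" if executable or len(reasons) >= 3 else ("review" if reasons else "pass")
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for sample in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(triage(sample))
```

An executable attachment is reason enough to block on its own, since there is no business case for mailing an EXE to a user; the remaining signals (external sender, personalised filename, urgency) are weak individually and are only combined into a verdict when several coincide, which keeps ordinary external mail at “review” or “pass”.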
Masad Stealer’s code was published on GitHub after the 2017 attacks, and Check Point says its availability led to a series of other malware families, including ToxicEye:
“Since Masad became available on hacking forums, dozens of new types of malware have been found that use Telegram for command and control and exploit Telegram’s capabilities for malicious activities, as ‘ready-to-use’ weapons in hacking tool repositories on GitHub.”
Companies that use Telegram should consider switching to another tool or blocking it on their networks until Telegram implements a fix for this distribution channel. Bear in mind that blocking api.telegram.org will also cut off any legitimate bots the organisation runs.
Meanwhile, individual users should stay alert, be aware of the risks, regularly check their systems for threats and perhaps consider switching to Signal.