The Check Point research team discovered that cybercriminals control the ToxicEye malware through Telegram: the messenger is used as the malware's command-and-control (C&C) server.
Even when Telegram is not installed or used on the victim's machine, the attackers can remotely send commands to the malware and carry out operations through the messenger's infrastructure.
Over the past three months, researchers have tracked more than 130 such cyberattacks.
ToxicEye operators distribute their malware disguised as email attachments. Having gained access to the victim's system and its data, they also get the opportunity to install other malware on the device.
Typically, the attack proceeds as follows.
- The attacker starts by creating a Telegram account and a dedicated bot.
- The bot token is embedded in the chosen malware sample.
- The malware is then spread through spam campaigns as an attachment. For example, one of the files identified by the researchers was called “PayPal Checker by saint.exe”.
- Next, a potential victim opens the malicious attachment, and it connects to Telegram. Any device infected with ToxicEye can then be controlled through the Telegram bot, which links the victim to the attackers' C&C server.
- The attacker gains the ability to manage files (including deleting them); steal data (for example, from the clipboard, passwords, computer information, browser history and cookies); record audio and video; and encrypt files and install ransomware.
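The attack chain above gives a defender two concrete hooks: an infected host has to reach Telegram's Bot API to fetch commands, and the sample carries a bot token. The following Python script is an added example written for this page (it is not Check Point's code and not a ToxicEye artefact): it flags processes contacting the Bot API that are not on an explicit allow-list, and scans a file for bot-token-shaped strings. The log format, host names, process names, the allow-list and the attachment bytes are constructed for the example; the token regex is an approximation of the public token format, not something taken from the article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Public hostname of Telegram's Bot API; a bot-controlled implant has to reach it.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>". The digit
# count and secret alphabet below are an assumption approximating the public
# token format; tune them if you see false positives or misses.
BOT_TOKEN_RE = re.compile(rb"(?<![0-9])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")


@dataclass
class Alert:
    host: str
    process: str
    destination: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one tab-separated record: ts, host, process, dst_host, dst_port.
    This record layout is constructed for the example; adapt it to your proxy
    or EDR export."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, host, process, dst, port = parts
    return {"ts": ts, "host": host, "process": process, "dst": dst, "port": port}


def detect_bot_api_contact(lines: Iterable[str], approved: frozenset = frozenset()) -> List[Alert]:
    """Flag every process that talks to the Bot API unless the (host, process)
    pair is on an explicit allow-list of sanctioned automation. Nothing else on
    a workstation has a reason to reach that endpoint."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"].lower() not in TELEGRAM_API_HOSTS:
            continue
        if (rec["host"], rec["process"].lower()) in approved:
            continue
        alerts.append(Alert(rec["host"], rec["process"], rec["dst"],
                            "Telegram Bot API contacted by unapproved process"))
    return alerts


def find_bot_tokens(data: bytes) -> List[str]:
    """Return bot-token-shaped strings embedded in a file; a hit inside a mail
    attachment is a strong reason to quarantine it for analysis."""
    return [m.decode("ascii") for m in BOT_TOKEN_RE.findall(data)]


# Constructed sample log (not real telemetry). The first line reuses the
# attachment name quoted in the article; hosts and other processes are made up.
SAMPLE_LOG = [
    "2021-04-20T10:15:02Z\tWS-0142\tPayPal Checker by saint.exe\tapi.telegram.org\t443",
    "2021-04-20T10:15:09Z\tWS-0007\tops-bot.exe\tapi.telegram.org\t443",
    "2021-04-20T10:16:41Z\tWS-0007\tsvchost.exe\tapi.telegram.org\t443",
    "2021-04-20T10:17:00Z\tWS-0142\tchrome.exe\twww.example.com\t443",
]
# Hypothetical sanctioned automation host/process pair.
APPROVED = frozenset({("WS-0007", "ops-bot.exe")})

# Constructed file contents: one token-shaped string in a Bot API URL path,
# plus the decoy "12:34" that must not match.
SAMPLE_ATTACHMENT = (b"...GET /bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/getUpdates"
                     b" ... build 12:34 ...")


def run_demo():
    """Run both checks over the constructed samples and return their results."""
    return detect_bot_api_contact(SAMPLE_LOG, APPROVED), find_bot_tokens(SAMPLE_ATTACHMENT)


if __name__ == "__main__":
    alerts, tokens = run_demo()
    for a in alerts:
        print(f"[ALERT] {a.host}: {a.process} -> {a.destination} ({a.reason})")
    print("token-shaped strings:", tokens)
```

The allow-list is deliberately a (host, process) pair rather than a process name alone, since a sample can be named anything; in practice you would key it on a code-signing identity or file hash instead. The token scan is cheap enough to run on every inbound attachment, and a match is worth far more than a generic "suspicious executable" verdict because it points directly at the bot the sample would report to.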
The researchers note that using Telegram is a very smart move, because Telegram is a legitimate and easy-to-use service whose traffic is usually not blocked by corporate anti-virus solutions. It also lets criminals remain anonymous, as registration requires only a mobile phone number.
“We urge Telegram organizations and users to keep abreast of the latest phishing attacks and be highly suspicious of emails with a username or organization name embedded in the subject. Given that Telegram can be used to distribute malicious files or as a control channel for malware, we expect attackers to continue to develop tools that use this platform in the future,” said Idan Sharabi, research and development manager at Check Point Software Technologies.
Let me remind you that I also said that HackBoss malware spreads via Telegram and steals cryptocurrency.