Cybercriminals Using Telegram Messenger to Control ToxicEye Malware

Nested Applications

Asset Publisher

News

Multiple security vulnerabilities in Zimbra email collaboration software that could be potentially exploited to compromise email accounts by sending a malicious message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure.

Microsoft rolled out Patch Tuesday updates for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attacks in the wild, potentially enabling an adversary to take control of affected systems.

SolarWinds, the Texas-based company that became the epicenter of a massive supply chain attack late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.

Microsoft has shipped an emergency out-of-band security update to address a critical zero-day vulnerability — known as "PrintNightmare" — that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems.

As ransomware attacks against critical infrastructure skyrocket, new research shows that threat actors behind such disruptions are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major targets.

We are a member of First

We are a member of First

 

 

contactpic

 

 

Most Viewed Assets

null Cybercriminals Using Telegram Messenger to Control ToxicEye Malware

Adversaries are increasingly abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems.

"Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app," said researchers from cybersecurity firm Check Point, who have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called "ToxicEye."

 

The use of Telegram for facilitating malicious activities is not new. In September 2019, an information stealer dubbed Masad Stealer was found to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel. Then last year, Magecart groups embraced the same tactic to send stolen payment details from compromised websites back to the attackers.

 

The strategy also pays off in a number of ways. For a start, Telegram is not only not blocked by enterprise antivirus engines, the messaging app also allows attackers to remain anonymous, given the registration process requires only a mobile number, thereby giving them access to infected devices from virtually any location across the world.

 

The latest campaign spotted by Check Point is no different. Spread via phishing emails embedded with a malicious Windows executable file, ToxicEye uses Telegram to communicate with the command-and-control (C2) server and upload data to it. The malware also sports a range of exploits that allows it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for a ransom.

 

Specifically, the attack chain commences with the creation of a Telegram bot by the attacker, which is then embedded into the RAT's configuration file, before compiling it into an executable (e.g. "paypal checker by saint.exe"). This .EXE file is then injected into a decoy Word document ("solution.doc") that, when opened, downloads and runs the Telegram RAT ("C:\Users\ToxicEye\rat.exe").

 

"We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations," Check Point R&D Group Manager Idan Sharabi said. "We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions."

Nested Applications

Contact Us

Free Call[OH]: 933

Phone Number: +251-993939270

                            +251-993531965

                            +251-944-33-68-02

E-mail: ethiocert@insa.gov.et

P.O.Box: 124498

Asset Publisher

tools

Nested Applications

Asset Publisher

values

Values

  • Trustworthiness
  • Innovation
  • Scientific
  • Democracy
  • Synergy
  • Saving