Hackers Use Telegram for Remote Control of New Malware
April 2021 by Check Point Research Team
Check Point Research (CPR) is warning of a growing cyber threat in which hackers use Telegram, the instant messaging app with over 500 million active users, as a command and control system to distribute malware to organizations. Even when Telegram is not installed or being used on target machines, hackers can send malicious commands and operations remotely via the instant messaging app using a Telegram ‘bot’ embedded in the malware. Recipients of the malware are subjected to:
• File system control (files and processes can be deleted/killed)
• Data leaks (data can be copied from the PC clipboard, or audio and video recorded via the PC’s microphone and camera)
• File encryption (ransomware installation)
The warning from CPR comes after it tracked over 130 cyber-attacks within the past three months that used a remote access trojan (RAT) dubbed ‘ToxicEye’. A RAT is a type of malware that provides the attacker with full remote control over a PC. ToxicEye is managed by attackers over Telegram, communicating with the attacker’s server and exfiltrating data to it.
ToxicEye is initially spread via phishing emails containing a malicious .exe file. After a recipient opens the attachment, ToxicEye installs itself onto the victim’s PC and carries out a range of malicious actions without the victim’s knowledge.
ToxicEye infection chain
CPR has outlined the infection chain of the attack:
1. The attacker first creates a Telegram account and a dedicated Telegram bot. A bot is a special remote account that users interact with through Telegram chat, by adding it to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username followed by a query.
2. The bot token is bundled with the chosen malware.
3. The malware is spread via mail spam campaigns as an email attachment. An example of a file name CPR found was ‘paypal checker by saint.exe’.
4. The victim opens the malicious attachment which connects to Telegram. Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram.
5. The attacker gains full control of the victim’s machine and can run a range of malicious activities.
Figure 1. Flow of Infection Chain
Why hackers are targeting Telegram
CPR’s latest research unveils a growing trend in the popularity of Telegram-based malware, in step with the growing usage of the messaging service worldwide. Dozens of new types of Telegram-based malware have been found as ‘off-the-shelf’ weapons in hacking tool repositories on GitHub. Cyber criminals have made Telegram an integral part of their attacks because of a number of operational benefits, such as:
• Telegram goes unblocked. It is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools.
• Retains anonymity. Attackers can remain anonymous, as the registration process requires only a mobile number, which is easily procured.
• Easy exfiltration. The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines.
• From any location. Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.
Idan Sharabi, R&D Group Manager at Check Point Software said: “We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command & control system for malware distribution into organizations. This system allows the malware used to receive future commands and operations remotely, even if Telegram is not installed or used on the target PC. The malware that hackers used here is easily found on easily-accessible places like Github. We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, which enables the hackers’ actions to bypass security restrictions.
“We strongly urge organizations and Telegram users to be aware of malicious emails and to be more suspicious of emails that embed their username in the subject, or emails that include broken language. Given that Telegram can be used to distribute malicious files, or as a command and control channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”
Safety tips for dealing with ToxicEye
1. Search for a file called C:\Users\ToxicEye\rat.exe – if this file exists on your PC, you have been infected and should immediately contact your helpdesk and erase this file from your system.
2. Monitor the traffic generated from PCs in your organization to a Telegram C&C – if such traffic is detected, and Telegram is not installed as an enterprise solution, this is a possible indicator of compromise.
3. Beware of attachments containing usernames: malicious emails often use your username in their subject line or in the file name of the attachment. These are signs of a suspicious email: delete such emails, and never open the attachment nor reply to the sender.
4. Look for undisclosed or unlisted recipient(s) – if the email recipients have no names, or the names are unlisted or undisclosed, this is a good indication that the email is malicious and / or a phishing email.
5. Always note the language in the email – Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.
6. Deploy an automated anti-phishing solution. Minimizing the risk of phishing attacks to the organization requires AI-based anti-phishing software capable of identifying and blocking phishing content across all of the organization’s communication services (email, productivity applications, etc.) and platforms (employee workstations, mobile devices, etc.). This comprehensive coverage is necessary since phishing content can come over any medium, and employees may be more vulnerable to attacks when using mobile devices.
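The following script is an added example written for this page, not Check Point’s code or part of the ToxicEye research. It turns tips 1 and 2 above into a repeatable triage check: it looks for the quoted IoC path in a list of files found on a host, and it parses proxy log lines to find hosts that talk to Telegram’s Bot API without Telegram appearing in the software inventory. It assumes that Telegram bot traffic is served from the host api.telegram.org (a property of Telegram’s Bot API, not stated in the article); the proxy log lines, host names and inventory are constructed sample data.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Indicator of compromise named in tip 1 of the article.
TOXICEYE_IOC_PATH = PureWindowsPath(r"C:\Users\ToxicEye\rat.exe")

# Assumption: Telegram bot command-and-control traffic goes to the Bot API host.
TELEGRAM_API_HOST = "api.telegram.org"

# Constructed proxy log sample: "<timestamp> <client_host> <method> <target>"
SAMPLE_PROXY_LOG = """\
2021-04-20T09:12:01Z WS-FIN-07 CONNECT api.telegram.org:443
2021-04-20T09:12:05Z WS-FIN-07 GET https://api.telegram.org/
2021-04-20T09:13:44Z WS-HR-02 GET https://www.example.com/
2021-04-20T09:15:10Z WS-MKT-11 CONNECT api.telegram.org:443
"""

# Constructed software inventory: host -> installed applications.
SAMPLE_INVENTORY = {
    "WS-FIN-07": ["Microsoft Office"],
    "WS-HR-02": ["Telegram Desktop"],
    "WS-MKT-11": ["Telegram Desktop", "Slack"],
}

_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$"
)


def check_ioc_path(files_on_host):
    """Tip 1: True if the ToxicEye IoC path is present.

    PureWindowsPath compares case-insensitively, so differences in letter case
    or separator style in the collected file list do not hide a match.
    """
    return any(PureWindowsPath(f) == TOXICEYE_IOC_PATH for f in files_on_host)


def parse_proxy_log(text):
    """Parse the simple proxy log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = _LOG_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def _target_host(method, target):
    """Extract the destination host from a CONNECT target or a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlparse(target).hostname or "").lower()


def hosts_reaching_telegram(records):
    """Set of client hosts that contacted the Telegram Bot API host."""
    return {
        r["host"]
        for r in records
        if _target_host(r["method"], r["target"]) == TELEGRAM_API_HOST
    }


def suspect_hosts(records, inventory):
    """Tip 2: hosts reaching the Telegram API with no Telegram software installed.

    A host missing from the inventory is treated as having nothing installed,
    so it is flagged rather than silently ignored.
    """
    flagged = []
    for host in sorted(hosts_reaching_telegram(records)):
        installed = inventory.get(host, [])
        if not any("telegram" in app.lower() for app in installed):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    # Constructed file listing standing in for output of a host file search.
    found_files = [r"C:\Windows\notepad.exe", r"c:\users\toxiceye\RAT.EXE"]
    print("IoC path present:", check_ioc_path(found_files))
    records = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("Hosts to investigate:", suspect_hosts(records, SAMPLE_INVENTORY))
```

In the sample data, WS-MKT-11 reaches Telegram but has Telegram Desktop installed, so it is not flagged, while WS-FIN-07 reaches the API with no Telegram software and is reported. Feeding the script real proxy exports and a real inventory requires only adapting the regular expression to the log format in use.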