New Trojan Steals Telegram Users’ Data


WhatsApp’s troubles started in 2021, when it updated its privacy policy. The new terms were originally due to take effect in January 2021, but after millions of users complained, the company postponed the deadline to May 15. The catch is that users who do not accept the new terms and conditions by that date will be blocked from sending or receiving any messages on the platform. This sent many WhatsApp users looking for alternatives, and Signal and Telegram gained a huge number of migrating users as a result. In particular, tens of millions of users switched from WhatsApp to Telegram, believing the latter to be more secure and easier to use. It is certainly a lightweight messaging app. But is it secure enough?

It turns out that attackers are using Telegram as a command-and-control (C&C) channel for malware planted inside organizations, with the main purpose of capturing sensitive information from the targeted systems. To put the scale in perspective: in January 2021, Telegram was the most downloaded app worldwide, with more than 63 million installs and 500 million monthly active users. Popularity on that scale attracts not only new users but also the cyber-criminal community.

Why is Telegram Attractive To Adversaries?

You do not have to use Telegram to become a victim. The point is that the malware talks to its operator through Telegram, so an attacker can send malicious commands to an infected machine, and run operations on it, remotely through the instant messaging service, whether or not the user has the app. Over 130 such attacks have been recorded in the past three months, all of them using a new multi-functional remote access trojan (RAT) called “ToxicEye.”


Why do attackers favor this particular messaging app? There are several reasons. Telegram is not only allowed by enterprise antivirus engines, it also lets attackers remain anonymous: registering an account requires nothing more than a mobile number, so the command infrastructure is cheap to set up and hard to attribute.

Using Telegram For Getting Users’ Data

In fact, this is not new. Back in September 2019, Masad Stealer, an information stealer, was found to plunder data and cryptocurrency wallet information from infected computers, using Telegram as its exfiltration channel. In 2020, Magecart groups used the same tactic, sending payment details stolen from compromised websites back to the attackers over Telegram.

The latest case was discovered by Check Point. As noted, the attackers are using a new RAT called ToxicEye, which spreads via email messages carrying a malicious .exe attachment. Once the user opens the attachment, ToxicEye installs itself on the victim’s PC like any other Trojan. From there it can perform a range of harmful operations: stealing data, deleting or transferring the user’s files, killing specific processes on the PC, and so on.

How ToxicEye Works In Telegram

The first thing the attacker does is create a Telegram account and a Telegram ‘bot.’ The bot (in practice, its API token) is embedded in the ToxicEye RAT’s configuration file, so anyone who opens the infected file ‘activates’ the bot. The rest is a matter of technique: the implant uses the bot to connect the victim’s device back to the attacker’s C&C over Telegram, and every command in and every stolen file out travels through that channel.
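That design leaves two things a defender can look for: the bot token has to be stored somewhere in the implant, and the implant has to talk to api.telegram.org, polling getUpdates for commands and calling the send* methods to return stolen data. The script below is an added example, not code from this article or from Check Point; the token regex (numeric bot id, colon, 35-character secret) is an approximation of the real token shape, and the configuration fragment and proxy log lines are constructed for the example, as is the assumed log layout of timestamp, source IP, verb, URL.

```python
import re
from collections import Counter, defaultdict

# Approximation of a Telegram bot token: "<numeric bot id>:<35-char secret>".
# Assumption for this example, not a pattern taken from the article.
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z_-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![0-9A-Za-z_-])")

# Bot API call in a request URL. getUpdates is how a bot *pulls* operator
# commands (so a RAT calls it over and over); the send* methods push data
# (files, screenshots, keystrokes) back to the operator's chat.
BOT_URL_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/([A-Za-z]+)")
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo"}


def find_embedded_tokens(blob: bytes) -> list[str]:
    """Return every bot-token-shaped string in a file, config or memory dump."""
    # latin-1 maps every byte to a code point, so arbitrary binary never fails to decode.
    return TOKEN_RE.findall(blob.decode("latin-1"))


def redact(token: str) -> str:
    """Keep the bot id (useful for blocking and correlation), hide the secret."""
    bot_id, _ = token.split(":", 1)
    return f"{bot_id}:<redacted>"


def summarize_proxy_log(lines: list[str]) -> dict:
    """Group Bot API calls by source host: which bot ids, which methods, how often.

    Assumed log shape (constructed for this example): '<ts> <src_ip> <verb> <url> ...'.
    """
    per_host = defaultdict(lambda: {"tokens": set(), "methods": Counter()})
    for line in lines:
        m = BOT_URL_RE.search(line)
        if not m:  # ordinary Telegram client traffic never hits /bot<token>/
            continue
        src = line.split()[1]
        token, method = m.group(1), m.group(2)
        per_host[src]["tokens"].add(redact(token))
        per_host[src]["methods"][method] += 1
    return dict(per_host)


def flag_hosts(summary: dict, poll_threshold: int = 3) -> list[str]:
    """Hosts that behave like a Telegram-controlled implant: repeated getUpdates
    polling (command channel) and/or send* calls (exfiltration). A human using
    Telegram never calls the Bot API from their workstation at all."""
    flagged = []
    for host, info in summary.items():
        polls = info["methods"].get("getUpdates", 0)
        exfil = any(m in EXFIL_METHODS for m in info["methods"])
        if polls >= poll_threshold or exfil:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample data: a config fragment as it might sit in an implant's
# resources, and a few proxy log lines. Not from any real sample.
SAMPLE_CONFIG = (
    b"\x00\x00[settings]\r\nbot_token=1234567890:AAFakeTokenForTestingPurposesOnly01\r\n"
    b"chat_id=987654321\r\nautostart=1\x00"
)
SAMPLE_LOG = [
    "2021-04-22T10:00:01Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAFakeTokenForTestingPurposesOnly01/getUpdates?offset=1 200",
    "2021-04-22T10:00:31Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAFakeTokenForTestingPurposesOnly01/getUpdates?offset=2 200",
    "2021-04-22T10:01:01Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAFakeTokenForTestingPurposesOnly01/getUpdates?offset=3 200",
    "2021-04-22T10:01:05Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAFakeTokenForTestingPurposesOnly01/sendDocument 200",
    "2021-04-22T10:02:10Z 10.0.0.30 CONNECT web.telegram.org:443 200",  # a person using Telegram Web
]

if __name__ == "__main__":
    for tok in find_embedded_tokens(SAMPLE_CONFIG):
        print("embedded bot token:", redact(tok))
    summary = summarize_proxy_log(SAMPLE_LOG)
    for host, info in summary.items():
        print(host, dict(info["methods"]), sorted(info["tokens"]))
    print("suspicious hosts:", flag_hosts(summary))
```

Two caveats for real deployments: a proxy only sees the /bot<token>/ path when it terminates TLS, so without inspection the signal degrades to "api.telegram.org from a host that runs no Telegram client", which is still worth alerting on; and the bot id recovered from a config or a URL is the handle to report to Telegram for takedown, so keep it even when you redact the secret.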
