It turns out hackers are using Telegram as a “command-and-control” system to distribute malware into organizations. The main purpose is to capture sensitive information from targeted systems. To grasp the scale involved, consider that in January 2021 Telegram was the most downloaded app worldwide, with more than 63 million installs and 500 million monthly active users. As you would expect, Telegram’s popularity attracts not only new users but also the cyber-criminal community.
Why is Telegram Attractive To Adversaries?
You don’t have to be a Telegram user to become a victim. What matters is that the platform allows hackers to send malicious commands and operations remotely via the instant messaging app. Because of this, there have been over 130 attacks in the past three months. Adversaries are using a new multi-functional remote access trojan (RAT) called “ToxicEye.”
Still, it is worth asking why hackers target this IM app in particular. There are several reasons. For one, Telegram is not only permitted by enterprise antivirus engines, it also lets hackers remain anonymous. The registration process in Telegram requires only a mobile number, so anyone can set up an account to run attacks with very little traceable identity.
Using Telegram For Getting Users’ Data
In fact, this is not new. Back in September 2019, Masad Stealer, an information stealer, was found to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel. Moreover, in 2020, Magecart groups used the same tactic, sending stolen payment details from compromised websites back to the attackers over Telegram.
The latest case was discovered by Check Point. As noted, attackers are using a new RAT called ToxicEye, which spreads via email. The message carries a malicious .exe file. Once a user opens the attachment, ToxicEye installs itself on the victim’s PC like any other Trojan. It can then perform various harmful operations such as stealing data, deleting or transferring the user’s files, killing specific processes on the PC, and so on.
How ToxicEye Works In Telegram
The first thing an attacker does is create a Telegram account and a Telegram ‘bot.’ The bot is embedded into the ToxicEye RAT configuration file, so anyone who opens the infected file ‘activates’ it. The rest is a matter of technique: the bot connects the user’s device back to the attacker’s C&C via Telegram.
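Because the bot lives in the RAT’s configuration and the C&C traffic rides on Telegram, two defensive checks follow naturally: hunt for bot-token-shaped strings in dropped files, and flag outbound Bot API calls from processes that have no business making them. The script below is an added example, not code from the article or from Check Point; it assumes the publicly documented Bot API layout (api.telegram.org, paths of the form /bot<token>/<method>, tokens shaped like “<numeric id>:<35 characters>”), and all tokens, process names and log lines in it are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the article): Bot API host/path layout and token shape.
TELEGRAM_API_HOST = "api.telegram.org"
BOT_TOKEN_RE = re.compile(r"\d{6,12}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")


def find_bot_tokens(data: bytes) -> list[str]:
    """Token-shaped strings in a dropped file or RAT config (ASCII and UTF-16LE)."""
    found = set(BOT_TOKEN_RE.findall(data.decode("latin-1")))
    found.update(BOT_TOKEN_RE.findall(data.decode("utf-16-le", errors="ignore")))
    return sorted(found)


def bot_api_alerts(log_lines, expected_clients=()):
    """Proxy-log lines where a non-allow-listed process calls the Bot API.

    Constructed log format: '<timestamp> <host> <process> <method> <url>'.
    """
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the sweep
        ts, host, process, _method, url = parts[:5]
        u = urlsplit(url)
        if u.hostname != TELEGRAM_API_HOST or not u.path.startswith("/bot"):
            continue
        if process in expected_clients:
            continue
        token = BOT_TOKEN_RE.search(u.path)
        alerts.append({"time": ts, "host": host, "process": process,
                       "method": u.path.rsplit("/", 1)[-1],
                       "token": token.group(0) if token else None})
    return alerts


# Constructed sample data (not real indicators).
SAMPLE_TOKEN = "1234567890:AAHqK3Tt9xLwZ0pVb8R_yJ2mNcE4fG7hQ1d"
SAMPLE_CONFIG = ("[c2]\r\ntoken=" + SAMPLE_TOKEN + "\r\n").encode("utf-16-le")
SAMPLE_LOG = [
    "2021-04-22T10:01:05Z WS-017 python.exe GET https://api.telegram.org/bot111111111:" + "A" * 35 + "/getMe",
    "2021-04-22T10:01:09Z WS-017 rat.exe GET https://api.telegram.org/bot" + SAMPLE_TOKEN + "/getUpdates?offset=0",
    "2021-04-22T10:01:11Z WS-017 chrome.exe GET https://example.com/",
]

if __name__ == "__main__":
    print(find_bot_tokens(SAMPLE_CONFIG))
    for alert in bot_api_alerts(SAMPLE_LOG, expected_clients=("python.exe",)):
        print(alert)
```

The UTF-16 pass matters on Windows, where configuration strings are often stored wide and a plain ASCII grep would miss them.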