Check Point Research points to growing use of Telegram app for remote control of new malware
- Published: Tuesday, 27 April 2021 08:20
Check Point Research (CPR) is warning of a growing cyber threat in which hackers use Telegram, the instant messaging app with over 500 million active users, as a command and control system to distribute malware to organizations. Even when Telegram is not installed or being used on target machines, hackers can send malicious commands and operations remotely via the instant messaging app using a Telegram ‘bot’ embedded in the malware. Recipients of the malware are subjected to:
- File system control (files and processes can be deleted/stopped)
- Data leaks (data can be copied from the PC clipboard, or audio and video recorded via the PC’s microphone and camera)
- File encryption (ransomware installation).
The warning from CPR comes after it tracked over 130 cyber attacks within the past three months that used a remote access trojan (RAT) dubbed ‘ToxicEye’. A RAT is a type of malware that provides the attacker with full remote control over a PC. ToxicEye is managed by attackers over Telegram, communicating with the attacker’s server and exfiltrating data to it.
ToxicEye is initially spread via phishing emails containing a malicious .exe file. After a recipient opens the attachment, ToxicEye installs itself onto the victim’s PC, performing a range of exploits without the victim's knowledge.
ToxicEye infection chain
CPR has outlined the infection chain of the attack:
- The attacker first creates a Telegram account and a dedicated Telegram bot. A bot is a special remote account that users can interact with through Telegram chat, by adding it to Telegram groups, or by sending requests directly from the input field by typing the bot's Telegram username and a query.
- The bot token is bundled with the chosen malware.
- The malware is spread via email spam campaigns as an attachment. One file name CPR found was 'paypal checker by saint.exe'.
- The victim opens the malicious attachment which connects to Telegram. Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram.
- The attacker gains full control over the victim's PC and can run a range of malicious activities.
Cyber criminals are turning to Telegram as an integral part of their attacks because of a number of operational benefits, such as:
- Telegram goes unblocked. It is a legitimate, easy-to-use and stable service that isn't blocked by enterprise anti-virus engines, nor by network management tools.
- Retains anonymity. Attackers can remain anonymous as the registration process requires only a mobile number, which is easily procured.
- Easy exfiltration. The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines.
- From any location. Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.
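Because the bot token is bundled with the malware and Telegram need not be installed on the victim's PC, the infection chain above leaves a network trace defenders can hunt for: an endpoint process calling the Telegram Bot API (`https://api.telegram.org/bot<token>/<method>`) on a host where Telegram is not expected. The Python below is an added example, not code from CPR or the original article; the log columns, sample rows, file names and the `APPROVED_HOSTS` inventory are constructed assumptions.

```python
import csv
import io
import re
from ntpath import basename  # parses Windows-style paths on any OS

FAKE_TOKEN = "1234567890:" + "A" * 35  # constructed placeholder, not a real bot token
# Constructed proxy/EDR telemetry; URL paths are only present where TLS is inspected.
SAMPLE_LOG = f"""host,image,dest_host,path
ws-014,C:\\Users\\amy\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,telegram.org,/
ws-022,C:\\Users\\bob\\Downloads\\invoice_viewer.exe,api.telegram.org,/bot{FAKE_TOKEN}/getUpdates
ws-022,C:\\Users\\bob\\Downloads\\invoice_viewer.exe,api.telegram.org,/bot{FAKE_TOKEN}/sendDocument
ws-031,C:\\Windows\\System32\\svchost.exe,update.example.com,/check
ws-040,C:\\ProgramData\\helper.exe,api.telegram.org,
"""

TELEGRAM_HOSTS = re.compile(r"(^|\.)(telegram\.org|t\.me)$", re.I)
# Bot API path shape: /bot<numeric bot id>:<long URL-safe secret>/<method>
BOT_API_PATH = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]{30,}/(\w+)")
APPROVED_HOSTS = {"ws-014"}  # assumption: hosts where Telegram is an approved install


def find_telegram_c2(log_text, approved_hosts=APPROVED_HOSTS):
    """Return one finding per (host, process) that talks to Telegram unexpectedly."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if not TELEGRAM_HOSTS.search(row["dest_host"]):
            continue
        bot = BOT_API_PATH.match(row["path"] or "")
        if row["host"] in approved_hosts and not bot:
            continue  # ordinary client traffic on a host where Telegram is expected
        key = (row["host"], basename(row["image"]).lower())
        finding = findings.setdefault(
            key, {"severity": "medium", "bot_id": None, "methods": set()})
        if bot:
            # Bot API call from an endpoint process: keep bot id and method,
            # never store the secret half of the token in alert output.
            finding["severity"] = "high"
            finding["bot_id"] = bot.group(1)
            finding["methods"].add(bot.group(2))
    return findings


if __name__ == "__main__":
    for (host, image), f in sorted(find_telegram_c2(SAMPLE_LOG).items()):
        print(host, image, f["severity"], f["bot_id"], sorted(f["methods"]))
```

Where TLS is not inspected, only the medium-severity branch (Telegram destination from a host outside the inventory) can fire, so the host inventory needs to be kept current.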