Check Point Research points to growing use of Telegram app for remote control of new malware

Published: Tuesday, 27 April 2021 08:20

Check Point Research (CPR) is warning of a growing cyber threat in which hackers use Telegram, the instant messaging app with over 500 million active users, as a command and control system to distribute malware to organizations. Even when Telegram is not installed or being used on target machines, hackers can send malicious commands and operations remotely via the instant messaging app using a Telegram ‘bot’ embedded in the malware. Recipients of the malware are subjected to:

The warning from CPR comes after it tracked over 130 cyber attacks within the past three months that used a remote access trojan (RAT) dubbed ‘ToxicEye’. A RAT is a type of malware that provides the attacker with full remote control over a PC. ToxicEye is managed by attackers over Telegram, communicating with the attacker’s server and exfiltrating data to it.

ToxicEye is initially spread via phishing emails containing a malicious .exe file. After a recipient opens the attachment, ToxicEye installs itself onto the victim’s PC, performing a range of exploits without the victim's knowledge.
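As an added defender-side example (not code from CPR or the article), the following Python flags hosts whose proxy traffic shows repeated polling of the Telegram Bot API, the channel a bot embedded in malware uses, and notes whether a Telegram client is even installed there. The log lines, hostnames and inventory are constructed; the api.telegram.org host and the /bot<token>/<method> path are the public Bot API convention and are assumed, not stated on the page.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log: "<epoch> <src_host> <dst_host> <url_path>".
SAMPLE_LOG = """\
1619500000 ws-finance-07 api.telegram.org /bot123456789:EXAMPLETOKEN/getUpdates
1619500030 ws-finance-07 api.telegram.org /bot123456789:EXAMPLETOKEN/getUpdates
1619500031 ws-finance-07 api.telegram.org /bot123456789:EXAMPLETOKEN/sendDocument
1619500060 ws-finance-07 api.telegram.org /bot123456789:EXAMPLETOKEN/getUpdates
1619500010 ws-mktg-02 web.telegram.org /k/
1619500012 ws-hr-01 www.example.com /index.html
"""

# Constructed software inventory: hosts where a Telegram client is installed.
TELEGRAM_CLIENT_HOSTS = {"ws-mktg-02"}

# Bot API calls look like /bot<bot_id>:<token>/<method>; the official Telegram
# clients speak MTProto and never request this path, so it is not normal user traffic.
BOT_API_PATH = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

def parse_log(text):
    # Four whitespace-separated columns per line -> (epoch, src, dst, path)
    events = []
    for line in text.splitlines():
        ts, src, dst, path = line.split(maxsplit=3)
        events.append((int(ts), src, dst, path))
    return events

def find_bot_c2(events, client_hosts, min_polls=2):
    """One finding per host that polls getUpdates (the command-fetch loop) at least
    min_polls times; exfil-capable methods and client presence are recorded alongside."""
    per_host = defaultdict(lambda: {"bot_ids": set(), "polls": 0, "exfil": set()})
    for _, src, dst, path in events:
        if dst != "api.telegram.org" or not (m := BOT_API_PATH.match(path)):
            continue
        bot_id, method = m.groups()
        per_host[src]["bot_ids"].add(bot_id)
        if method == "getUpdates":
            per_host[src]["polls"] += 1
        elif method in EXFIL_METHODS:
            per_host[src]["exfil"].add(method)
    findings = []
    for host, rec in sorted(per_host.items()):
        if rec["polls"] >= min_polls:
            findings.append({"host": host, "bot_ids": sorted(rec["bot_ids"]), "polls": rec["polls"],
                             "exfil": sorted(rec["exfil"]), "telegram_client_installed": host in client_hosts})
    return findings
```

Only ws-finance-07 is reported: it polls for commands three times and uploads a document, with no Telegram client in inventory, matching the pattern the article describes.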

ToxicEye infection chain

CPR has outlined the infection chain of the attack:

Cyber criminals are turning to Telegram as an integral part of their attacks because of a number of operational benefits, such as:
