Hackers use Telegram bots to distribute dangerous Remote Access Trojan

Cybersecurity specialists report that a hacking group is abusing functions on Telegram messaging app to embed malicious code within a Remote Access Trojan (RAT) identified as ToxicEye. According to the report, ToxicEye infected devices can be controlled via Telegram accounts operated by hackers.

Experts mention that this Trojan may take control of file systems, install encryption malware and extract sensitive information from victims’ computers. Check Point experts claim to have tracked at least 130 ToxicEye related attack attempts over the past 3 months; these attacks used the messaging platform to communicate with their own C&C server and extract sensitive data.

Idan Sharabi, a member of the Check Point team in charge of this investigation, believes that threat actors chose Telegram for this malicious campaign because of the platform’s growing popularity, which already has around 500 million active users worldwide: “We believe hackers are taking advantage of the fact that Telegram is employed in a virtually widespread way, making it easier to bypass major security restrictions.”

On the increase in Telegram’s popularity, experts point out that this is mainly due to controversial changes in WhatsApp policies, which generated great concern among the millions of users of this service, who tried to find on Telegram a platform friendly to their privacy. Coronavirus pandemic could also have contributed to the increase of Telegram usage.  

Since implementing these changes, experts claim to have found dozens of malware samples for Telegram users ready to compromise millions of mobile devices.

On the Trojan, experts point out that an attack begins when hackers create accounts on the platform, as well as a bot that allows you to automatically interact with other users. Subsequently the threat actors group the bot token with the Trojan or any other malware variant of their choice, spreading the infection via spam campaigns and phishing emails. 

Once the target user opens the malicious attachment, their device connects to Telegram and is completely exposed to remote attacks using the hackers’ bot. If this scenario is successfully completed the hackers can perform all kinds of subsequent attacks. This is an active risk, although fortunately its identification is very easy. According to the experts, simply identify a file named rat.exe in the location C:\Users\ToxicEye\rat[.]exe to determine if your system has been infected.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.