Malware That Chats on Telegram

Telegram was the most downloaded app, with over 63 million installations in January of 2021, according to Sensor Tower. Telegram chats aren’t end-to-end encrypted like Signal chats, and now, Telegram has another problem: malware.

Software company Check Point recently discovered that bad actors are using Telegram as a communication channel for a malware program called ToxicEye. It turns out that some of Telegram’s features can be used by attackers to communicate with their malware more easily than through web-based tools. Now, they can mess with infected computers via a convenient Telegram chatbot.

What Is ToxicEye, and How Does It Work?

ToxicEye is a remote access trojan (RAT) that can:

- Steal data from the host computer.
- Delete or transfer files.
- Kill processes running on the infected computer.
- Hijack the computer’s microphone and camera to record audio and video without the user’s consent or knowledge.
- Encrypt files to extort a ransom from users.

The ToxicEye RAT is spread via a phishing scheme where a target is sent an email with an embedded EXE file. If the targeted user opens the file, the program installs the malware on their device.

RATs are similar to the remote access programs that, say, someone in tech support might use to take command of your computer and fix a problem. But these programs sneak in without permission. They can mimic or be hidden with legitimate files, often disguised as a document or embedded in a larger file like a video game.

How Attackers Are Using Telegram to Control Malware

Since at least 2017, attackers have been using Telegram to control malicious software from a distance. One notable example is the Masad Stealer program, which emptied victims’ crypto wallets that year.

Check Point researcher Omer Hofman says that the company has found 130 ToxicEye attacks using this method from February to April of 2021, and there are a few things that make Telegram useful to bad actors who spread malware.

For one thing, Telegram isn’t blocked by firewalls or network management tools. It’s also an easy-to-use app that many people recognize as legitimate, so they let their guard down around it.

The Infection Chain

Here’s how the ToxicEye infection chain works:

1. The attacker first creates a Telegram account and then a Telegram “bot,” which can carry out actions remotely through the app.
2. That bot token is inserted into malicious source code.
3. That malicious code is sent out as email spam, often disguised as something legitimate that the user might click on.
4. The attachment gets opened, installs on the host computer, and sends information back to the attacker’s command center via the Telegram bot.

Because this RAT is sent out via spam email, you don’t even have to be a Telegram user to get infected.

Staying Safe

If you think that you might have downloaded ToxicEye, Check Point advises users to check for the following file on your PC: C:\Users\ToxicEye\rat.exe

If you find it on a work computer, erase the file from your system and contact your help desk immediately. If it’s on a personal device, erase the file and run an antivirus software scan right away.
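The two things a defender can look for from the chain above are the malware's traffic to the Telegram Bot API (every call goes to api.telegram.org/bot<token>/<method>, and a workstation normally has no reason to make them) and the indicator file Check Point names. The example below is added here and is not Check Point's or Telegram's code; the proxy log lines and the bot token in them are constructed, and the log format (timestamp, client IP, method, URL) is an assumption.

```python
import re
from pathlib import Path

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>,
# where <token> is "<bot id>:<secret>". The bot's owner is the only party that
# normally calls this endpoint, so an ordinary workstation doing so is worth a look.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Indicator file reported by Check Point (from the article), relative to C:\Users.
IOC_RELATIVE = Path("ToxicEye") / "rat.exe"

# Constructed sample proxy log: "<timestamp> <client ip> <method> <url>" (assumed format).
SAMPLE_LOG = """\
2021-04-20T09:01:12Z 10.0.0.15 GET https://www.example.com/index.html
2021-04-20T09:01:13Z 10.0.0.23 POST https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN/sendDocument
2021-04-20T09:01:15Z 10.0.0.23 GET https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN/getUpdates
2021-04-20T09:02:01Z 10.0.0.15 GET https://cdn.example.com/app.js
"""


def find_bot_api_clients(log_text):
    """Return {client_ip: {bot_id: [methods called]}} for hosts talking to the Bot API."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        match = BOT_API_RE.search(parts[3])
        if match:
            bot_id, _secret, method = match.groups()
            # Record the bot id (enough to pivot on) but never the secret half of the token.
            hits.setdefault(parts[1], {}).setdefault(bot_id, []).append(method)
    return hits


def find_ioc_file(users_dir):
    """Return the indicator path if it exists under users_dir (e.g. C:\\Users), else None."""
    candidate = Path(users_dir) / IOC_RELATIVE
    return candidate if candidate.is_file() else None


if __name__ == "__main__":
    for ip, bots in find_bot_api_clients(SAMPLE_LOG).items():
        for bot_id, methods in bots.items():
            print(f"{ip} contacted Telegram bot {bot_id}: {', '.join(methods)}")
    found = find_ioc_file(r"C:\Users")
    print(f"ToxicEye indicator present: {found}" if found else "indicator file not found")
```

A hit on the Bot API from a host that has no business running a Telegram bot is the signal to isolate that machine and check it for the file, not proof of infection on its own.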

At the time of writing, as of late April 2021, these attacks have only been discovered on Windows PCs. If you don’t already have a good antivirus program installed, now’s the time to get it.

Other tried-and-true advice for good “digital hygiene” also applies, like:

- Don’t open email attachments that look suspicious and/or are from unfamiliar senders.
- Be careful of attachments that contain usernames; malicious emails will often include your username in the subject line or an attachment name.
- If the email is trying to sound urgent, threatening, or authoritative and pressures you to click on a link/attachment or give sensitive information, it’s probably malicious.
- Use anti-phishing software if you can.

The Masad Stealer code was made available on GitHub following the 2017 attacks. Check Point says that this has led to the development of a host of other malicious programs, including ToxicEye:

Companies that use the software would do well to consider switching to something else or blocking it on their networks until Telegram implements a solution to block this distribution channel.

In the meantime, individual users should keep their eyes peeled, be aware of the risks, and check their systems regularly to root out threats—and maybe consider switching to Signal instead.