Like any application, Telegram is not immune to cyber-attacks and other exploits targeting its users. An unidentified hacker group is using Telegram to spread a new Remote Access Trojan (RAT), dubbed "ToxicEye", to take control of victims' devices.
According to a blog post by Omer Hofman, a security researcher at Check Point Research, the company has identified more than 130 attacks using the ToxicEye remote access Trojan over the past three months.
Telegram, which has recently gained popularity as an alternative to WhatsApp, currently has over 500 million monthly active users. It has also proved popular with cybercriminals, who often use it as a starting point for distributing malicious tools and as part of their attack infrastructure.
In this case, the attack chain starts with the attacker creating a Telegram account and a Telegram bot; the bot is an integral part of the malware's command-and-control infrastructure.
ToxicEye is then distributed through phishing emails carrying a malicious attachment. The moment a user opens the infected file, the malware is installed, allowing the attackers to steal data, delete or transfer files, disrupt the system, hijack the device's microphone or camera to record audio or video, and encrypt files in order to demand a ransom.
ToxicEye exhibits a number of capabilities common among modern malware: scanning for and stealing credentials, operating system data, browser history, clipboard contents and cookies. It can also act as a keylogger, and it can take over audio and video devices connected to the system to intercept voice communications or record video.
To check whether ToxicEye is present on a system, the most significant indicator of compromise is the presence of the file rat.exe at "C:\Users\ToxicEye\". Note that a file path is a weak indicator which the operators can change in later builds, so its absence is not proof that a machine is clean. Beyond that, the usual precautions apply: always check the sender of an email and do not open attachments of dubious origin.
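The following PowerShell script is an added triage example, not code from the article or from Check Point Research. It checks the file-path indicator quoted above, looks for a running rat.exe regardless of where it was launched from, and, because the malware is controlled through a Telegram bot, flags established connections to api.telegram.org from any process other than the Telegram desktop client. The api.telegram.org hostname and the process name "Telegram" for the legitimate client are assumptions of this example; the article names neither.

```powershell
# Added triage script for the ToxicEye indicators described above.
# Not Check Point's code. Run in an elevated PowerShell session.
# Assumptions (not stated in the article): the Telegram bot C2 is reached
# via api.telegram.org, and the legitimate desktop client runs as "Telegram".

$iocPath  = 'C:\Users\ToxicEye\rat.exe'   # path quoted in the article
$findings = @()

# 1. The published file-path indicator; hash it for sharing if present.
if (Test-Path -LiteralPath $iocPath) {
    $hash = (Get-FileHash -LiteralPath $iocPath -Algorithm SHA256).Hash
    $findings += "File present: $iocPath (SHA256 $hash)"
}

# 2. A running process named rat.exe from any location.
Get-Process -Name 'rat' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: PID $($_.Id) path $($_.Path)"
}

# 3. Outbound connections to the Telegram bot API (assumed C2 endpoint)
#    owned by a process that is not the Telegram client.
$telegramIps = @()
try {
    $telegramIps = Resolve-DnsName -Name 'api.telegram.org' -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
} catch {
    Write-Verbose "DNS lookup for api.telegram.org failed; skipping network check"
}

if ($telegramIps) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $telegramIps -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and $proc.ProcessName -ne 'Telegram') {
                $findings += "Telegram API connection from $($proc.ProcessName) (PID $($proc.Id)) to $($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

if ($findings.Count -gt 0) {
    Write-Warning "Possible ToxicEye indicators found on $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No ToxicEye indicators found on $env:COMPUTERNAME"
}
```

The network check is the part worth keeping even after the file path stops being useful: a non-messaging process holding a connection to the Telegram API is unusual on most corporate hosts and is the behaviour that makes Telegram attractive as command-and-control, since the traffic blends in with legitimate HTTPS.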