ToxicEye Malware Description
Infosec researchers discovered a new attack campaign that is spreading the ToxicEye malware. This RAT (Remote Access Trojan) is capable of performing numerous harmful functions on compromised systems, depending on the goals of the threat actor. To control the threat and exfiltrate sensitive information from their victims, the hackers behind the ToxicEye malware leverage the client of the popular Telegram messaging application.
ToxicEye Carries Embedded Telegram Code
Telegram was likely chosen for two reasons: its recent growth in user base, to over 500 million active users worldwide, and the fact that its client is allowed in almost all organizations. One of the contributing factors to the surge in Telegram's popularity was WhatsApp's new privacy and data management policies, which pushed many users to look for alternative messaging platforms. Many landed on Telegram because privacy and security are two of its core selling points.
The initial compromise vector of the attack is a spam campaign with emails carrying malicious file attachments. The malware is presented under different disguises, such as 'paypal checker by saint.exe'. When the victim executes the file, it launches the RAT, which uses its embedded Telegram code to connect to the Command-and-Control (C2, C&C) servers of the campaign.
The ToxicEye Malware Functionality
In the span of three months, infosec analysts detected over 130 attacks that deployed ToxicEye and used Telegram to control the behavior of the threat. The hackers established a Telegram bot, a remote account that allows the threat actors to engage with other users in multiple different ways, including adding people to groups, starting chats, and sending requests from the input field by entering a query and the bot's username.
Across the different attacks, ToxicEye was instructed to perform a vast set of nefarious activities. The threat was observed to act as a data collector that harvests passwords, system information, browser history, and cookies, while also installing a keylogger and recording arbitrary audio and video. The hackers can manipulate the file system and upload selected files to their server, kill specific processes, or control the infected system's task manager. In addition, ToxicEye acted as ransomware that encrypts files and renders them unusable.
The experts who analyzed the ToxicEye malware threat advise users and organizations to keep an eye out for the presence of a file called 'rat.exe' located at 'C:\Users\ToxicEye\rat[.]exe'. Another indication of compromise is abnormal traffic between computers and Telegram accounts, especially if the monitored systems are not supposed to have Telegram installed on them.
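As an added illustration of these two checks (example code written for this article, not from the researchers who analyzed ToxicEye), the Python script below tests a host for the reported file path and scans a constructed proxy log for Telegram traffic from machines that are not on an allow list of hosts expected to use Telegram. The log format, the workstation names and the bot token are constructed assumptions; only the file path comes from the article, and the api.telegram.org Bot API URL shape (/bot<token>/<method>) is Telegram's documented endpoint.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# The only indicator taken from the article: the reported dropper location.
TOXICEYE_PATH = r"C:\Users\ToxicEye\rat.exe"

# Telegram domains to flag (any subdomain matches). api.telegram.org is the
# documented Bot API host, which is what a bot-controlled RAT has to talk to.
TELEGRAM_HOSTS = ("telegram.org", "t.me")

# Constructed sample proxy log (assumed format: "<ts> <src_host> <method> <url> <status>").
# The host names and the bot token are placeholders, not real indicators.
SAMPLE_LOG = """\
2021-04-22T09:15:01Z ws-finance-07 GET https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/getUpdates 200
2021-04-22T09:15:03Z ws-finance-07 POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendDocument 200
2021-04-22T09:16:10Z ws-marketing-02 GET https://web.telegram.org/ 200
2021-04-22T09:17:44Z ws-finance-07 GET https://update.example.test/check 304
2021-04-22T09:18:00Z ws-dev-11 GET https://t.me/somechannel 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
# Bot API calls look like /bot<token>/<method>; capturing the method name tells an
# analyst whether the host is polling for commands (getUpdates) or pushing data
# out (sendDocument) without needing the token itself.
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/(?P<call>\w+)")


@dataclass
class Finding:
    src: str
    url: str
    reason: str


def is_telegram_host(hostname: str) -> bool:
    """True for a Telegram domain or any of its subdomains."""
    return any(hostname == h or hostname.endswith("." + h) for h in TELEGRAM_HOSTS)


def check_ioc_path(path: str = TOXICEYE_PATH) -> bool:
    """Return True if the reported ToxicEye file path exists on this host."""
    return os.path.exists(path)


def scan_proxy_log(text: str, allowed_hosts: set) -> list:
    """Flag Telegram traffic from any source host not expected to run Telegram."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, url = m["src"], m["url"]
        if src in allowed_hosts or not is_telegram_host(urlparse(url).hostname or ""):
            continue
        bot = BOT_API_RE.match(url)
        if bot:
            reason = f"Telegram Bot API call '{bot['call']}' from unexpected host"
        else:
            reason = "Telegram traffic from unexpected host"
        findings.append(Finding(src, url, reason))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per source host so the noisiest machine is triaged first."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    print("IoC path present:", check_ioc_path())
    for f in scan_proxy_log(SAMPLE_LOG, allowed_hosts={"ws-marketing-02"}):
        print(f"{f.src}: {f.reason} ({f.url})")
```

Run against real proxy or firewall exports, the allow list should be the set of machines where Telegram is sanctioned; a workstation that repeatedly calls getUpdates on the Bot API is behaving like an automated client rather than a person chatting, which is the pattern worth escalating.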