Check Point: ToxicEye is a new malware which exploits Telegram for command and control. It is managed over the platform, communicating with the attacker’s C&C server and exfiltrating data to it

ToxicEye is a new malware which exploits Telegram for command and control. It has been discovered by Check Point cybersecurity experts. The RAT in the last three months was used in over 130 attacks. It is spread via phishing emails containing a malicious .exe file.  If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of exploits without the victim’s knowledge, including:

• stealing data;
• deleting or transferring files;
• killing processes on the PC;
• hijacking the PC’s microphone and camera to record audio and video;
• encrypting files for ransom purposes

The malware is managed by cybercrime actors over Telegram, communicating with the attacker’s C&C server and exfiltrating data to it.

The cybersecurity experts: How the RAT infection chain works

According to the cybersecurity experts, the attacker first creates a Telegram account and a Telegram ‘bot’. This one is embedded into the ToxicEye RAT configuration file and compiled into an executable file. Any victim infected with the malware can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram. In addition, it can be downloaded and run by opening a malicious document seen in the phishing emails called solution.doc and by pressing on “enable content.”