The Telegram messaging app has been one of the beneficiaries of the migration we’ve seen away from the biggest messaging platforms, like Facebook-owned WhatsApp, which recently rolled out some controversial changes and thus spurred an exodus of users. And anywhere there are lots of users of a digital product or service, you can rest assured that hackers will soon follow. Telegram is one of the latest examples of this reality: hackers have been using it to disseminate a remote access Trojan called ToxicEye, malware that lets a hacker-operated Telegram account control a victim’s computer.
According to researchers at Check Point Software Technologies, ToxicEye can install ransomware as well as steal data from a victim’s computer. “Over the past three months,” the researchers explain, “Check Point Research has seen over 130 attacks using a new multi-functional remote access Trojan dubbed ‘ToxicEye.’ ToxicEye is spread via phishing emails containing a malicious .exe file. If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of exploits without the victim’s knowledge.”
The ToxicEye Trojan is managed by attackers over Telegram, the Check Point team continues. As the researchers describe it, the attackers first create a Telegram account and a Telegram ‘bot,’ which the advisory defines as follows: “A Telegram bot account is a special remote account with which users can interact by Telegram chat or by adding them to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query.”
Among the capabilities demonstrated by this Trojan, it can:
- Locate and steal passwords, as well as computer information, browser history and cookies.
- Encrypt and decrypt a victim’s files, giving it ransomware capabilities.
- Control the file system, letting it delete and transfer files, kill PC processes and take over the PC’s task manager.
- Deploy a keylogger, or hijack the victim’s computer to record audio and video of the victim’s surroundings.
The advisory notes that people can protect themselves against these attacks by following common-sense best practices, such as not clicking suspicious links or opening attachments from unknown senders. Nevertheless, here’s why this kind of thing is likely to continue via the app: “Telegram was the most downloaded app worldwide for January 2021 with more than 63 million installs, and has surpassed 500 million monthly active users,” Check Point notes. “This popularity also extends to the cyber-criminal community. Malware authors are increasingly using Telegram as a ready-made command and control (C&C) system for their malicious products, because it offers several advantages compared to conventional web-based malware administration.”
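As an added, defender-side example (not from the article or from Check Point), the following Python flags workstation egress to Telegram that looks bot-driven, run over constructed proxy log lines. The key=value log format, the process allowlist and every sample value (hosts, process names, the placeholder token) are assumptions; the `/bot<token>/<method>` URL shape is the public Telegram Bot API convention.

```python
import re
from typing import Dict, List

# Constructed sample egress-proxy log lines (not from the article or Check Point),
# in an assumed key=value format that records the originating process per request.
SAMPLE_LOG = """\
2021-04-20T10:01:02Z host=WS-07 proc=chrome.exe dst=web.telegram.org path=/
2021-04-20T10:03:45Z host=WS-12 proc=wupdate.exe dst=api.telegram.org path=/bot1234567:CONSTRUCTED-SAMPLE-TOKEN/getUpdates
2021-04-20T10:03:50Z host=WS-12 proc=wupdate.exe dst=api.telegram.org path=/bot1234567:CONSTRUCTED-SAMPLE-TOKEN/sendDocument
2021-04-20T10:05:00Z host=WS-03 proc=outlook.exe dst=outlook.office365.com path=/owa/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
# Telegram Bot API requests have the shape /bot<token>/<method>, where the token is
# "<numeric bot id>:<secret>". Seeing that shape in a workstation's egress is unusual.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):[^/]+/(?P<method>\w+)")
# Assumed allowlist: processes that legitimately reach Telegram on a managed workstation.
ALLOWED_PROCS = {"Telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request to a telegram.org host that is either made by a
    process outside the allowlist or carries a Bot API path (likely bot-driven C&C)."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        rec = m.groupdict()
        dst = rec["dst"].lower()
        if dst != "telegram.org" and not dst.endswith(".telegram.org"):
            continue
        bot = BOT_PATH_RE.match(rec["path"])
        reasons = []
        if rec["proc"] not in ALLOWED_PROCS:
            reasons.append("non-allowlisted process contacting Telegram")
        if bot:
            reasons.append("Bot API call %s for bot id %s" % (bot["method"], bot["bot_id"]))
        if reasons:
            findings.append({"ts": rec["ts"], "host": rec["host"], "proc": rec["proc"],
                             "dst": dst, "method": bot["method"] if bot else "",
                             "bot_id": bot["bot_id"] if bot else "",
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ts"], f["host"], f["proc"], f["method"] or "-", f["reason"])
```

Grouping the findings by host and bot id over a longer window separates a one-off lookup from the steady getUpdates polling a bot-controlled implant produces.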