Researchers at Checkpoint have been following malware trends on the messaging application Telegram. Due to a host of issues with competitor applications, Telegram has seen a surge in users. As Checkpoint notes in a new research post, this also applies to various threat actors. The post describes a new remote access Trojan (RAT) called ToxicEye that uses Telegram as its command channel. The Trojan is delivered through phishing emails that carry ToxicEye as an executable attachment; once the attachment is opened, it quickly infects the target device. Checkpoint states that ToxicEye can engage in “stealing data, deleting or transferring files, killing processes on the PC, hijacking the PC’s microphone and camera to record audio and video (and) encrypting files for ransom purposes.”
What makes Telegram attractive to operators of remote access Trojans like ToxicEye, according to Checkpoint researchers, is that it is an easy target: it has more than 500 million users, is not blocked by antivirus programs by default, requires only a phone number to register (allowing criminals to use spoofed accounts and remain anonymous), and is easily accessible globally.
Checkpoint states that the increase in remote access Trojan attacks on Telegram began in 2017. In their conclusion, they predict that this will only get worse for the following reasons:
The developers who publish these tools disguise their true purpose by defining them as “Remote Administration Tool” or “for educational purpose only,” although some of their characteristics are often found in malicious Trojans.
Given that Telegram can be used to distribute malicious files or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.
The only tried and true defense against getting infected by remote access Trojans like ToxicEye is common sense. You can have the most advanced malware protection software, and as important as that may be, if you choose to open emails and download .EXE attachments… expect the worst.