The popularity of the Telegram messaging platform has grown a lot in recent years, with massive migration in WhatsApp users jumping ship following amendments to that service’s privacy and data management policies.

In particular Telegram has been widely used by hackers to conduct malware campaigns. Recently, a campaign has been discovered that shares a new malware strain called ToxicEye. ToxicEye malware is a Remote Access Trojan (RAT) that gives hackers complete management of an infected device. The malware is used to exfiltrate sensitive data and download other malware strains.

The malware takes advantage of the command and control server communications of Telegram accounts. Using the hacker’s Telegram account, an infected can be managed using ToxicEye to steal data and share more malicious payloads.

Telegram is a popular messaging service with over 63 million downloads and has approximately 500 million active users globally. IN particular there has been massive growth since the beginning of the COVID 19 pandemic with the app being implemented by many businesses who have been using it to allow their remote workers to communicate and collaborate. The app supports secure, private messaging and most companies allow Telegram to be implemented and do not block or audit communications.

Creating a Telegram account is simple and hackers can hide their identity. All that is needed to create an account is a mobile phone number, and the communication infrastructure permits hackers to easily steal data and send files to malware-infected devices unnoticed.

Telegram is also being implemented for sharing malware. Hackers can set up an account, use a Telegram bot to interact with other users and send files, and it is also possible to share files to non-Telegram users via phishing emails with malicious attachments. It is phishing emails that are being used to share ToxicEye malware. Emails are issued with a .exe file attachment, with one campaign using a file titled  “paypal checker by saint.exe” to download the malware.

If the attachment is opened and initiated, a connection will be made to Telegram which allows malware to be downloaded by the hacker’s Telegram bot. The attackers can carry out a variety of malicious activities once the malware is in place, with the main goals of the cybercriminals being gathering information about the infected device, locating and exfiltrating passwords, and exfiltrating cookies and browser histories.

ToxicEye malware can disable active processes and take management of Task Manager, capture audio and video, remove clipboard contents, and launch other malware strains – including keyloggers and ransomware.

TitanHQ has two solutions available that can safeguard your network and devices from ToxicEye and other Telegram-based phishing and malware campaigns. SpamTitan is a strong email security solution that will prevent malicious emails sharing the executable files that download the ToxicEye RAT and other malware. For even more security, SpamTitan should be connected to WebTitan web security. WebTitan is a DNS-based web filtering service that can be set up to prevent access to Telegram if it is not in use and review traffic in real time to discover possibly dangerous message.

To find out more about these solutions, how much it costs, and to register for a free trial, get in touch with TitanHQ now.