ToxicEye Malware Hides in Fake Hacking Tools Promoted via Telegram
ToxicEye is a newly identified malware strain that can take over compromised computers and gives attackers the feature set typical of Remote Access Trojans (RATs). Instead of using a typical HTTP connection to receive commands and exfiltrate data, the ToxicEye Malware is controlled through a specially crafted Telegram bot to which only the malware's operators have access. They use the Telegram account to send commands, as well as to receive the output produced by commands executed on infected machines.
The campaigns spreading the ToxicEye Malware have been active for over a month, and the criminals appear to focus on disguising the payload as a fake hacking tool. This is not an uncommon strategy – cybercriminals often target 'novice hackers' by offering them free hacking tools. The software used to hide the ToxicEye Malware may pose as a tool for cracking PayPal accounts or Bitcoin wallets – software that does not actually exist. Victims of the ToxicEye Malware may receive the download link via Telegram or a fake email message.
The primary features of the ToxicEye Malware allow its operator to:
- Steal data from Web browsers – cookies, history, autofill data, passwords, and more.
- Execute remote commands.
- Manage running processes.
- View, read, and steal files.
- Record video/audio if a camera or microphone is available.
- Deploy additional malware.
Users should protect their systems from the ToxicEye Malware and similar threats by using an up-to-date antivirus software suite, and by being extra careful when interacting with unknown websites and files. Never download random files brought to your attention by an anonymous user.
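Beyond endpoint antivirus, the Telegram-bot command channel described above leaves a network-side trace a defender can look for. The following Python script is an added illustration, not code from the original article and not tied to any actual ToxicEye sample: it scans egress-proxy log lines for requests to the Telegram Bot API (which is served from api.telegram.org under paths of the form /bot<token>/<method>), ignores processes approved to run bots, and scores each remaining host/process pair on whether it both polls getUpdates (the way a bot-driven RAT fetches commands) and uploads data with methods such as sendDocument. The log field layout, host names, process names and the approved-process list are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample egress-proxy log lines (not real traffic). The
# "ts host= proc= dst= path=" layout is an assumption, not any product's format,
# and <TOKEN> stands in for a bot token that would appear in a real path.
SAMPLE_LOG = """\
2024-05-01T09:58:12Z host=WS-07 proc=Telegram.exe dst=149.154.167.50 path=/
2024-05-01T10:00:01Z host=WS-07 proc=paypal_cracker.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates
2024-05-01T10:00:31Z host=WS-07 proc=paypal_cracker.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates
2024-05-01T10:01:02Z host=WS-07 proc=paypal_cracker.exe dst=api.telegram.org path=/bot<TOKEN>/sendDocument
2024-05-01T10:02:15Z host=SRV-03 proc=python.exe dst=api.telegram.org path=/bot<TOKEN>/sendMessage
2024-05-01T10:03:40Z host=WS-12 proc=chrome.exe dst=web.telegram.org path=/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
# Bot API requests always look like /bot<token>/<method>
BOT_PATH_RE = re.compile(r"^/bot[^/]+/(?P<method>[A-Za-z]+)")

# Processes approved to drive Telegram bots, e.g. an alerting script (assumption).
APPROVED_BOT_PROCS = {"python.exe"}
# getUpdates is how a bot polls for new messages, i.e. how a RAT receives commands;
# the send* upload methods are how files, screenshots and recordings leave the host.
COMMAND_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_bot_api_abuse(log_text):
    """Group Bot API calls by (host, process) and flag unapproved callers.

    A pair that both polls for commands and uploads data is rated "high";
    any other unapproved Bot API use is rated "medium" for triage.
    """
    counts = defaultdict(lambda: {"commands": 0, "exfil": 0, "other": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["dst"] != "api.telegram.org":
            continue
        bm = BOT_PATH_RE.match(ev["path"])
        if not bm or ev["proc"] in APPROVED_BOT_PROCS:
            continue
        method = bm.group("method")
        bucket = counts[(ev["host"], ev["proc"])]
        if method in COMMAND_METHODS:
            bucket["commands"] += 1
        elif method in EXFIL_METHODS:
            bucket["exfil"] += 1
        else:
            bucket["other"] += 1

    findings = []
    for (host, proc), c in counts.items():
        severity = "high" if c["commands"] and c["exfil"] else "medium"
        findings.append({"host": host, "process": proc, "severity": severity, **c})
    return findings


if __name__ == "__main__":
    for f in find_bot_api_abuse(SAMPLE_LOG):
        print(f)
```

Two practical caveats: the request path is only visible where outbound TLS is inspected, so without inspection the check degrades to "unapproved process talking to api.telegram.org", which is still worth an alert on most fleets; and allowlisting by process name is weak, since malware can take any name, so a production version should key the approval list on signed binary path or hash instead.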