ToxicEye RAT Steals Info Through Telegram

A new remote access Trojan, or RAT for short, has been spotted in the wild. Researchers have tentatively named the new threat ToxicRat and have warned that it can steal victim's information through the Telegram application.

Check Point published a lengthy blog post on the new RAT. Their researchers stated that around 130 attacks executed using the new Trojan have been spotted in the wild over the course of the last three months.

Perhaps part of the reason why the bad actors operating the ToxicEye RAT have turned to abusing Telegram of all platforms is the recent surge in popularity that Telegram enjoyed. That uptick in users was largely driven by some of the changes that were introduced to the way WhatsApp shares information with its Facebook parent company.

ToxicEye abuses Telegram's platform and uses Telegram to provide command and control functionality for the malware. Check Point pointed out a few factors that make Telegram particularly appealing for bad actors, including the fact that an account only requires a mobile number, as well as the fact that the way Telegram communicates can allow hackers to exfiltrate information from their victims with relative ease. In an age where a burner phone costs next to nothing, this can be an issue.

The new RAT is spread using the usual method - malicious phishing emails that have an executable file attached. Once the victim opens the executable, the ToxicEye RAT deploys and can then perform a surprisingly versatile range of malicious tasks.

Those tasks include exfiltrating data, manipulating files, tampering with running processes on the victim system, recording audio and video in the presence of available hardware and even encrypting files.

Once a system has been infected with ToxicEye, the bad actors behind the malware can use a bot Telegram account to link any infected device to the command and control server.

Check Point also provided at least one known location for the malware's payload - C:\Users\ToxicEye\rat.exe.

Sadly, if that file is already there, chances are your system has been infected and you should take immediate steps to secure your information and possibly even format the affected device.

April 23, 2021

Leave a Reply