The Telegram app has recently been found to be subject to escalating malware abuse, with malicious actors exploiting the platform to dupe victims using the ToxicEye malware.

Telegram prey to ToxicEye:

In recent research by security researchers at Check Point, it was found that even when the Telegram application is not installed or not in active use on a system, threat actors can still use the platform to send malicious instructions to that system of their own accord.

These instructions can then carry out malicious operations, abusing the instant messaging platform to command infected machines remotely.

In the same research into the exploitation of the Telegram app, it was found that more than 130 such cyber-attacks making use of the ToxicEye malware have been deployed so far.

ToxicEye is a relatively new multi-functional RAT (remote access trojan) that actively abuses the platform.

In the latest campaign, the ToxicEye trojan is being spread through malicious emails carrying a Windows executable file that deploys the malware on victims' machines.

ToxicEye uses Telegram to communicate with its command-and-control (C2) server and to upload data to it. The malware also offers a range of capabilities that allow it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for ransom.


This is not the first time that Telegram has been reported as a channel used by malicious actors for their operations.

Back in September 2019, an information stealer dubbed Masad Stealer was found to be exfiltrating data, including cryptocurrency wallet data, from infected computers using Telegram.

In 2020, Magecart groups used similar methods to send payment data stolen from compromised websites back to the attackers.

Drawbacks of its own features:

Experts are of the opinion that such wide-scale exploitation of Telegram can be partly traced to the application's own functionality.

For instance, Telegram allows malicious actors to remain anonymous, since signing up for the app requires only a mobile number, and it lets them control compromised devices from any location.

“We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations,” Check Point R&D Group Manager Idan Sharabi said. “We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyberattacks, which can bypass security restrictions.”
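As an added defender-side example (not code from the article or from Check Point), the following Python flags the pattern the C2 description above and the closing quote point at: Telegram Bot API calls coming from hosts with no Telegram client installed, or Bot API methods that fit a command-polling and data-upload loop. The log format, hostnames, process names and bot tokens are constructed for the example; api.telegram.org and the method names are the public Bot API, not values the article states.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article); fields: host, process, destination URL.
SAMPLE_LOG = """\
host=WS-01 proc=chrome.exe dst=https://web.telegram.org/
host=WS-02 proc=rat.exe dst=https://api.telegram.org/bot123456:ABCDEFexample/getUpdates
host=WS-02 proc=rat.exe dst=https://api.telegram.org/bot123456:ABCDEFexample/sendDocument
host=WS-03 proc=Telegram.exe dst=https://api.telegram.org/bot987654:XYZexample/sendMessage
host=WS-04 proc=updater.exe dst=https://example.com/update.json
"""

# Constructed software inventory: hosts on which a Telegram client is actually installed.
TELEGRAM_INSTALLED = {"WS-01", "WS-03"}

LINE_RE = re.compile(r"host=(\S+) proc=(\S+) dst=(\S+)")
# Public Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(\d+):([^/]+)/(\w+)")
# Bot API methods a C2 channel needs: polling for operator commands and uploading files.
C2_METHODS = {"getUpdates", "sendDocument"}

def find_telegram_c2(log, installed):
    # Per-host record of processes, Bot API methods and (redacted) bot tokens observed.
    per_host = defaultdict(lambda: {"procs": set(), "methods": set(), "tokens": set()})
    for m in LINE_RE.finditer(log):
        host, proc, dst = m.groups()
        api = BOT_API_RE.match(dst)
        if not api:
            continue  # ordinary Telegram web/client traffic or unrelated destination
        bot_id, secret, method = api.groups()
        rec = per_host[host]
        rec["procs"].add(proc)
        rec["methods"].add(method)
        rec["tokens"].add(f"{bot_id}:{secret[:2]}...")  # never write the full token to a report
    findings = {}
    for host, rec in per_host.items():
        reasons = []
        if host not in installed:
            reasons.append("Bot API traffic from a host with no Telegram client installed")
        c2_hits = rec["methods"] & C2_METHODS
        if c2_hits:
            reasons.append("C2-style Bot API methods: " + ", ".join(sorted(c2_hits)))
        if reasons:
            findings[host] = {"procs": sorted(rec["procs"]), "tokens": sorted(rec["tokens"]), "reasons": reasons}
    return findings

if __name__ == "__main__":
    for host, finding in find_telegram_c2(SAMPLE_LOG, TELEGRAM_INSTALLED).items():
        print(host, finding)
```

On the sample, only WS-02 is reported: it has no Telegram client yet polls getUpdates and uploads via sendDocument, while WS-03's single sendMessage from a host with Telegram installed is left alone.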