{"id":239996,"date":"2021-04-30T15:00:49","date_gmt":"2021-04-30T12:00:49","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-rat-malware-is-using-telegram-to-avoid-detection\/"},"modified":"2021-04-30T15:00:49","modified_gmt":"2021-04-30T12:00:49","slug":"how-rat-malware-is-using-telegram-to-avoid-detection","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-rat-malware-is-using-telegram-to-avoid-detection\/","title":{"rendered":"#How RAT Malware Is Using Telegram to Avoid Detection"},"content":{"rendered":"<div>\n<figure style=\"width: 1200px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage wp-image-725875 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/04\/telegram-hacker.jpg?width=1200&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"A shadowy figure on a laptop behind a smartphone with a Telegram logo.\" width=\"1200\" height=\"555\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/smart-phone-telegram-logo-messaging-voip-1621501870\" data-credittext=\"DANIEL CONSTANTE\/Shutterstock.com\" \/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/smart-phone-telegram-logo-messaging-voip-1621501870\">DANIEL CONSTANTE\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Telegram is a convenient chat app. Malware authors think so too: ToxicEye is a remote access trojan (RAT) that piggybacks on Telegram\u2019s network, taking its orders from its operators and sending stolen data back to them through the popular chat service.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Malware_That_Chats_on_Telegram\"><\/span>Malware That Chats on Telegram<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Early in 2021, millions of users left WhatsApp for messaging apps promising better data security after the company announced that it would share user metadata with Facebook by default. Many of those people went to the competing apps Telegram and Signal.<br \/>\nTelegram was the most downloaded app worldwide, with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/sensortower.com\/blog\/top-apps-worldwide-january-2021-by-downloads\">over 63 million installations<\/a> in January 2021, according to Sensor Tower. 
Telegram chats aren\u2019t end-to-end encrypted by default (only its opt-in \u201cSecret Chats\u201d are), unlike Signal chats, and now Telegram has another problem: malware.<\/p>\n<p>Security vendor Check Point <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/blog.checkpoint.com\/2021\/04\/22\/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control\/\">recently reported<\/a> that attackers are using Telegram as the command-and-control channel for a malware program called ToxicEye. Telegram\u2019s bot API gives them a ready-made, HTTPS-encrypted channel to their malware, with no server of their own to register, host, or keep alive, which is easier than running a web-based control panel. They can issue commands to infected computers from an ordinary Telegram chat with a bot they control.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"What_Is_ToxicEye_and_How_Does_It_Work\"><\/span>What Is ToxicEye, and How Does It Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>ToxicEye is a type of malware called a remote access trojan (RAT). A RAT gives an attacker remote control of an infected machine, which means they can:<\/p>\n<ul>\n<li aria-level=\"1\">steal data from the host computer.<\/li>\n<li aria-level=\"1\">delete or transfer files.<\/li>\n<li aria-level=\"1\">kill processes running on the infected computer.<\/li>\n<li aria-level=\"1\">hijack the computer\u2019s microphone and camera to record audio and video without the user\u2019s consent or knowledge.<\/li>\n<li aria-level=\"1\">encrypt files and demand a ransom.<\/li>\n<\/ul>\n<p>The ToxicEye RAT is spread through phishing: the target receives an email with a malicious EXE file attached. If the user opens the file, it installs the RAT on their device.<\/p>\n<p>RATs are similar to the remote access programs that, say, someone in tech support might use to take command of your computer and fix a problem. But these programs sneak in without permission. 
They masquerade as legitimate files, often disguised as a document or bundled into a larger download such as a video game.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_Attackers_Are_Using_Telegram_to_Control_Malware\"><\/span>How Attackers Are Using Telegram to Control Malware<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Attackers have been using Telegram to control malware remotely since at least 2017. One widely reported example is the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-masad-stealer-malware-exfiltrates-crypto-wallets-via-telegram\/\">Masad Stealer<\/a>, which emptied victims\u2019 cryptocurrency wallets and exfiltrated the contents over Telegram.<\/p>\n<p>Check Point researcher Omer Hofman says the company has found more than 130 ToxicEye attacks using this method between February and April 2021, and several things make Telegram attractive to attackers who distribute malware.<\/p>\n<p>For one thing, Telegram is a legitimate and widely used service, so its traffic is rarely blocked by firewalls or network management tools, and because the bot traffic is ordinary HTTPS to Telegram\u2019s own API servers, it blends in with normal use. It\u2019s an easy-to-use app that many people recognize as legitimate, and so let their guard down around.<br \/>\n Registering for Telegram requires only a mobile number, which lets attackers stay largely anonymous. It also lets them control infected machines from a phone, so they can run an attack from just about anywhere. 
Anonymity makes attributing the attacks to someone, and stopping them, extremely difficult.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"The_Infection_Chain\"><\/span>The Infection Chain<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Here\u2019s how the ToxicEye infection chain works:<\/p>\n<ol>\n<li aria-level=\"1\">The attacker first creates a Telegram account and then a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/telegram.org\/blog\/bot-revolution\">Telegram \u201cbot,\u201d<\/a> an automated account that sends and receives messages through Telegram\u2019s bot API.<\/li>\n<li aria-level=\"1\">The bot\u2019s API token is embedded in the malware\u2019s source code; that token is all the malware needs to talk to the bot over HTTPS.<\/li>\n<li aria-level=\"1\">The compiled malware is sent out as email spam, usually disguised as something legitimate that the user might open.<\/li>\n<li aria-level=\"1\">When the attachment is opened, the RAT installs itself on the host computer and from then on takes commands from, and sends stolen information back to, the attacker through the Telegram bot.<\/li>\n<\/ol>\n<p>Because this RAT arrives by spam email and talks to Telegram\u2019s servers on its own, you don\u2019t need to be a Telegram user, or even have Telegram installed, to get infected.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Staying_Safe\"><\/span>Staying Safe<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you think that you might have downloaded ToxicEye, Check Point advises checking for the following file on your PC: C:\\Users\\ToxicEye\\rat.exe<\/p>\n<p>If you find it on a work computer, don\u2019t just delete it: disconnect the machine from the network and contact your help desk or security team immediately, so they can preserve evidence and check for any other persistence the RAT has set up. If it\u2019s on a personal device, delete the file and run a full antivirus scan right away; that file may not be the only thing the malware left behind.<\/p>\n<p>At the time of writing, in late April 2021, these attacks have only been seen on Windows PCs. 
If you don\u2019t already have a good antivirus program installed, now\u2019s the time to get one.<\/p>\n<p>Other tried-and-true advice for good \u201cdigital hygiene\u201d also applies:<\/p>\n<ul>\n<li aria-level=\"1\">Don\u2019t open email attachments that look suspicious or come from unfamiliar senders.<\/li>\n<li aria-level=\"1\">Be wary of attachments whose names contain your username. Malicious emails often put your username in the subject line or the attachment name to look personal.<\/li>\n<li aria-level=\"1\">If an email sounds urgent, threatening, or authoritative and pressures you to click a link, open an attachment, or hand over sensitive information, it\u2019s probably malicious.<\/li>\n<li aria-level=\"1\">Use anti-phishing software if you can.<\/li>\n<\/ul>\n<p>The Masad Stealer code was later made available on GitHub. Check Point says that this has led to the development of a host of other malicious programs, including ToxicEye:<\/p>\n<blockquote><p>\u201cSince Masad became available on hacking forums, dozens of new types of malware that use Telegram for [command and control] and exploit Telegram\u2019s features for malicious activity, have been found as \u2018off-the-shelf\u2019 weapons in hacking tool repositories in GitHub.\u201d<\/p>\n<\/blockquote>\n<p>Companies that use Telegram would do well to consider switching to something else, or blocking it on their networks (in particular outbound access to the bot API at api.telegram.org, or at least alerting on workstations that reach it), until Telegram implements a solution to close this distribution channel. Uninstalling the Telegram client on its own doesn\u2019t help: the malware talks to Telegram\u2019s servers directly.<\/p>\n<p>In the meantime, individual users should keep their eyes peeled, be aware of the risks, and check their systems regularly to root out threats, and maybe consider switching to Signal instead.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/725820\/how-rat-malware-is-using-telegram-to-avoid-detection\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How RAT Malware Is Using Telegram to Avoid Detection&#8221; DANIEL CONSTANTE\/Shutterstock.com Telegram is a convenient chat app. Even malware creators think so! ToxicEye is a RAT malware program that piggybacks on Telegram\u2019s network, communicating with its creators through the popular chat service. 
Malware That Chats on Telegram Early in 2021, scores of users left WhatsApp&#8230;<\/p>\n","protected":false},"author":1,"featured_media":239997,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/04\/telegram-hacker.jpg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-239996","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/239996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=239996"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/239996\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/239997"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=239996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=239996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=239996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
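The following detection helpers are an added example for the "How Attackers Are Using Telegram to Control Malware" and "Staying Safe" sections of the article above; they are not code from the original article, from Check Point, or from ToxicEye itself. They show what a defender can actually look for once malware uses Telegram's bot API as its command channel: the bot token embedded in the binary (the public token format is a numeric bot id, a colon, and a 35-character secret, the same pattern common secret scanners use), and an implant's steady polling of the API's getUpdates method from a workstation. The proxy log format, the sample "binary" blob, and every token, host and timestamp in them are constructed for this example; the polling threshold and jitter tolerance are arbitrary starting points, not Check Point's detection logic.

```python
"""Telegram Bot API C2 detection (added example; not ToxicEye or Check Point code)."""
import re
from collections import defaultdict
from datetime import datetime

# Public Bot API token shape: 8-10 digit bot id, ":", 35 chars of [A-Za-z0-9_-].
# Lookarounds rather than \b so a token glued to ".../bot" in a URL still matches.
_TOKEN = r"(?<![0-9])(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])"
TOKEN_BYTES_RE = re.compile(_TOKEN.encode())
TOKEN_TEXT_RE = re.compile(_TOKEN, re.ASCII)
# Bot API URL; the method name is whatever follows the token, up to "?" or end.
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{35}/(?P<method>\w+)")
# Constructed proxy log format: "<ISO-8601 UTC time> <client ip> <verb> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+[A-Z]+\s+(?P<url>\S+)\s+\d{3}$")

_SECRET_A = "AAHfakeSecretForTheDemo0123456789ab"  # constructed, 35 chars
_SECRET_B = "AAGanotherFakeSecret0123456789abcde"  # constructed, 35 chars

# Constructed stand-in for a dropped binary: a PE-like header, one token inside a
# Bot API URL stored as ASCII, and a second token stored as UTF-16LE (.NET style).
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + f"https://api.telegram.org/bot123456789:{_SECRET_A}/getUpdates\x00\x00".encode()
    + f"987654321:{_SECRET_B}".encode("utf-16-le")
    + b"\x00\x00"
)

# Constructed proxy log: 10.1.2.30 polls getUpdates every ~30 s and uploads a file;
# 10.1.2.31 is a one-off test; the other hosts never touch the Bot API.
SAMPLE_PROXY_LOG = f"""\
2021-04-21T09:00:00Z 10.1.2.30 GET https://api.telegram.org/bot123456789:{_SECRET_A}/getUpdates?offset=41 200
2021-04-21T09:00:07Z 10.1.2.31 GET https://api.telegram.org/bot987654321:{_SECRET_B}/getMe 200
2021-04-21T09:00:30Z 10.1.2.30 GET https://api.telegram.org/bot123456789:{_SECRET_A}/getUpdates?offset=41 200
2021-04-21T09:00:31Z 10.1.2.32 CONNECT web.telegram.org:443 200
2021-04-21T09:01:01Z 10.1.2.30 GET https://api.telegram.org/bot123456789:{_SECRET_A}/getUpdates?offset=42 200
2021-04-21T09:01:05Z 10.1.2.30 POST https://api.telegram.org/bot123456789:{_SECRET_A}/sendDocument 200
2021-04-21T09:01:30Z 10.1.2.30 GET https://api.telegram.org/bot123456789:{_SECRET_A}/getUpdates?offset=42 200
2021-04-21T09:01:44Z 10.1.2.33 GET https://example.com/ 200
2021-04-21T09:02:00Z 10.1.2.30 GET https://api.telegram.org/bot123456789:{_SECRET_A}/getUpdates?offset=42 200
2021-04-21T09:12:00Z 10.1.2.31 GET https://api.telegram.org/bot987654321:{_SECRET_B}/getUpdates 200
this line is malformed and is skipped
"""


def find_bot_tokens(data: bytes) -> list:
    """Return [(bot_id, redacted_token), ...] found in raw bytes, de-duplicated."""
    hits = [(m.group(1).decode(), m.group(2).decode()) for m in TOKEN_BYTES_RE.finditer(data)]
    # Windows binaries (.NET ones in particular) often store strings as UTF-16LE,
    # so also scan a UTF-16LE decoding at both byte alignments.
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        hits += [(m.group(1), m.group(2)) for m in TOKEN_TEXT_RE.finditer(text)]
    seen, found = set(), []
    for bot_id, secret in hits:
        if (bot_id, secret) not in seen:
            seen.add((bot_id, secret))
            # Keep the bot id (needed for an abuse report) but never copy a live secret around.
            found.append((bot_id, f"{bot_id}:{secret[:4]}...{secret[-4:]}"))
    return found


def parse_proxy_log(lines):
    """Yield (timestamp, src_ip, url) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["url"]


def flag_telegram_c2(lines, min_polls=4, max_jitter=0.25):
    """Summarise Bot API use per client host and flag steady getUpdates polling.

    Official Telegram clients speak MTProto to Telegram's data centres, not the HTTPS
    Bot API, so a workstation calling api.telegram.org/bot<token>/... is running bot
    code of some kind. It is marked beaconing when it made at least `min_polls`
    getUpdates calls with every gap within `max_jitter` of the median gap, which
    separates an implant waiting for orders from a one-off test or an alert-only bot.
    """
    per_host = defaultdict(list)
    for ts, src, url in parse_proxy_log(lines):
        m = BOT_URL_RE.match(url)
        if m:
            per_host[src].append((ts, m["method"]))
    findings = {}
    for src, hits in per_host.items():
        hits.sort()
        polls = [ts for ts, method in hits if method == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        beaconing = False
        if len(polls) >= min_polls:
            median = sorted(gaps)[len(gaps) // 2]
            beaconing = median > 0 and all(abs(g - median) <= max_jitter * median for g in gaps)
        findings[src] = {"hits": len(hits), "methods": sorted({method for _, method in hits}),
                         "polls": len(polls), "beaconing": beaconing}
    return findings


if __name__ == "__main__":
    print(find_bot_tokens(SAMPLE_BLOB))
    print(flag_telegram_c2(SAMPLE_PROXY_LOG.splitlines()))
```

Run it directly to see the findings for the constructed samples. In practice, feed find_bot_tokens() the bytes of a suspicious attachment or a process memory dump, and flag_telegram_c2() a day of proxy logs after adapting LOG_RE to your proxy's format. Because the Bot API is plain HTTPS, the URL path (and therefore the token and method name) is only visible to a TLS-inspecting proxy; without inspection, the same polling-regularity check can be run on CONNECT or SNI records for api.telegram.org alone, which is also the host to block outright on networks that have no business need for Telegram bots.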