New research by Check Point Software Technologies’ malware analyst Omer Hofman indicates that Telegram is a growing hub for threat actor activity (via TechRadar). With WhatsApp alienating some users through its new policies and settings, Telegram has become more relevant than ever. But where there is popularity, there is danger.
The cybercriminals in question are using Telegram as a command and control (C&C) system to distribute their digital weapons. One in particular that Check Point Research (CPR) has seen an uptick in lately is the remote access trojan “ToxicEye,” which CPR has observed in more than 130 attacks within a three-month window.
ToxicEye is spread through a .exe file contained inside phishing emails. It’s an old tactic, but it’s working well enough to get ToxicEye inside people’s computers. Once the trojan is in there, it can steal data, delete processes, hijack a machine’s microphone and camera, and encrypt files to hold them for ransom.
Attackers control this malware through Telegram, which serves as the channel to their C&C server; the same server is where the malware dumps its stolen data. Some specific reasons for Telegram’s popularity amongst bad guys include:
- Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools
- Attackers can remain anonymous as the registration process requires only a mobile number
- The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines
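Because Telegram traffic is rarely blocked, one practical defender-side check is to look for Telegram Bot API requests coming from processes that have no business using it. The following is an added example, not code from the article or from Check Point; it runs over constructed proxy log lines, and the allowlisted process name and the log format are assumptions.

```python
import re

# Constructed sample proxy log lines (not from the article): "<timestamp> <host> <process> <url>"
SAMPLE_LOGS = [
    "2021-04-22T09:01:12 WS-FIN-07 corp-alerts-bot.exe https://api.telegram.org/bot111:AAAexample/sendMessage",
    "2021-04-22T09:02:45 WS-FIN-12 invoice_2021.exe https://api.telegram.org/bot222:BBBexample/getUpdates",
    "2021-04-22T09:03:10 WS-FIN-12 invoice_2021.exe https://api.telegram.org/bot222:BBBexample/sendDocument",
    "2021-04-22T09:03:30 WS-FIN-03 chrome.exe https://web.telegram.org/",
    "2021-04-22T09:04:01 WS-HR-02 svchost.exe https://api.telegram.org/bot333:CCCexample/getMe",
]

# Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>\w+)")

# Assumption: the only process sanctioned to use the Bot API on this network
ALLOWED_PROCESSES = {"corp-alerts-bot.exe"}

# Methods a Telegram-controlled RAT relies on: getUpdates polls for operator
# commands, the send* methods push stolen files, screenshots or text to the channel
HIGH_RISK_METHODS = {"getUpdates", "sendDocument", "sendPhoto", "sendMessage"}


def parse_line(line):
    ts, host, process, url = line.split(" ", 3)
    return {"ts": ts, "host": host, "process": process, "url": url}


def find_bot_api_abuse(lines, allowed=ALLOWED_PROCESSES):
    """Return one finding per Bot API request made by a process that is not allowlisted."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        m = BOT_API_RE.search(rec["url"])
        if m is None or rec["process"].lower() in allowed:
            continue
        method = m.group("method")
        findings.append({
            "host": rec["host"],
            "process": rec["process"],
            "method": method,
            # keep only a prefix of the bot token so the alert itself does not leak it
            "token_prefix": m.group("token")[:4] + "...",
            "severity": "high" if method in HIGH_RISK_METHODS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_bot_api_abuse(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['host']} {f['process']} -> {f['method']} (bot {f['token_prefix']})")
```

On the sample data the two requests from the unexpected invoice_2021.exe process are rated high, while the getMe call from svchost.exe is still flagged at medium because no unsanctioned process should be talking to the Bot API at all.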
The full research report makes for interesting reading and is worth checking out if you want a more in-depth look at how innocuous apps can be co-opted for villainy.