[German]Security experts from Check Point Research warn of new campaign that threatens millions of users. The attackers can install contaminated files on computers via Telegram and then control these programs remotely. Here is some information I received directly from Check Point.
Advertising
Check Point Research (CPR) has come across cyber criminals who are abusing the Telegram messaging service as a remote malware distribution center. The hackers hide the malware behind email attachments to infect computers. The finding was preceded by CPR observing more than 130 cyber attacks from a remote access Trojan (RAT) called ToxicEye within the last three months, coordinated by the actors through Telegram. Telegram has over 500 million active users worldwide and is one of the top ten most downloaded apps in the world.
Sophisticated attack path
The attack path looks like the hackers create a Telegram account and set up a special Telegram bot. This is a remote account that users can interact with via Telegram chat, or via groups, or via the input field when they enter the bot's name and request.
Telegram hack, source: Check Point
In a second step, the bot's login token is combined with malware. In a third step, the cyber criminals spread the malware will as an attachment via a spam email. One example found was called paypal checker by saint.exe.
If the victim opens the malicious attachment, it then connects to Telegram. From now on, anyone whose computer has been contaminated by the malware can be attacked by the hackers' Telegram bot – regardless of whether Telegram is installed at all. The malware simply connects the user's device to the attackers' command-and-control server via Telegram. If the hacker has control over the device, he can perform various malicious activities. The impact of a successful attack is manifold. Observed were:
Advertising
- File System Control (deleting or transferring files; stopping processes; taking over the Task Manager).
- Data leakage (theft of images, videos, passwords, system information, browser history and cookies).
- Ransomware (encryption of data).
- I/O-hijacking (installing a keylogger that reads input; secretly recording sound and images via the device's microphone and camera; cracking the clipboard).
Security researchers believe that Telegram is currently under increased attack because it has seen a large increase in users – including as an enterprise application. Dozens of new malware against Telegram, which can be purchased ready to use, are ready in Github stores. Some circumstances are in favor of the hackers:
- Telegram is not blocked by enterprise security solutions because it is a real, secure and stable application, which is also easy to use and frequently used there.
- Telegram preserves the anonymity of users, and thus of the attackers behind the infected accounts, because registration requires only a phone number.
- The technical way of communicating via Telegram allows the attackers to easily steal data from a computer or transfer infected data to the device.
- Attackers can use their cell phones to dial infected computers anywhere in the world via Telegram.
Christine Schönig, Regional Director Security Engineering CER, Office of the CTO, at Check Point Software Technologies GmbH, summarizes the research, "We discovered that malware authors are using the Telegram platform as a ready-to-use command-and-control system for malware distribution in enterprises. This allows the malware used to receive its commands for operations from the attackers remotely via Telegram – even when Telegram is not installed or used on the computer. The malware the hackers use can be found in easily accessible places like the open-source platform Github. We are convinced the attackers are taking advantage of the fact that Telegram is used in almost all organizations and therefore bypasses security restrictions. For this reason, we strongly advise all users to be aware of the existence of malicious emails and to be suspicious of those that embed their username in the subject, or are written with broken language. Now that we know that Telegram can be used to distribute contaminated files or as a command and control center for remote malware, we expect to see more malware designed specifically for this purpose."
Helpful tips against the attack are:
- Look for a file named: C:\Users\ToxicEye\rat.exe. If this is present, the computer has been infected and IT should be notified immediately to delete the file.
- Network traffic needs to be monitored to see if any transfers are taking place from computers in the company to a Telegram command-and-control server. If this takes place and Telegram is not officially used as an application in the company, this is a clear indication.
- Watch out for email attachments that contain usernames or messages that have them in the subject line.
- Beware if recipient or sender names of an email are missing or unrecognizable.
- Watch out if the email is written in broken language, meaning it contains many misspellings.
- Companies can deploy an automated security solution against phishing anyway, which helps employees defend against it and is based on artificial intelligence. This can stand guard within the entire corporate communications.
For more information, read this article.
