Telegram, one of the world's most popular instant messaging platforms, is increasingly being used by cybercriminals as a command-and-control system for distributing malware, according to cybersecurity company Check Point.
In a report issued this week, the company said the use of Telegram for attacks provides criminals with a number of operational advantages. "Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools. Attackers can remain anonymous as the registration process requires only a mobile number."
"The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines. Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally," Check Point said.
The Israeli company noted that the platform's popularity has spiked this year due to controversial changes in the privacy settings of its rival WhatsApp. Telegram was installed 63 million times in January alone, making it the world's most downloaded app that month, and currently has over 500 million monthly active users worldwide.
In its report, Check Point said that over the past three months its research department has seen over 130 attacks using a new variant of malware dubbed ToxicEye. The remote access trojan "is spread via phishing emails containing a malicious .exe file. If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of exploits without the victim’s knowledge," the report said.
Among the key capabilities of the trojan, Check Point said, are locating and stealing passwords, computer information, browser history and cookies; deleting and transferring files; killing PC processes and taking over the PC’s task manager; deploying a keylogger; recording audio and video of the victim’s surroundings via the PC’s microphone and camera; hijacking the contents of the clipboard; and encrypting the victim’s files.
According to Check Point, individuals should take the following steps to protect themselves and determine whether their systems have been infected:
- Search for a file called C:\Users\ToxicEye\rat.exe – if this file exists on your PC, you have been infected and must immediately contact your helpdesk and erase this file from your system.
- Monitor the traffic generated from PCs in your organization to a Telegram C&C – if such traffic is detected, and Telegram is not installed as an enterprise solution, this is a possible indicator of compromise.
- Beware of attachments containing usernames – malicious emails often use your username in their subject line or in the file name of the attachment. These indicate suspicious emails: delete such emails, and never open the attachment or reply to the sender.
- Undisclosed or unlisted recipient(s) – if the email's recipients have no names, or the names are unlisted or undisclosed, this is a good indication that the email is malicious and/or a phishing email.
- Always note the language in the email – Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.
- Deploy an automated anti-phishing solution – Minimizing the risk of phishing attacks to the organization requires AI-based anti-phishing software capable of identifying and blocking phishing content across all of the organization’s communication services (email, productivity applications, etc.) and platforms (employee workstations, mobile devices, etc.). This comprehensive coverage is necessary since phishing content can come over any medium, and employees may be more vulnerable to attacks when using mobile devices.
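
The first two checks in the list above, written out as an added example (not code from Check Point's report or from this article): Python that flags clients reaching Telegram in web-proxy logs, skipping hosts where Telegram is sanctioned, and matches the file indicator against a file inventory. The log format, sample lines, sanctioned-client set and Telegram domain list are assumptions constructed for illustration.

```python
import ntpath
from collections import Counter
from urllib.parse import urlsplit

TOXICEYE_PATH = r"C:\Users\ToxicEye\rat.exe"   # file IoC quoted in the list above
# Assumption: domains treated as Telegram; api.telegram.org serves the Bot API.
TELEGRAM_SUFFIXES = ("telegram.org", "t.me")

def is_telegram_host(host):
    """True for a Telegram domain or its subdomains, not for lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TELEGRAM_SUFFIXES)

def target_host(target):
    """Host from a proxy target: 'host:443' (CONNECT) or a full URL."""
    if "://" not in target:
        target = "//" + target
    return urlsplit(target).hostname or ""

def flag_telegram_clients(log_lines, sanctioned=frozenset()):
    """Count Telegram requests per client IP, skipping sanctioned clients."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed or truncated line
        client, target = fields[1], fields[3]
        if client not in sanctioned and is_telegram_host(target_host(target)):
            hits[client] += 1
    return dict(hits)

def file_ioc_hits(paths):
    """Paths from a file inventory equal to the IoC (Windows paths ignore case)."""
    want = ntpath.normcase(TOXICEYE_PATH)
    return [p for p in paths if ntpath.normcase(p) == want]

# Constructed sample data; assumed format: time client method target status
SAMPLE_LOG = [
    "2021-04-22T09:14:02Z 10.0.4.17 CONNECT api.telegram.org:443 200",
    "2021-04-22T09:14:32Z 10.0.4.17 CONNECT api.telegram.org:443 200",
    "2021-04-22T09:15:10Z 10.0.4.52 CONNECT web.telegram.org:443 200",
    "2021-04-22T09:16:45Z 10.0.4.23 GET http://telegram.org.example.net/a 200",
    "2021-04-22T09:17:03Z 10.0.4.23 CONNECT nottelegram.org:443 200",
    "truncated line",
]
SAMPLE_FILES = [r"c:\users\toxiceye\RAT.EXE", r"C:\Users\alice\rat.exe"]

if __name__ == "__main__":
    # 10.0.4.52 stands for a host where Telegram is an approved tool.
    print(flag_telegram_clients(SAMPLE_LOG, sanctioned={"10.0.4.52"}))
    print(file_ioc_hits(SAMPLE_FILES))
```

Matching on the domain suffix with a leading dot keeps lookalike hosts such as `telegram.org.example.net` out of the results, and a repeated, regular hit count from one client is the pattern worth triaging first.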