ToxicEye is a recently discovered multi-functional remote access Trojan (RAT). It has been used in more than 130 attacks over the past three months. It is spread mainly through phishing emails carrying a malicious .exe attachment. When the victim opens the attachment, ToxicEye installs itself on the device and carries out the following malicious activities, with the victim entirely unaware:
- Data theft
- Encryption of files
- Deleting and transferring files
- Attacking and killing processes on the PC
- Hijacking the PC's microphone and camera to record audio and video
Attackers control the ToxicEye RAT over Telegram, and the same messaging platform is used to exfiltrate data. Researchers found that the ToxicEye RAT configuration file contains a Telegram bot and is compiled into an executable file.
According to the analysis published by Check Point:
“The attacker first creates a Telegram account and a Telegram bot. A Telegram bot account is a special remote account with which users can interact by Telegram Chat or by adding them to Telegram Groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query. The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.ese’). Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram.”
A RAT can be delivered in different ways. Experts noted that ToxicEye can also be delivered through a malicious document that prompts the user to click ‘Enable Content’. To determine whether a system has been infected, search for a file called C:\Users\ToxicEye\rat.exe; its presence is an indicator of compromise.
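The two detection opportunities in the text are the dropped-file indicator and the Telegram bot that is compiled into the RAT's configuration. The following Python script, an added example that is not Check Point's or the article's code, checks for the indicator path, scans a file's contents (including UTF-16 wide strings, as found in Windows binaries) for an embedded Telegram bot token or Bot API URL, and flags proxy-log lines in which a workstation calls the Telegram Bot API. It assumes a token shape of `<numeric id>:<35-character secret>` and the `api.telegram.org/bot<token>/<method>` URL layout (our assumptions about the Bot API, not statements from the article), and the binary and proxy-log samples are constructed for the demonstration.

```python
"""Defensive triage helpers for the ToxicEye indicators described in the article.
Added example; assumptions are marked in the comments below."""
import re
from pathlib import Path

# Dropped-file indicator quoted in the article.
TOXICEYE_IOC_PATH = Path(r"C:\Users\ToxicEye\rat.exe")

# Assumed token shape: <numeric id>:<35-char secret>. The lookarounds stop a longer
# digit or secret run from matching, which cuts false positives on random data.
BOT_TOKEN_RE = re.compile(rb"(?<!\d)\d{6,12}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
BOT_API_STR_RE = re.compile(rb"api\.telegram\.org/bot", re.IGNORECASE)
# Assumed Bot API URL layout for log lines: .../bot<token>/<method>
BOT_API_URL_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)", re.IGNORECASE)


def ioc_path_present(path=TOXICEYE_IOC_PATH) -> bool:
    """True if the file the article names as an indicator of compromise exists."""
    return Path(path).is_file()


def _ascii_views(data: bytes):
    """Yield the raw bytes plus ASCII projections of both UTF-16LE alignments,
    so wide strings in a Windows binary are scanned as well as plain ASCII."""
    yield data
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", "ignore").encode("ascii", "ignore")


def scan_bytes_for_telegram_bot(data: bytes) -> dict:
    """Look for an embedded Telegram bot token or Bot API string in file contents."""
    tokens, api_strings = set(), 0
    for view in _ascii_views(data):
        tokens.update(m.group(0).decode() for m in BOT_TOKEN_RE.finditer(view))
        api_strings += len(BOT_API_STR_RE.findall(view))
    return {
        "bot_tokens": sorted(tokens),
        "bot_api_strings": api_strings,
        "suspicious": bool(tokens or api_strings),
    }


def scan_file_for_telegram_bot(path) -> dict:
    """Convenience wrapper: scan a file on disk (e.g. a suspicious attachment)."""
    return scan_bytes_for_telegram_bot(Path(path).read_bytes())


def find_bot_api_beacons(log_text: str) -> list:
    """Return one record per proxy-log line that calls the Telegram Bot API.
    Assumed (constructed) log format: <timestamp> <client-ip> <verb> <url> <status>.
    A workstation talking to the Bot API matches the C&C/exfiltration pattern above."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, client, verb, url, _status = fields[:5]
        m = BOT_API_URL_RE.search(url)
        if m:
            hits.append({"time": timestamp, "client": client, "verb": verb,
                         "token": m.group(1), "api_method": m.group(2)})
    return hits


# ---- constructed sample data (not real samples or real tokens) ----
SAMPLE_TOKEN = "1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678"
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"cfg:token=" + SAMPLE_TOKEN.encode() + b"\x00"
    + "https://api.telegram.org/bot".encode("utf-16-le")  # wide string at an odd offset
    + b"\x00\x00"
)
CLEAN_BINARY = b"MZ\x90\x00" + b"\x00" * 8 + b"hello world\x00"
SAMPLE_PROXY_LOG = f"""\
2021-04-22T10:15:01Z 10.0.0.5 GET https://www.example.com/ 200
2021-04-22T10:15:07Z 10.0.0.5 GET https://api.telegram.org/bot{SAMPLE_TOKEN}/getUpdates 200
2021-04-22T10:15:09Z 10.0.0.7 POST https://api.telegram.org/bot{SAMPLE_TOKEN}/sendDocument 200
"""

if __name__ == "__main__":
    print("IoC path present:", ioc_path_present())
    print("binary scan:", scan_bytes_for_telegram_bot(SAMPLE_BINARY))
    for hit in find_bot_api_beacons(SAMPLE_PROXY_LOG):
        print("Bot API beacon:", hit)
```

The file scanner deliberately projects both UTF-16LE alignments to ASCII, because a wide string that starts at an odd byte offset is invisible to a naive single-alignment decode. On the log side, `getUpdates` from a client is the bot polling its controller and `sendDocument` is the direction a file would leave the host, so the per-method records are what an analyst pivots on.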
The ToxicEye RAT carries out multiple functions:
- Scanning for and stealing credentials, operating-system data, browser history, clipboard contents, and cookies.
- Transferring and deleting files.
- Killing PC processes and taking over the Task Manager.
- Deploying keyloggers and hijacking the microphone and camera.
- Stealing the contents of the clipboard.
- Ransomware features: it can encrypt and decrypt the victim’s files.
The report further explains:
“The developers who publish these tools disguise their true purpose by defining them as “Remote Administration Tool” or “for educational purpose only”, although some of their characteristics are often found in malicious Trojans. Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”