
Cybercriminals Using Telegram Messenger to Control ToxicEye Malware
2021-04-22 04:21

Adversaries are increasingly abusing Telegram as a command-and-control (C2) channel for malware delivered into organizations, malware that can then be used to capture sensitive information from the targeted systems.

In September 2019, an information stealer dubbed Masad Stealer was found to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel.

For a start, Telegram is a legitimate service that enterprise antivirus engines do not block. The messaging app also lets attackers remain anonymous, since registration requires only a mobile number, and it gives them access to infected devices from virtually any location in the world.

ToxicEye is spread via phishing emails carrying a malicious Windows executable; once running, it uses Telegram to communicate with its command-and-control server and to upload stolen data to it.

Specifically, the attack chain begins with the attacker creating a Telegram bot. The bot (identified by its API token) is embedded into the RAT's configuration file, which is then compiled into an executable.

This .EXE file is then injected into a decoy Word document that, when opened, downloads and runs the Telegram RAT. "We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations," Check Point R&D Group Manager Idan Sharabi said.
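The C2 pattern described above leaves a recognisable trace on the wire: every Telegram Bot API call goes to api.telegram.org with the bot token in the URL path, and an implant alternates between polling the bot for operator commands (getUpdates) and pushing results back (sendMessage, sendDocument). The detector below is an added example, not code from the article or from Check Point's report. The telemetry lines are constructed; the field layout (timestamp, host, process, URL, status) assumes an endpoint agent or proxy that records the requesting process, and the minimum secret length in the token regex is an assumption.

```python
"""Spot Telegram Bot API command-and-control in endpoint web telemetry.

Added example. The sample log is constructed; the log layout and the
token secret length are assumptions, not facts from the article.
"""
import re
from dataclasses import dataclass, field

# Every Bot API call targets api.telegram.org with the bot token in the
# path: /bot<numeric bot id>:<secret>/<method>. The token is the live
# credential for the bot, so treat it as sensitive once captured.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)"
)

POLL_METHODS = {"getUpdates"}                                 # operator -> implant tasking
PUSH_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}   # implant -> operator exfil/beacon

# Constructed sample telemetry: "timestamp host process url status".
# Line 2/3: a non-browser process polls for commands and uploads a file.
# Line 4: one-directional bot use by a scripting host (needs review, not proof of C2).
SAMPLE_LOG = """\
2021-04-20T09:12:01Z 10.0.5.23 chrome.exe https://web.telegram.org/k/ 200
2021-04-20T09:12:07Z 10.0.5.41 svchost.exe https://api.telegram.org/bot1234567890:AAFxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getUpdates?offset=17 200
2021-04-20T09:12:09Z 10.0.5.41 svchost.exe https://api.telegram.org/bot1234567890:AAFxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendDocument 200
2021-04-20T09:12:15Z 10.0.5.77 python.exe https://api.telegram.org/bot9876543210:BBGyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sendMessage 200
2021-04-20T09:12:20Z 10.0.5.23 chrome.exe https://www.example.com/ 200
"""


@dataclass
class BotActivity:
    """All Bot API requests one process on one host made to one bot."""
    host: str
    process: str
    bot_id: str
    first_seen: str
    last_seen: str
    requests: int = 0
    methods: set = field(default_factory=set)


def parse_line(line):
    """Split a log line into (timestamp, host, process, url); None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def extract_bot_activity(log_text):
    """Group every Bot API request by (host, process, bot id)."""
    activity = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, proc, url = rec
        m = BOT_API_RE.search(url)
        if m is None:
            continue                      # not Bot API traffic (browsers, other sites)
        key = (host, proc, m["bot_id"])
        act = activity.setdefault(key, BotActivity(host, proc, m["bot_id"], ts, ts))
        act.methods.add(m["method"])
        act.requests += 1
        act.last_seen = ts
    return activity


def classify(act, allowed_processes=frozenset()):
    """'c2_suspect' when the same process both polls for commands and pushes
    data back, i.e. the full tasking/exfiltration loop a RAT needs;
    'bot_api_use' for one-directional bot traffic; 'allowed' for approved
    automation."""
    if act.process in allowed_processes:
        return "allowed"
    if act.methods & POLL_METHODS and act.methods & PUSH_METHODS:
        return "c2_suspect"
    return "bot_api_use"


def scan(log_text, allowed_processes=frozenset()):
    """Map (host, process, bot id) -> verdict for the whole log."""
    return {key: classify(act, allowed_processes)
            for key, act in extract_bot_activity(log_text).items()}


def redact_token(url):
    """Mask the bot secret before a URL goes into a ticket or SIEM alert."""
    return BOT_API_RE.sub(lambda m: m.group(0).replace(m["secret"], "<redacted>"), url)


if __name__ == "__main__":
    for (host, proc, bot_id), verdict in scan(SAMPLE_LOG).items():
        print(f"{verdict:12} host={host} process={proc} bot_id={bot_id}")
```

The verdict keys on the process rather than the destination because the destination is legitimate by design: blocking api.telegram.org outright is often not an option, but a service host or Office process driving a bot is not normal. Maintain the allowlist for approved automation, and keep the bot id (not the secret) in alerts so that analysts can correlate across hosts without copying a working credential around.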


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/siCL9SA0ank/cybercriminals-using-telegram-messenger.html

Related vendor

VENDOR     LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Telegram              6            2     23       8      2          35