ToxicEye is a remote access Trojan (RAT) that Check Point Research has tracked in more than 130 attacks over the past three months. The multi-functional RAT is delivered by phishing emails carrying a malicious .exe attachment.
The attack begins when the victim opens the attachment; ToxicEye then installs itself on the PC and carries out a range of malicious tasks without the victim's knowledge. These include:
- Stealing data
- Killing processes on the PC
- Deleting or transferring files
- Encrypting files for ransom
- Hijacking the PC's microphone and camera to record audio and video
ToxicEye uses Telegram as its command-and-control (C&C) channel: the implant takes its commands from, and exfiltrates data to, a Telegram account under the attacker's control. In Check Point's write-up the operator creates a Telegram bot and embeds its token in the RAT's configuration, so every infected machine talks to the attacker through Telegram's bot API rather than a server the attacker has to host.
Researchers have characterized the RAT's key capabilities, which make its purpose clear. The recent attacks show that it has data-stealing features; specifically, the RAT can locate and steal:
- Browser cookies
- Browsing history
- Computer information
ToxicEye also has file-system control: it can delete and transfer files, kill processes and take over the PC's Task Manager.
It also hijacks I/O: the RAT can deploy a keylogger, record audio and video of the victim's surroundings via the PC's microphone and camera, and capture the contents of the clipboard.
Lastly, it has ransomware features: it can encrypt and decrypt the victim's files.
Everything the implant collects flows back to the attacker over the same Telegram channel, leaving them free to use the stolen data however they wish.
Capabilities of ToxicEye (Image: Check Point)
In a blog post, the Check Point Research team said that one of the main reasons the attackers chose Telegram for this campaign is that its communications features let them exfiltrate data from the victim's PC and push new malicious files to infected machines with little effort. Because Telegram is a legitimate, widely used service, the implant's traffic also blends in with ordinary application traffic and is rarely blocked by corporate security tools.
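The Telegram C&C channel described above and in the paragraph on why the attackers chose Telegram is also the most practical place to hunt for this kind of implant. The following is an added example, not code from the article or from Check Point: it runs a detection rule over a few constructed egress-proxy records. The rule rests on one assumption stated in Check Point's analysis, that the RAT talks to an operator-created bot through Telegram's HTTPS bot API at api.telegram.org, whose request paths have the form /bot<numeric id>:<secret>/<method>. End-user Telegram clients do not use that API, so any workstation process issuing bot-token requests is worth an alert. The log format, host names, process names and bot tokens are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of egress-proxy records (not real telemetry). Fields:
#   timestamp host process dest_host dest_port method path
SAMPLE_LOG = """\
2021-04-20T10:01:02Z ws-042 chrome.exe web.telegram.org 443 GET /
2021-04-20T10:01:05Z ws-042 invoice_2021.exe api.telegram.org 443 GET /bot123456789:AAEabcdefghijklmnopqrstuvwxyz012345/getUpdates
2021-04-20T10:01:09Z ws-042 invoice_2021.exe api.telegram.org 443 POST /bot123456789:AAEabcdefghijklmnopqrstuvwxyz012345/sendDocument
2021-04-20T10:02:00Z ws-017 Telegram.exe 149.154.167.51 443 CONNECT -
2021-04-20T10:03:00Z ws-099 powershell.exe api.telegram.org 443 POST /bot987654321:BBFzyxwvutsrqponmlkjihgfedcba98765432/sendMessage
2021-04-20T10:04:00Z ws-099 powershell.exe api.telegram.org 443 GET /bot987654321:BBFzyxwvutsrqponmlkjihgfedcba98765432/getMe
"""

BOT_API_HOST = "api.telegram.org"
# Bot API request paths have the form /bot<numeric bot id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")
# Methods an implant needs to poll for operator commands and push loot back.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "sendPhoto",
              "sendAudio", "sendVideo"}


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    bot_id: str      # numeric half only; the secret half of the token stays out of alerts
    method: str
    severity: str


def parse_record(line: str) -> Optional[dict]:
    """Split one whitespace-delimited record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, process, dest, port, verb, path = parts
    return {"ts": ts, "host": host, "process": process, "dest": dest,
            "port": port, "verb": verb, "path": path}


def classify(rec: dict) -> Optional[Alert]:
    """Alert on any bot API call. Web/desktop Telegram clients never hit
    bot-token paths, so a workstation process doing so is driving a bot."""
    if rec["dest"].lower() != BOT_API_HOST:
        return None
    m = BOT_PATH.match(rec["path"])
    if not m:
        return None
    bot_id, _secret, method = m.groups()
    severity = "high" if method in C2_METHODS else "medium"
    return Alert(rec["host"], rec["process"], bot_id, method, severity)


def hunt_telegram_c2(log: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group by (host, process, bot id) so one compromised machine is one finding."""
    grouped: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for a in alerts:
        grouped[(a.host, a.process, a.bot_id)].append(a.method)
    return dict(grouped)


if __name__ == "__main__":
    found = hunt_telegram_c2(SAMPLE_LOG)
    for (host, process, bot_id), methods in summarize(found).items():
        print(f"{host} {process} -> bot {bot_id}: {', '.join(methods)}")
```

Two design points matter in practice. The rule keys on the bot-token path, not on the domain alone, so a browser opening web.telegram.org or the desktop client connecting to Telegram's MTProto servers produces no alert. And the numeric bot id is kept in the alert while the secret half of the token is dropped: the id is enough to correlate infected hosts that share an operator, and the full token is a credential you do not want copied into every SIEM dashboard.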
Researchers urge vigilance when scrutinising email. Before engaging with a suspicious message, check its recipient line, Check Point advised.
If no recipient is named, or the recipient is shown as unlisted or undisclosed, the email is likely a phishing or malicious message. The same pattern also appears in legitimate bulk mail sent via Bcc, so treat it as one signal to weigh alongside the sender and the attachment type rather than as proof on its own.
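The recipient-line check above, together with the .exe-attachment lure described at the top of the article, can be automated at the mail gateway. What follows is an added example, not code from the article or from Check Point: it parses two constructed messages with Python's standard email package and returns findings for an empty or undisclosed recipient list and for attachments whose extension marks them as Windows executables. The extension list goes beyond the article's .exe to other directly executable types; the sender, recipient and file names are all made up for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Constructed sample messages (not real mail). PHISH mirrors the lure shape in
# the article: an undisclosed-recipients group plus an .exe attachment.
PHISH = """\
From: "Accounts Payable" <ap@example.net>
To: undisclosed-recipients:;
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please find the invoice attached.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

LEGIT = """\
From: "Bob" <bob@example.org>
To: "Alice" <alice@example.org>
Subject: Q1 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Report attached.
--b2
Content-Type: application/pdf; name="q1.pdf"
Content-Disposition: attachment; filename="q1.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

# Extensions Windows will execute directly when double-clicked (an assumed
# list for this example; extend it to match your own gateway policy).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat",
             ".js", ".jse", ".vbs", ".wsf"}


def parse(raw: str) -> EmailMessage:
    # policy.default gives structured header objects and iter_attachments().
    return email.message_from_string(raw, policy=policy.default)


def named_recipients(msg: EmailMessage) -> List[str]:
    """Mailboxes actually listed in To/Cc. An empty RFC 5322 group such as
    'undisclosed-recipients:;' parses to zero addresses, as does a missing header."""
    out: List[str] = []
    for hdr in ("To", "Cc"):
        for h in msg.get_all(hdr, []):
            out.extend(a.addr_spec for a in h.addresses)
    return out


def executable_attachments(msg: EmailMessage) -> List[str]:
    """Attachment file names whose extension is on the executable list."""
    names: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXEC_EXTS:
            names.append(name)
    return names


def triage(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = parse(raw)
    findings: List[str] = []
    if not named_recipients(msg):
        findings.append("no named recipient (missing To/Cc or undisclosed-recipients group)")
    for name in executable_attachments(msg):
        findings.append(f"executable attachment: {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(raw) or ["clean"])
```

The recipient check deliberately counts parsed addresses rather than looking for the literal string "undisclosed", so a To header that is absent, empty, or written as any empty group is treated the same way. The attachment check looks at the declared file name only; a gateway that wants to catch a renamed executable would additionally inspect the decoded payload for an MZ header, which this example does not do.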