ToxicEye Shows Messaging Apps Can Be a Gateway to Cyberattacks

A Remote Access Trojan (RAT) dubbed ‘ToxicEye’ continues to maintain wide popularity in the underground three years after its initial release. This malware, used to infect devices via the Telegram messaging app, provides threat actors complete control over a victim’s device.

Telegram, the most downloaded app across both Android and iOS devices in January 2021, has 500 million monthly users and 55 million daily active users. The application gained significant popularity in early 2021 amid privacy concerns surrounding competitor platform WhatsApp’s policy update, driving users to seek a more secure alternative. Requiring only a mobile number to register a new account, Telegram provides an appealing medium for users seeking to conceal their identity and operate under the cloak of anonymity.

Over the past year, Cybersixgill has collected more than 1.2 billion intelligence items from Telegram to research malicious activity. In most cases, observed threats on this platform involve the sale of compromised payment cards, leaked data and compromised accounts, terrorism and physical threats, among others. The degree of control provided by ToxicEye over victims’ devices, combined with the accessibility of the RAT and the ease of its use for entry-level threat actors, constitute unmistakable reasons for concern. This trojan poses a unique and seemingly perennial threat.

Winning the RAT Race: The Story of ToxicEye

Companies yet to block employee access to at-risk messaging platforms like Telegram on their work devices become especially vulnerable. If an employee opens a malicious link that downloads ToxicEye to their work device, threat actors gain direct access to company data. With internal company data exposed to exploitation, the ramifications could be catastrophic.

The history of RATs

Remote access programs have existed for as long as the advent of the internet itself. Many of the early iterations were built for legitimate purposes, however, it is important to differentiate between a remote access trojan and a remote access administrative tool. The latter is used by system administrators to solve IT problems by gaining access to a user’s computer. The former is inherently malicious in practice, often including features of anonymity, and is installed unbeknownst to users without their consent.

Some of the early RATs were fairly benign, simply designed to allow friends to prank each other by ejecting a disk drive or closing an active software program. Over the years, however, RATs have become popular cyberhacking tools and remain a veritable threat in the modern cyber threatscape. According to researchers, there were roughly 70 RATs circulating in the 2000s, a number that ballooned to more than 250 in the 2010s.

While many RATs wax and wane in popularity, the new generation of malware offers a slew of new features. ElectroRAT, for example, employed a trojan in an attempt to infiltrate digital wallets containing cryptocurrency. ToxicEye, now three years old, was designed with ease of use in mind, which explains why it still has significant traction.

Why ToxicEye is still a threat

Notable dark web forums like “Cracked” and “Raidforums” show ToxicEye is still widely disseminated. As of June 2021, a May 2020 post on “Cracked” that shared ToxicEye remained popular.

ToxicEye still has the potential to cause severe damage to any victim that engages with the trojan. Recent cyberattacks have shown the extent to which companies may be vulnerable and have even inspired proposed legislation, like the “Cyber Incident Notification Act,” which would require companies to disclose to the government when an attack is carried out.

A core priority in the design of ToxicEye was the ease of use for threat actors. As a result, even the most novice threat actor becomes a significant threat, while skilled threat actors become even more dangerous, equipped with a powerful tool capable of turning over total control of a victim’s device and accessing potentially sensitive data. Because this threat remains, it is imperative that companies are vigilant, proactively taking steps to reduce the likelihood of an attack.

Educating employees on how to identify potential threats is only the start. In this particular case, searching for “C:UsersToxicEyerat.exe” would reveal whether or not a device has been infected. Simply defending against the identified trojan, however, is not enough. To defend against new tools and programs gaining traction on the underground, surveillance of threat actors is key. By monitoring the masterminds behind the malware, you gain advanced warnings to emerging threats, thereby allowing you to prepare for the next large spike in attacks.

To learn more about ToxicEye, download our full report.