ToxicEye Malware: Features and Analysis

ToxicEye Malware is an advanced type of malware currently active all around the world. In this analysis we delve deep inside it’s core to better understand it’s modus operandi and how to defeat it.

ToxicEye Malware: Basic Features

ToxicEye Malware: Using Telegram bot as a C&C server

Telegram is the encrypted messaging service and  malware that uses Telegram as a command and control channel typically uses the Telegram Bot API for communications.

ToxicEye Malware

ToxicEye Malware: Remote control

ToxicEye use spyware functions and grab victims webcam, desktop screenshots, audio records and compress as zip archive those stolen files for sending back to attacker.

ToxicEye Malware

ToxicEye Malware: Keylogger

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program.

ToxicEye Malware

ToxicEye Malware: Password and Document stealer

After victim clicks to the Malware our attacker can collect various saved data from users machine such as Documents,Credit Cards,Steam,Discord,Telegram, FileZilla and Browser data (Cookies,History,Bookmarks,Passwords) , malware author also scan most used web browser and target them too (Opera, Brave, Yandex etc …) by their default paths on Windows machine.

ToxicEye Malware

ToxicEye Malware: Ransomware (*crypt)

Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment. ToxicEye found and encrypts most important files for victim as shown in source code, also there is different types of crypto money address for receive money from victim.

ToxicEye Malware

Easy to use for Script Kiddie

Open source malware samples often use guide, user manuals or compiling guide for the attackers and this tools can really harm victims they are not really sophisticated and easy to use but at the end this tools are open in public and even 13 years old can change the source code and use various packer or obfustication techniques for spreading.

ToxicEye Malware

Browser History stealer

Attacker also get browser history data the main reason for doing this sometimes victim put their passwords on unsecure web sites and those web sites store users password on plaint text in URL or secret user tokens (often peoples use one password in each accounts) also this can be really powerful intelligence gathering for the victim and attacker can demonstrate some Phishing attack for victim or victims friends.

ToxicEye Malware

ToxicEye Malware: Static Properties Analysis

File Identifier : Generic CIL Executable (.NET, Mono, etc.)

Hash :

MD5    01D96B9F56AF9F1707710AFA9BCF0DE4

SHA1  FCDA030D6DA2CC5CF54693940439789713C5B635

IP Traffic:

173.194.214.139 (ICMP)  –  “google.com”

149.154.167.220 (ICMP)  –  “telegram.org”

149.154.167.220:443 (TCP) – “telegram.org”

ToxicEye Malware: Behavior Analysis

Found potential URL in binary/memory (https://ghostbin.co/paste/6bn6p):

Those URL’s contain as plaintext as shown in blow and malware use those link to perform attacks , gathering information from victim machine and for C&C server using Telegram API.

ToxicEye Malware

Interesting Strings (https://ghostbin.co/paste/z29gm):

Persistence via Windows Task Scheduler and hide as a Chrome Update.

“C:\Windows\System32\schtasks.exe” /create /f /sc ONLOGON /RL HIGHEST /tn “Chrome Update” /tr “C:\Users\ToxicEye\rat.exe”

 

Dropper

C:\Users\ToxicEye\rat.exe

 

Delete specific temp file

“C:\Windows\System32\cmd.exe” /C C:\Users\admin\AppData\Local\Temp\tmp3E0C.tmp.bat & Del C:\Users\admin\AppData\Local\Temp\tmp3E0C.tmp.bat

 

Kill TelegramRat.exe in process tree and start rat.exe

Tasklist  /fi “PID eq 3568”

 

Various interesting strings for attack vectors

\\CommandCam.exe

\\discord\\Local Storage\\leveldb\\

\\FileZilla\\

\\fmedia\\

\\keylogs

\\keylogs.txt

\\Local State

\\root\\SecurityCenter2

\\tdata\\

\\Telegram Desktop\\tdata\\

\\User Data\\Default\\Bookmarks

\\User Data\\Default\\Cookies

\\User Data\\Default\\History

\\User Data\\Default\\Login Data

\\User Data\\Default\\Web data

\CommandCam.exe

\keylogs.txt

[!] Failed load libraries, not connected to internet!

[!] Retrying connect to api.telegram.org

[!] Retrying connect to internet…

[!] Shutdown signal received..

[!] Stopping command listener thread

[+] Clipper is starting…

[+] Connected to api.telegram.org

[+] Copying to system…

[+] Installing to autorun…

[+] Process checker started

[+] Restarting command listener thread

[+] Set

Touches files in the Windows directory (https://ghostbin.co/paste/zdfob):

This files are Windows OS files and malware can reach them for getting more information about system

ToxicEye Malware

Reads information about supported languages:

Windows have default Registry for store data about OS and other software’s Malwares often use those and manipulate specific strings, collect data about victim machine, make persistence itself and much more.

“TelegramRAT.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE”; Key: “00000409”)

 

 

 

 

Possibly tries to implement anti-virtualization techniques:

ToxicEye have some interesting feature for make hard to analyses, attacker can manage this in config file, malware don’t start on VirtualBox environments and we use these environments for avoid infect my machine and make analyses more secure way.

 

“inSandboxie” (Indicator: “sandboxie”)
“PreventStartOnVirtualMachine” (Indicator: “virtualmachine”)
“inVirtualBox” (Indicator: “virtualbox”)
“Sandboxie:” (Indicator: “sandboxie”)
“VirtualBox:” (Indicator: “virtualbox”)
“VirtualBox” (Indicator: “virtualbox”)
“\nSandboxie:” (Indicator: “sandboxie”)
“\nVirtualBox:” (Indicator: “virtualbox”)
“vmware” (Indicator: “vmware”)
“VMware” (Indicator: “vmware”)
“VBox” (Indicator: “vbox”)

 

Try to find .dll used on SandBox’s and search Strings used from VirtualBox (VIRTUAL,Vbox,vmware,etc…) for avoid Malware Analysis and not start in those systems (attacker can change this option as an settings in config file ).

ToxicEye Malware

Try to checks for the presence of an Antivirus engine:

Attacker can see which Anti Virus product used on victim machine.

“DetectAntivirus” (Indicator: “antivirus”)
“Comodo” (Indicator: “comodo”)

 

Try to elevate privileges:

Sometimes attacker needs some privileges for access and control the machine if victim machine not have admin rights on device try to make him admin but this option didn’t work on my test Windows 10 machine . ToxicEye Malware

Command and Control Commands (Full features of ToxicEye):

Those commands are sent by the attacker from Telegram app BOT and attacker can receive data from victim machine using Telegram API.

Telegram.sendText(

“\n 🌎 INFORMATION:” +

“\n /ComputerInfo” +

“\n /BatteryInfo” +

“\n /Location” +

“\n /Whois” +

“\n /ActiveWindow” +

“\n” +

“\n🎧 SPYING:” +

“\n /Webcam <camera> <delay>” +

“\n /Microphone <seconds>” +

“\n /Desktop” +

“\n /Keylogger” +

“\n” +

“\n📋 CLIPBOARD:” +

“\n /ClipboardSet <text>” +

“\n /ClipboardGet” +

“\n” +

“\n📊 TASKMANAGER:” +

“\n /ProcessList” +

“\n /ProcessKill <process>” +

“\n /ProcessStart <process>” +

“\n /TaskManagerDisable” +

“\n /TaskManagerEnable” +

“\n” +

“\n /MinimizeAllWindows” +

“\n /MaximizeAllWindows” +

“\n” +

“\n💳 STEALER:” +

“\n /GetPasswords” +

“\n /GetCreditCards” +

“\n /GetHistory” +

“\n /GetBookmarks” +

“\n /GetCookies” +

“\n /GetDesktop” +

“\n /GetFileZilla” +

“\n /GetDiscord” +

“\n /GetTelegram” +

“\n /GetSteam” +

“\n” +

“\n💿 CD-ROM:” +

“\n /OpenCD” +

“\n /CloseCD” +

“\n” +

“\n💼 FILES:” +

“\n /DownloadFile <file/dir>” +

“\n /UploadFile <drop/url>” +

“\n /RunFile <file>” +

“\n /RunFileAdmin <file>” +

“\n /ListFiles <dir>” +

“\n /RemoveFile <file>” +

“\n /RemoveDir <dir>” +

“\n /MoveFile <filr> <file>” +

“\n /CopyFile <file> <file>” +

“\n /MoveDir <dir> <dir>” +

“\n /CopyDir <dir> <dir>” +

“\n” +

“\n🚀 COMMUNICATION:” +

“\n /Speak <text>” +

“\n /Shell <command>” +

“\n /MessageBox <error/info/warn> <text>” +

“\n /OpenURL <url>” +

“\n /SetWallpaper <file>” +

“\n /SendKeyPress <keys>” +

“\n /NetDiscover <to>” +

“\n /Uninstall” +

“\n” +

“\n🔊 AUDIO: ” +

“\n /PlayMusic <file>” +

“\n /AudioVolumeSet <0-100>” +

“\n /AudioVolumeGet” +

“\n” +

“\n💣 EVIL:” +

“\n /BlockInput <seconds>” +

“\n /Monitor <on/off/standby>” +

“\n /DisplayRotate <0,90,180,270>” +

“\n /EncryptFileSystem <password>” +

“\n /DecryptFileSystem <password>” +

“\n /ForkBomb” +

“\n /BSoD” +

“\n /OverwriteBootSector” +

“\n” +

“\n💡 POWER:” +

“\n /Shutdown” +

“\n /Reboot” +

“\n /Hibernate” +

“\n /Logoff” +

“\n” +

“\n💰 OTHER:” +

“\n /Help” +

“\n /About” +

 

Overwrite MBR :

Overwrites the Master Boot Record of a machine and leaving it unbootable , attacker can cause damage on victims machine used for trolling the victims.

ToxicEye Malware

Try to Anti Reverse Engineering:

As an option attacker can choose don’t start the Malware in a virtual machine environment also scan process tree and if there is a packet analyzer such as Wireshark do same maneuver and make harder to analysis.

Steal specific application data:

For identify if user have this Software’s, Malware using default path of this Software’s or process names and if Malware find it try to steal victim credentials and sensitive data.

Telegram:

ToxicEye Malware

 

Steam:

ToxicEye Malware

Spyware:

Malware use third party software’s for Webcam screenshot and Record microphone and save these files inside %TEMP% folder for revive back to attacker with Telegram API , CommandCam.exe and audio.zip downloaded from URLs and executed in system for performing this attacks.

ToxicEye Malware

ToxicEye Malware

MITRE ATT&CK Techniques Detection:

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ToxicEye have those capability’s but specially the Privilege Escalation one not working in Windows 10 machine.

ToxicEye Malware

Weaknesses about this Malware:

1-) Developed with C#.

2-) We can catch important Strings such as (TelegramToken and TelegramChatID) and stop C&C server.

3-) Malware author don’t use any Packer or Obfuscation technique for hide Strings and attack vectors.

4-) Highly flagged as Malware from various Anti-Virus software’s especially same attack vectors used from other Malwares with same source code.

5-) Not tested from different Windows version and not stable for connection with victim.

Cyber Security News 18/01/2021
Cyber Security News 19/01/2021

Pronto intervento Cyber Swascan

Contattaci per un supporto immediato

Il sottoscritto, in qualità di interessato DICHIARA di aver letto e compreso il contenuto della privacy policy ai sensi dell’articolo 13, GDPR. ACCONSENTE al trattamento dei Dati in relazione all’invio da parte del Titolare di comunicazioni afferenti alla gestione di eventuali misure precontrattuali, preordinate alla stipulazione e/o esecuzione del contratto con il Cliente nonché all'adempimento dei relativi obblighi.
Il consenso prestato potrà essere revocato in qualsiasi momento contattando il Titolare ai recapiti presenti nella citata privacy policy.