ToxicEye RAT was first seen in the wild in mid 2020. It has data exfiltration, keylogging, and spyware functionality. The source code is publicly available on GitHub by LimerBoy, aka Imperator Vladimir from Ukraine:

The malware abuses the Telegram messaging platform as its command and control (C2) server. It harvests a treasure trove of valuable content from the victim’s local machine, including the user’s hostname, username, passwords, Internet browsing history, desktop contents, saved bookmarks, cookies, and any credit card data stored in the user’s web browser. It can also perform keystroke logging and can listen or record through the user’s microphone. Exfiltrated data is uploaded from the victim’s machine to the attacker’s Telegram account. The sample we analyzed contains an anti-analysis mechanism that checks whether it is being run in a virtual environment, and also checks for antivirus products installed on the user’s machine.

Operating System

Figure 11: UploadFile function

Data Exfiltration

To harvest credit cards, the malware navigates to “\User Data\Default\Web data\”. It then iterates through each browser looking for the credit card number, name, expiry year, and month. All this information is then saved as “credit_cards.txt” and uploaded to the attacker’s Telegram account.

To obtain a user’s web history, the malware navigates to “User Data\Default\History” and iterates through each browser. It looks for the URL, title, visit count, and date. It saves that output to a file called “history.txt”, which is then uploaded to the attacker’s Telegram account.

ToxicEye performs a similar action with bookmarks by navigating to “User Data\Default\Bookmarks” and looking for the URL, name, and the date the bookmark was added. It then saves everything as “bookmarks.txt”.

By navigating to “User Data\Default\Cookies”, ToxicEye iterates through each browser looking for the cookie value, host, name, path, expiry date, and secure flag. The resulting text file is then uploaded to the attacker’s Telegram account.
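As an added defensive example, not code from the original write-up, the following Python flags a process whose behaviour matches the theft pattern described above: a non-browser process reading several Chromium profile artifacts (Cookies, History, Bookmarks, Web Data), staging the named text files, and connecting to Telegram's Bot API host. The event format, process names, paths and browser allow-list are constructed assumptions for the example.

```python
import re
from collections import defaultdict
# Chromium profile artifacts the RAT reads (names from the analysis above).
ARTIFACT_RE = re.compile(r"\\User Data\\[^\\]+\\(Cookies|History|Bookmarks|Web Data)$", re.I)
STAGED_FILES = {"credit_cards.txt", "history.txt", "bookmarks.txt"}  # staged before upload
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}  # assumed allow-list
TELEGRAM_API = "api.telegram.org"  # Telegram Bot API host

PROFILE = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default"  # constructed path
SAMPLE_EVENTS = [  # constructed telemetry in a made-up "k=v | k=v" format, not real logs
    rf"event=FileRead | proc=chrome.exe | path={PROFILE}\History",
    rf"event=FileRead | proc=updater.exe | path={PROFILE}\Web Data",
    rf"event=FileRead | proc=updater.exe | path={PROFILE}\History",
    rf"event=FileRead | proc=updater.exe | path={PROFILE}\Bookmarks",
    rf"event=FileRead | proc=updater.exe | path={PROFILE}\Cookies",
    r"event=FileWrite | proc=updater.exe | path=C:\Users\a\AppData\Local\Temp\credit_cards.txt",
    r"event=NetConnect | proc=updater.exe | dst=api.telegram.org",
    r"event=NetConnect | proc=Telegram.exe | dst=api.telegram.org",
]

def parse_event(line):
    return dict(tok.split("=", 1) for tok in line.split(" | "))  # one line -> field dict

def find_browser_theft(lines):  # -> {process: [reasons]}, alerts need >= 2 indicators
    reads, writes, telegram = defaultdict(set), defaultdict(set), set()
    for line in lines:
        ev = parse_event(line)
        proc = ev["proc"].lower()
        if ev["event"] == "FileRead":
            m = ARTIFACT_RE.search(ev["path"])
            if m and proc not in BROWSER_PROCESSES:
                reads[proc].add(m.group(1).title())
        elif ev["event"] == "FileWrite":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name in STAGED_FILES:
                writes[proc].add(name)
        elif ev["event"] == "NetConnect" and ev["dst"].lower() == TELEGRAM_API:
            telegram.add(proc)
    alerts = {}
    for proc in set(reads) | set(writes) | telegram:
        reasons = []
        if len(reads[proc]) >= 2:  # a single artifact read is too noisy on its own
            reasons.append(f"reads browser artifacts {sorted(reads[proc])}")
        if writes[proc]:
            reasons.append(f"stages {sorted(writes[proc])}")
        if proc in telegram:
            reasons.append(f"connects to {TELEGRAM_API}")
        if len(reasons) >= 2:  # require corroboration before alerting
            alerts[proc] = reasons
    return alerts
```

Running it over the constructed events flags only the non-browser process; the legitimate browser and Telegram client each trip a single indicator and are left alone.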