Threat Thursday: This RAT Keeps a ToxicEye on Your Data

The sample we analyzed contains an anti-analysis mechanism that checks whether it is running in a virtual environment, and it also checks for antivirus products installed on the user's machine.

The malware abuses the Telegram messaging platform as its command and control (C2) server. It harvests a treasure trove of valuable content from the victim's local machine, including the user's hostname, username, passwords, Internet browsing history, desktop contents, saved bookmarks, cookies, and any credit card data stored in the user's web browser. It can also perform keystroke logging and can listen or record through the user's microphone. Exfiltrated data is uploaded from the victim's machine to the attacker's Telegram account.

ToxicEye RAT was first seen in the wild in mid-2020. It has data exfiltration, keylogging, and spyware functionality. The source code is publicly available on GitHub, published by LimerBoy, aka Imperator Vladimir from Ukraine.

Risk and Impact

ToxicEye is written in C++ and compiled as a .NET executable that is only about 112 KB. The file itself is not obfuscated or packed.

During static analysis, strings within the file reveal a lot of keylogging- and spyware-type functionality.

Each sample contains the attacker's Telegram token and Telegram Chat ID, which are added by the threat actor during compilation.

The sample's anti-analysis mechanism checks whether it is being run in a virtual environment. First, it looks for VMware or VirtualBox.

It also checks whether it is being run in Sandboxie.

The sample uses an 'AutoStealer' class whose 'steal()' function starts a new thread and calls each of the stealer classes in turn to collect a variety of data from web browsers.

To harvest passwords, ToxicEye navigates to the 'User Data\Default\Login Data' location for each browser. It harvests the user's hostname, username, and passwords, which it then saves in a file called 'passwords.txt'. The malware then invokes a function called 'UploadFile' and uploads the 'passwords.txt' file to the attacker's Telegram account with chat ID - 1550568100.

Figure 11: UploadFile function

To harvest credit cards, the malware navigates to 'User Data\Default\Web Data'. It then iterates through each browser looking for the credit card number, name, expiry year, and expiry month. All of this information is saved as 'credit_cards.txt' and uploaded to the attacker's Telegram account.

To obtain a user's web history, the malware navigates to 'User Data\Default\History' and iterates through each browser. It looks for the URL, title, visit count, and date, and saves that output to a file called 'history.txt', which is then uploaded to the attacker's Telegram account.

ToxicEye performs a similar action with bookmarks by navigating to 'User Data\Default\Bookmarks' and looking for the URL, name, and date each bookmark was added. It then saves everything as 'bookmarks.txt', and the text file is uploaded to the attacker's Telegram account.

By navigating to 'User Data\Default\Cookies', ToxicEye iterates through each browser looking for each cookie's value, host, name, path, expiry date, and secure flag. All of this data is saved as 'cookies.txt' and uploaded to the attacker's Telegram account.

ToxicEye also creates a copy of the victim's Desktop by compressing its contents into a file called 'desktop.zip', which is then uploaded to the attacker's account and deleted from the victim's machine.

The malware then checks to see if FileZilla is installed. If it is not, it will send a message to the attacker stating that 'FileZilla is not installed'. If FileZilla is present, the malware checks for the presence of 'sitemanager.xml' and 'recentserver.xml' to get the user's FileZilla login credentials. If this is successful, the credentials are saved as 'filezilla.txt' and uploaded to the attacker.

ToxicEye then checks whether a Telegram session can be found. If it can, the malware navigates to 'Telegram Desktop\tdata', compresses the contents as 'Documents.zip' and uploads it to the attacker's account, then deletes the 'tdata.zip' from the victim's machine.

To obtain a Discord token, the malware checks for the presence of the 'discord\Local Storage\leveldb' path, looking for an LDB file containing the string 'token'. If this is found, a message is sent back to the attacker containing the victim's Discord token.

The malware then checks for the presence of a Steam process. If it can't locate this process, it sends back a message to the attacker stating that a Steam process is not running. However, if the malware can locate this process, it looks for an 'ssfn*' file (which is Steam's authorization file), a 'config\loginusers.*' file, and a 'config\config.*' file. All of these files are then zipped together into a file called 'steam.zip'. This ZIP file is uploaded to the attacker's Telegram account and, once it has been uploaded, deleted from the victim's machine.
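The string-level indicators described above, the embedded Telegram token and chat ID and the hard-coded exfiltration file names, are enough for a static triage check. The following Python scanner is an added example, not code from this post or from the ToxicEye project; the Telegram token regex, the scoring threshold, and the sample bytes it scans are assumptions constructed for the example.

```python
import re

# Commonly observed Telegram bot-token shape (assumption, not taken from the post):
# an 8-10 digit bot id, a colon, then a 35-character secret.
TELEGRAM_TOKEN_RE = re.compile(rb"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

# Exfiltration file names and browser/FTP artifact paths named in the analysis above.
ARTIFACT_NAMES = [b"passwords.txt", b"credit_cards.txt", b"history.txt", b"bookmarks.txt",
                  b"cookies.txt", b"desktop.zip", b"filezilla.txt", b"steam.zip", b"tdata.zip"]
TARGET_PATHS = [b"Login Data", b"Web Data", b"Cookies", b"sitemanager.xml", b"recentserver.xml"]


def extract_strings(data: bytes, min_len: int = 6):
    """Yield printable ASCII runs and UTF-16LE runs (.NET string literals are UTF-16LE)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16le").encode()


def triage(data: bytes) -> dict:
    """Score a file by the ToxicEye indicators discussed above; the threshold is an assumption."""
    blob = b"\n".join(extract_strings(data))
    tokens = sorted({m.decode() for m in TELEGRAM_TOKEN_RE.findall(blob)})
    artifacts = sorted(n.decode() for n in ARTIFACT_NAMES if n in blob)
    paths = sorted(p.decode() for p in TARGET_PATHS if p in blob)
    telegram_api = b"api.telegram.org" in blob
    # Weight the embedded token and the C2 host highest: together they mark a Telegram-controlled RAT.
    score = 3 * len(tokens) + (2 if telegram_api else 0) + len(artifacts) + len(paths)
    return {"telegram_tokens": tokens, "telegram_api": telegram_api, "artifacts": artifacts,
            "target_paths": paths, "score": score, "suspicious": score >= 5}


def constructed_sample() -> bytes:
    """Constructed stand-in for a .NET binary (not a real ToxicEye sample; the token is fake)."""
    literals = ["https://api.telegram.org/bot123456789:AAFakeTokenForTestingOnly0000000000/sendDocument",
                "\\User Data\\Default\\Login Data", "passwords.txt", "cookies.txt", "desktop.zip"]
    body = b"MZ\x90\x00" + b"\x00" * 16
    for s in literals:
        body += s.encode("utf-16le") + b"\x00\x00" + bytes(range(1, 8))  # terminator plus junk
    return body + b"This program cannot be run in DOS mode."


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Run it against a file with `triage(open(path, "rb").read())`; a hit on the token pattern is worth treating as an IoC in its own right, since the bot token identifies the attacker's C2 channel.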

The malware also has a variety of other capabilities, such as:

- Privilege escalation
- Uninstalling itself from the victim's system
- Installing or uninstalling autoruns
- Enumerating the host to obtain the CPU and GPU name
- Determining the amount of RAM in the target machine
- Obtaining the hardware identification (HWID), OS version, and architecture
- Checking for an Internet connection
- Downloading additional files (for example, 'CommandCam.exe', which is a command-line web camera image grabber)
- Listening and recording through the microphone
- Performing keystroke logging

At the end of its execution, ToxicEye causes a blue screen error (BSOD) on the machine.

