Tox Messenger and How Cybercriminals Exploit It

Introduction

The cyber threat landscape has evolved significantly in recent years, with threat actors constantly finding new ways to exploit vulnerabilities and carry out malicious activities. Ransomware groups are on the rise, and hardly a day passes without news of another organization falling victim. One tool that has emerged in the underground cybercriminal ecosystem is Tox Messenger, which is often used for communication between ransomware groups and their victims.

The Transformation of Tox Messenger

Tox Messenger was initially designed as a secure and decentralized communication platform, offering users end-to-end encryption and anonymity. Its main goal was to provide an alternative to traditional messaging apps that relied on centralized servers vulnerable to surveillance and data breaches. However, cybercriminals quickly recognized the potential of Tox Messenger as a covert communication channel for their malicious operations.

Researchers from Uptycs, a leading cybersecurity firm, recently discovered that threat actors now use Tox Messenger as a command-and-control (C2) server. This shift in usage marks a significant development in the capabilities of Tox Messenger and poses new challenges for cybersecurity professionals and law enforcement agencies worldwide.

Unveiling the Tox Messenger C2 Infrastructure

Uptycs researchers stumbled upon this new malicious application of Tox Messenger while analyzing an Executable and Linkable Format (ELF) artifact called “72client.” This artifact, which exhibits bot and script execution functionality, was found to be associated with the c-toxcore library, a reference implementation of Tox Messenger. The researchers noted that the binary was written in C and statically linked to the c-toxcore library, making it easier to decompile and analyze.

Further investigation revealed that the ELF file had the ability to write a shell script to the “/var/tmp/” directory, commonly used for temporary file creation in Linux systems. The shell script could then execute commands to terminate processes related to cryptocurrency mining, indicating a potential connection to coinminer campaigns. Additionally, the ELF file could receive various commands through Tox Messenger, allowing threat actors to update the shell script or execute commands on the compromised system.

Analyzing the Implications

While the identified sample does not exhibit explicit malicious behavior, it appears to be a crucial component of a larger coinminer campaign. The use of Tox Messenger as a C2 server enables threat actors to maintain covert communication channels and issue commands to compromised systems without relying on traditional centralized infrastructure. This decentralized approach complicates detection and investigation efforts for cybersecurity professionals, because there is no single server to block or take down.

The researchers at Uptycs emphasized the importance of monitoring network components involved in the attack chains leveraging Tox Messenger. By understanding the techniques and infrastructure employed by threat actors, cybersecurity teams can enhance their threat-hunting capabilities and develop more effective mitigation strategies.
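The artifact described above (a statically linked c-toxcore client that drops a shell script under /var/tmp/ and kills mining processes) lends itself to a simple static triage check of the kind a threat-hunting team might run over suspicious ELF files. The script below is an added example written for this article; it is not code from the Uptycs research or from the c-toxcore project. The c-toxcore function names it looks for are the library's public API names and are assumed to survive only in unstripped binaries; the scoring thresholds and the sample byte buffers are this example's own constructions.

```python
import re

ELF_MAGIC = b"\x7fELF"

# Public c-toxcore API function names. Assumption: an unstripped, statically
# linked binary keeps them as symbol strings; a stripped sample would not.
TOXCORE_SYMBOLS = (
    b"tox_new",
    b"tox_bootstrap",
    b"tox_iterate",
    b"tox_self_get_address",
    b"tox_friend_send_message",
    b"tox_callback_friend_message",
)
# Behaviours reported for the 72client sample: a script dropped under
# /var/tmp/ that terminates mining-related processes.
DROP_DIR = b"/var/tmp/"
SHEBANGS = (b"#!/bin/sh", b"#!/bin/bash")
PROCESS_KILLERS = (b"pkill", b"killall", b"kill -9")


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(data: bytes) -> dict:
    """Score raw file bytes for the Tox-C2 plus dropped-script pattern.

    The weights and the 'review' threshold are this example's own choice,
    not a vendor detection rule; hits are a reason to look closer, not proof.
    """
    result = {
        "is_elf": data.startswith(ELF_MAGIC),
        "toxcore_symbols": [],
        "drop_dir": False,
        "embedded_script": False,
        "kills_processes": False,
        "score": 0,
    }
    if not result["is_elf"]:
        result["verdict"] = "not-elf"
        return result

    joined = b"\n".join(extract_strings(data))
    result["toxcore_symbols"] = [s.decode() for s in TOXCORE_SYMBOLS if s in joined]
    result["drop_dir"] = DROP_DIR in joined
    result["embedded_script"] = any(s in joined for s in SHEBANGS)
    result["kills_processes"] = any(k in joined for k in PROCESS_KILLERS)

    score = 0
    if len(result["toxcore_symbols"]) >= 2:
        score += 3  # a Tox client stack inside a binary that is not a messenger
    if result["drop_dir"]:
        score += 1
    if result["embedded_script"]:
        score += 1
    if result["kills_processes"]:
        score += 1
    result["score"] = score
    result["verdict"] = "review" if score >= 4 else ("low" if score else "clean")
    return result


def triage_file(path: str) -> dict:
    """Convenience wrapper for running triage() over a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample buffers (not real malware): a fake ELF header followed by
# the indicator strings, and a benign buffer with none of them.
SAMPLE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    + b"\x00tox_new\x00tox_bootstrap\x00tox_iterate\x00"
    + b"/var/tmp/\x00"
    + b"#!/bin/sh\npkill -f miner\n\x00"
    + b"\x90" * 32
)
BENIGN = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x00hello world\x00"

if __name__ == "__main__":
    print(triage(SAMPLE))   # verdict: review
    print(triage(BENIGN))   # verdict: clean
```

The check is deliberately string-based so it can run on a sample collected from a hunt without executing it; in practice it would be paired with network monitoring for the Tox DHT bootstrap traffic the article's researchers recommend watching.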

In Short

The repurposing of Tox Messenger as a command-and-control server by threat actors highlights the constant evolution and adaptation of cybercriminal tactics. As cybersecurity professionals and organizations strive to stay ahead of these threats, it is crucial to remain vigilant, collaborate with peers, and leverage threat intelligence to identify and mitigate potential risks.

By understanding the techniques and infrastructure employed by threat actors, security teams can develop effective defense strategies and enhance their incident response capabilities. Defending against cyber threats is an ongoing effort, and continuous learning, collaboration, and information sharing are key to staying one step ahead of the adversaries.