Tox is a peer-to-peer serverless instant messaging services that uses NaCl for encryption and decryption.
Uptycs researchers reported that threat actors have started using the Tox peer-to-peer instant messaging service as a command-and-control server. Tox has been used in the last months by threat actors as a communication channel between ransomware gangs and their victims.
The researchers recently discovered an ELF sample that acts as a bot and can run scripts on the victim machine using the Tox protocol.
The binary is written in C and has only statically linked the c-toxcore library.
The shell_script variable analyzed by the experts kills certain programs that are known to infect linux servers and deletes the crontab, which is often used by malicious code to maintain persistence. A function called start_routine1 opens a file with a random filename in /var/tmp/ and dumps the contents of shell_script in there and later executes it.
Experts reported that the dropped shell script contains commands to kill processes associated with cryptominer.
The pthread_create in the main function also called the rstart_routine2 function which sends the output of every command over UDP to the Tox recipient. The function could execute multiple commands on the machine, including nproc, whoami, and machine-id.
The main function also includes a set of functions to set up the P2P instant messaging service on the victim’s machine, such as tox_new, tox_self_set_name, and tox_self_set_status_message.
“While the discussed sample does not do anything explicitly malicious, we feel that it might be a component of a coinminer campaign. We are observing it for the first time where Tox protocol is used to run scripts onto the machine.” concludes the report. “We have seen attackers using Tox as a communication mechanism in the past, like in HelloXD ransomware, where the attacker used Tox and onion-based messengers. Therefore, it becomes important to monitor the network components involved in the attack chains.“
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, bot)
[adrotate banner=”5″]
[adrotate banner=”13″]