The Hacker News reports that peer-to-peer instant messaging service Tox is now being used by threat actors as a command-and-control server instead of just a tool for communicating with victims in ransomware negotiations.
Uptycs researchers discovered this use of Tox after identifying '72client', an Executable and Linkable Format (ELF) artifact with bot and script-execution capabilities, on compromised systems communicating over Tox.
The report showed that the C-based binary was associated with the c-toxcore library, a reference implementation of Tox. Researchers also found that a shell script embedded in the ELF file could launch commands that kill cryptominer-related processes. The binary could receive further commands over Tox and could be terminated with an 'exit' command.
"While the discussed sample does not do anything explicitly malicious, we feel that it might be a component of a coinminer campaign. Therefore, it becomes important to monitor the network components involved in the attack chains," said researchers.
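One host-side check that follows from the report is to hunt for ELF binaries that embed the c-toxcore library, since a Tox client has no business sitting on most servers. The script below is an added example written for this digest; it is not Uptycs' tooling and does not reproduce the '72client' sample. It assumes that a binary linked against c-toxcore keeps the library's public API names (tox_new, tox_bootstrap, tox_iterate and similar, from the library's tox.h) in its string table, which holds for unstripped or statically linked builds but not for packed or heavily stripped ones, so it is a triage heuristic rather than a signature. The sample byte strings are constructed for the test.

```python
import os
import re
import sys

# Public c-toxcore API names (declared in tox.h). Finding several of them in
# a binary's printable strings is a heuristic hint that it embeds the library.
TOX_API_MARKERS = (
    b"tox_new",
    b"tox_bootstrap",
    b"tox_iterate",
    b"tox_friend_send_message",
    b"tox_self_get_address",
)

ELF_MAGIC = b"\x7fELF"
# Runs of 6+ printable ASCII bytes, roughly what strings(1) reports.
_STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def extract_strings(data: bytes):
    """Return every printable run of at least six bytes in the blob."""
    return [m.group(0) for m in _STRING_RE.finditer(data)]


def tox_markers_in(data: bytes):
    """Return the sorted c-toxcore API names found in an ELF blob ([] if not ELF)."""
    if not is_elf(data):
        return []
    found = set()
    for s in extract_strings(data):
        for marker in TOX_API_MARKERS:
            if marker in s:
                found.add(marker.decode())
    return sorted(found)


def scan_tree(root: str, min_hits: int = 2):
    """Walk a directory and map each ELF with >= min_hits Tox markers to its markers."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable file, skip it
            markers = tox_markers_in(data)
            if len(markers) >= min_hits:
                hits[path] = markers
    return hits


# Constructed samples: a minimal fake ELF header followed by a few strings,
# standing in for what strings(1) would show on a real binary.
_FAKE_HEADER = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
SAMPLE_SUSPECT = _FAKE_HEADER + b"tox_new\x00tox_bootstrap\x00tox_iterate\x00"
SAMPLE_BENIGN = _FAKE_HEADER + b"__libc_start_main\x00printf\x00"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, markers in scan_tree(root).items():
        print(f"{path}: {', '.join(markers)}")
```

Run it as `python tox_hunt.py /usr/local/bin` (or any directory where untrusted binaries turn up); requiring at least two distinct API names keeps a single coincidental string from raising a hit. Anything it flags still needs confirmation, for example by checking whether the process is actually bound to network sockets.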
Significant concerns have been raised by cybersecurity experts over the leak of the LockBit 3.0 ransomware encryptor, which could be leveraged by other threat groups to create their own operations, reports The Record, a news site by cybersecurity firm Recorded Future.