Ransomware, Threat Management

Tox messenger leveraged as C2 server in new attack

The Hacker News reports that the peer-to-peer instant messaging service Tox is now being used by threat actors as a command-and-control server, rather than only as a channel for communicating with victims during ransomware negotiations. Uptycs researchers discovered this use of Tox after identifying '72client', an Executable and Linkable Format (ELF) artifact that provides bot and script execution functionality on compromised systems over Tox. The report showed that the C-based binary was associated with the c-toxcore library, the reference implementation of Tox. The researchers also found that a shell script within the ELF file launched commands that killed cryptominer-related processes. Other commands could be received over Tox as well, and the bot could be shut down with an 'exit' command. "While the discussed sample does not do anything explicitly malicious, we feel that it might be a component of a coinminer campaign. Therefore, it becomes important to monitor the network components involved in the attack chains," said researchers.
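A defender-side triage heuristic for the behaviour described above: flag ELF files that carry both c-toxcore API symbol names and an embedded shell script that kills processes. This is an added example, not code from Uptycs, SC Media or the c-toxcore project; the marker lists are an assumption (the tox_* names come from c-toxcore's public header), and the sample bytes are constructed, not the real 72client.

```python
"""Hunt for ELF binaries that embed the c-toxcore API plus an inline shell script.

Added example. The marker-based heuristic is an assumption; real triage would
also review network activity toward Tox DHT bootstrap nodes.
"""

ELF_MAGIC = b"\x7fELF"

# Public c-toxcore API names (from tox.h); a statically linked Tox client
# normally carries them as plain strings in the binary.
TOX_API_MARKERS = (b"tox_new", b"tox_bootstrap", b"tox_iterate",
                   b"tox_friend_send_message", b"tox_self_get_address")

# Shell-script fragments: a shebang plus process-killing commands, matching
# the embedded miner-killer script the report describes.
SHELL_MARKERS = (b"#!/bin/sh", b"#!/bin/bash", b"pkill", b"killall", b"kill -9")


def scan_elf(data: bytes) -> dict:
    """Return the indicator groups found; an empty dict if the data is not ELF."""
    if not data.startswith(ELF_MAGIC):
        return {}
    tox_hits = sorted({m.decode() for m in TOX_API_MARKERS if m in data})
    shell_hits = sorted({m.decode() for m in SHELL_MARKERS if m in data})
    return {
        "tox_api": tox_hits,
        "embedded_shell": shell_hits,
        # Both groups together is the signal worth escalating; either alone
        # is common in legitimate software.
        "suspicious": bool(tox_hits) and bool(shell_hits),
    }


# Constructed sample bytes standing in for files on disk (not the real artifact).
SUSPECT = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
           + b"tox_new\x00tox_bootstrap\x00tox_iterate\x00"
           + b"#!/bin/sh\npkill -f miner\nkill -9 $(pidof minerd)\nexit 0\n")
BENIGN = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"libc.so.6\x00printf\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, scan_elf(blob))
```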
