CyberEye Campaign Uncovered: .NET RAT Targets Credentials & Sessions via Telegram API


CyberEye (aka TelegramRAT) is a .NET-based Remote Access Trojan (RAT) with modular capabilities designed for data theft, surveillance, and stealthy persistence. Built with a user-friendly GUI, it allows adversaries to generate customized payloads through a builder interface. It abuses the Telegram Bot API for command-and-control, removing the need for attacker-owned infrastructure and making attribution and detection more difficult.

Severity Level: High

Threat Overview

1. Threat Actor: Associated with aliases @cisamu123 and @CodQu, active on GitHub and Telegram

2. CyberEye RAT Capabilities:

  • Keylogging, screenshot capture
  • Remote shell, file manipulation
  • Persistence via registry
  • Download and execution of additional payloads
  • Evasion via process hollowing and anti-VM checks

3. Affected Regions: Asia-Pacific, Eastern Europe, South Asia, Middle East.

4. Affected Sectors: Government & Defense, Manufacturing, Telecom, Financial Services, Healthcare, Energy.

Attack Flow

1. Delivery & Execution: CyberEye is delivered through spear-phishing campaigns or malicious attachments, often masquerading as legitimate files. The attacker may also use cracked RAT builders or compromised sites to propagate the tool. Execution of the delivered .exe file begins the infection.

2. Installation & Persistence: Drops a copy of itself into a hidden folder under %AppData%. Registers a scheduled task named “Chrome Update”. Attempts a UAC bypass if administrative privileges are required.

3. Command and Control: Establishes communication via the Telegram Bot API. Waits for commands such as /computerinfo, /keylogger_on, etc. Sends back stolen data (e.g., credentials, cookies, Telegram tdata folders).

4. Privilege Escalation: Built-in UAC bypass modules allow privilege escalation for deeper system access. Uses system calls to relaunch itself with elevated privileges.

5. Defense Evasion: CyberEye supports obfuscation, anti-VM/sandbox, anti-debugging, and encryption techniques to avoid detection. The builder enables creation of fully undetectable (FUD) binaries.

6. Collection & Exfiltration: CyberEye collects system information, browser data, screenshots, session tokens, webcam captures, and sensitive files. Compresses the stolen content and sends it via the Telegram API. Monitors the clipboard and hijacks cryptocurrency wallet addresses.

Recommendations

  1. Block Telegram Bot API traffic at the firewall or proxy level.
  2. Use SSL/TLS inspection to detect and alert on Telegram traffic over HTTP(S) from endpoints not whitelisted for Telegram use.
  3. Implement DNS filtering to detect unusual resolutions of Telegram-related domains from endpoints that shouldn’t use them.
  4. Disable PowerShell for non-admin users or use Constrained Language Mode to prevent execution of Defender-tampering scripts.
  5. Enforce strict policies to block ilasm.exe (the .NET IL assembler) or monitor its invocation. This tool is used to compile IL code into malware executables.
  6. Use Application Control/Whitelisting (e.g., AppLocker or WDAC) to prevent unauthorized execution from AppData, Temp, or other non-standard locations.
  7. Clear browser-stored credentials and encourage the use of secure password managers.
  8. Deploy endpoint protection that monitors access to Chrome, Edge, or Opera SQLite credential stores (Login Data, Cookies, Web Data).
  9. Detect unauthorized access or copying of tdata (Telegram), Local Storage (Discord), and loginusers.vdf (Steam).
  10. Educate users about the risks of executing unknown .exe files received through email, chat, or file-sharing platforms.
  11. Regularly audit installed software to identify and remove unauthorized .NET-based tools that may act as malware builders.
  12. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/b09848a5fbafa1024baccf559f917481d50afc47205ba64227e5d7629e557f5f/iocs
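Sample detection logic for recommendations 2 and 3 (Telegram Bot API calls from hosts not allowlisted for Telegram) and for the fake “Chrome Update” scheduled task described in attack-flow step 2, as an added example that is not part of this advisory. The proxy log format (`<host> <url>`), the allowlist, and all sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Hosts permitted to reach the Telegram Bot API (assumed allowlist).
TELEGRAM_ALLOWLIST = {"comms-gw01"}

# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/(\w+)", re.I)

# User-writable drop locations named in the advisory's recommendations.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp)\\", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_proxy_log(lines):
    """Flag Bot API calls from hosts not allowlisted. Assumed line format: '<host> <url>'."""
    findings = []
    for line in lines:
        host, _, url = line.strip().partition(" ")
        m = TELEGRAM_BOT_RE.search(url)
        if m and host not in TELEGRAM_ALLOWLIST:
            findings.append(Finding(host, "telegram-bot-c2", f"method={m.group(1)}"))
    return findings


def check_scheduled_tasks(tasks):
    """Flag 'Chrome Update' tasks whose action runs from AppData or Temp. tasks: (host, name, action)."""
    findings = []
    for host, name, action in tasks:
        if "chrome update" in name.lower() and USER_WRITABLE_RE.search(action):
            findings.append(Finding(host, "fake-chrome-update-task", action))
    return findings


# Constructed sample data, not real telemetry.
SAMPLE_PROXY = [
    "ws-fin-07 https://api.telegram.org/bot123456:ABCDEF/getUpdates",
    "comms-gw01 https://api.telegram.org/bot987654:XYZ/sendMessage",
    "ws-hr-02 https://www.google.com/",
]
SAMPLE_TASKS = [
    ("ws-fin-07", "Chrome Update", r"C:\Users\j.doe\AppData\Roaming\svc\chrome.exe"),
    ("ws-hr-02", "Chrome Update", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
]

if __name__ == "__main__":
    for f in check_proxy_log(SAMPLE_PROXY) + check_scheduled_tasks(SAMPLE_TASKS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

The second sample task keeps the suspicious name but runs from Program Files, showing that the action path, not the task name alone, drives the alert.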

Source:

  • https://gbhackers.com/windows-defender-bypass-using-powershell-and-registry-edits/
  • https://www.cyfirma.com/research/understanding-cybereye-rat-builder-capabilities-and-implications/

Ampcus Cyber