Intro
Note: For the samples mentioned in here, I haven't spent much time doing in-depth analysis so I'm not super confident in my analysis. I was not able to find any sandbox results showing the samples running and getting instructions. (also I'm on vacation. I just found this idea interesting and wanted to get this blog post pushed out)
This is me. I'm not a professional malware analyst or threat intel person:
Every once in a while, someone publishes a new bot/backdoor that uses weird service or protocol to do c2 (command and control). For example, I saw someone doing c2 over reddit (there are several projects on github).
I was thinking about a protocol I'd use that doesn't require me to have a public server then I remembered that I used Tox chat many years ago so I started looking into it.
Tox can be used for chat, sharing files, audio, video, etc. You can also use Tox library to build your own client or apps too. You can find more info here: https://tox.chat/faq.html
You could potentially use Tox for C2, stealing files, etc...
I started looking into seeing if anyone was using Tox maliciously or in their malware.
Known activity
While researching, the first article I found was by Uptycs. They observed a cryptocurrency miner using Tox for C2. Screenshot below from Uptycs article. (https://www.uptycs.com/blog/threat-research-report-team/is-tox-the-new-cc-method-for-coinminers)
Next I started looking at github to see if there is anything interesting there. I found a project that uses Tox protocol for traffic tunneling. The project is called ToxTun. More info here: https://github.com/gjedeer/tuntox and here: https://hackaday.io/project/171834-wandboard-experiments/log/178822-tuntox-tunnel-tcp-connections-over-the-tox-protocol
ToxTun isn't necessarily malicious but it shows what you could do on top of Tox protocol.
Another github project I found is ToxNet ("Decentralised P2P botnet using toxcore."), This project actually does use tox for c2 and below is the screenshot provided by the author:
I don't believe I've seen anyone use ToxNet in the wild or have seen anyone write about it being used in the wild. The project can be found here: https://github.com/0x4meliorate/toxnet
I was not able to find any other write ups or projects that involve the use of Tox maliciously. It's possible that I didn't Google enough.
Interesting samples
Note: I decided to see if there are other samples I could find. I focused on Windows PE files. I have not looked at ELF files. The other issue when looking for samples is that people upload legitimate Tox clients (and related files) that run on various systems on VT (VirusTotal). For some of the samples that imported libtox library, VT sandbox results are not useful as the libraries were not on the sandbox when sample ran.
Sample 1 - "vivian":
To find samples, I looked at some of the Tox nodes on VirusTotal and looked at associated files that were marked as malicious.
One of the samples I found is 783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2. (https://www.virustotal.com/gui/file/783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2)
This file runs and drops another file and creates a service. The exe file that this sample drops seems to be the one that interacts with Tox.
The behavior is documented on VT but also here: https://vms.drweb.com/virus/?i=24040707
The second sample I came across is 648ace599bcdea491322f08616d4be9b6949f1860282b60bd0e78b64d6c4507e (https://www.virustotal.com/gui/file/648ace599bcdea491322f08616d4be9b6949f1860282b60bd0e78b64d6c4507e) and while researching the first sample, I realized that they're similar.
While running 783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2 in Triage (https://tria.ge/240920-y3p37swclc/behavioral1) I noticed that it dropped a file that's pretty much same size as the sample above.
The drive.exe dropped is 83085d79329b4951cbefdc8bf9d6b4d04accf33c25a547511efeeab4cfe3d9f2, which I uploaded here: https://www.virustotal.com/gui/file/83085d79329b4951cbefdc8bf9d6b4d04accf33c25a547511efeeab4cfe3d9f2
Both 362KB are pretty much similar and mutexlunastring mutex is seen being used:
I started researching the mutex string and was not able to find any writeups mentioning it.
At this point, I started doing just basic static analysis.
Quick strings review shows that you'd seen these kinds of commands in a backdoor/bot. There are some references to Tox in the binary but dynamic analysis also shows connections to Tox nodes.
Based on the strings, I wrote a yara rule and looked at Hybrid Analysis for more samples.
I found another sample, which was easier to analyze. It's dd2abd48e408d08f52300907a4a29783472bcdfc8e5b2954d3192dd717beeb40. https://www.virustotal.com/gui/file/dd2abd48e408d08f52300907a4a29783472bcdfc8e5b2954d3192dd717beeb40
Screenshot below shows some of the available commands:
lpStartAddress refers to the place where code for that specific command is. This for example is for sysinfo:
Sample 2 - "fffline":
I decided to start looking for samples differently. I decided to look for binaries using libtox.
One of the samples I found is bb1468383e488f7e90c2900c9a7e65aae856d93cee75130effa300dc4dfec8b6 https://www.virustotal.com/gui/file/bb1468383e488f7e90c2900c9a7e65aae856d93cee75130effa300dc4dfec8b6
This was named bot.exe on VT and one of the AV's marked this as rev shell so it seemed interesting.
Tox library being used:
Strings look very interesting. I think fffline is supposed to be "offline".
It appears that Tox name is being set to Evil and status is being set to "hacking corps for money and for fun!":
This function is also interesting as it suggests command execution:
Sample 3:
The last sample I found while looking at samples importing libtox is this: d204f359b5c990575a2bf7a2babfe611997f985ef94bc39393aab955516382a5. https://www.virustotal.com/gui/file/d204f359b5c990575a2bf7a2babfe611997f985ef94bc39393aab955516382a5
This was interesting because it was uploaded as "windows_payload.exe" on VT and there is just one detection right now.
Based on quick analysis of this sample, it might be taking commands and returning the output but I'm not 100% sure.
While reviewing this sample a bit more, I noticed that this sample and sample 2 have strings similar to Tox Echo Bot example. Maybe they partially used the Echo bot code.
References in the sample:
Echo bot example https://gist.github.com/nurupo/8c6c1d455b39b0830668 :
Detection
I don't think Tox will be used widespread because implementing it into malware is pain in the ass compared to currently existing solution for c2. I do think looking for use of Tox in malicious files might lead to finding interesting samples.
Yara can be used to find samples/do detection.
The rules I made are here: https://github.com/BoredHackerBlog/signatures/blob/main/yara/tox.yar They're not the best rules but good enough for what I wanted to do.
You can use yara to look for the following things:
- Library imports (libtox, libtoxcore, other libraries/bindings (go, python, etc))
- Tox related function names from various libraries
- Node related info such as IP, domain names, or public keys
Network traffic analysis can be used for detecting Tox usage as well.
There are some suricata rules here: https://rules.evebox.org/search?q=tox https://rules.evebox.org/search?q=tox.chat
There are Tox node lists that exist too. Looking for traffic to Tox node could be interesting.
One of the other things to keep in mind is that a lot of the nodes seem to be using port 33445.
Nodes:
https://wiki.tox.chat/users/nodes
Finally, there will be false positives. As mentioned earlier, a lot of people have uploaded legitimate Tox clients or related files from various systems to VT. I'm sure there are people compiling their own clients as well, which sometimes get uploaded to VT.
Maybe looking for Tox and other behavior or file properties is a better solution for reducing FPs.
End
For anyone interested, I'd recommend doing proper analysis and maybe also looking for Linux/ELF samples too. I have not looked at use of golang or python libraries yet either.
