Understanding CYBEREYE RAT Builder: Capabilities and Implications

CyberEye, also known as TelegramRAT, is a modular .NET-based Remote Access Trojan that uses the Telegram Bot API for command and control, enabling stealthy surveillance and data theft without requiring attacker-controlled infrastructure. Its capabilities include credential harvesting, defense evasion by disabling Windows Defender, clipboard hijacking, and persistence via scheduled tasks, making it a significant threat to users and organizations. #CyberEye #TelegramRAT #TelegramBotAPI

Keypoints

  • CyberEye is a modular RAT builder that uses a GUI to customize payloads with features like keylogging, file grabbing, and persistence mechanisms.
  • It uses Telegram Bot API as its command-and-control (C2) channel, allowing attackers to control infected machines remotely and exfiltrate stolen data.
  • The malware exhibits advanced defense evasion, including disabling Windows Defender via PowerShell and registry modifications, and sandbox/virtualization detection.
  • Credential theft modules target browsers, Telegram, Discord, Steam, FTP clients, and clipboard cryptocurrency wallets to harvest sensitive information and hijack transactions.
  • Persistence is achieved by installing high-privilege scheduled tasks and copying the malware to hidden locations for long-term presence on victims’ systems.
  • The malware developers distribute CyberEye publicly via GitHub and Telegram channels, targeting novice threat actors with plug-and-play functionality.
  • Mitigation recommendations include blocking Telegram Bot API traffic, restricting PowerShell, enforcing application whitelisting, and monitoring access to credential stores.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – CyberEye is delivered as a malicious executable that the user must run.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The malware installs itself as a scheduled task triggered at user logon for persistence.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Uses PowerShell scripts to disable Windows Defender (“PowerShell’s Defender module to turn off specific protections”).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Persistence via registry run keys to maintain execution after reboot.
  • [T1112] Modify Registry – Disables Defender features by editing registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
  • [T1562.001] Disable or Modify Security Tools – Disables Windows Defender real-time protection and tamper protection features.
  • [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Uses time checks and module presence to detect and evade sandbox or virtualized environments.
  • [T1555.003] Credentials from Password Stores: Chromium Credential Harvesting – Extracts saved browser passwords and cookies from Chromium-based browsers.
  • [T1057] Process Discovery – Checks running processes such as Telegram for targeted data theft.
  • [T1012] Query Registry – Uses registry queries to detect environment and manage persistence.
  • [T1113] Screen Capture – Captures desktop screenshots as part of data collection.
  • [T1005] Data from Local System – Collects files from desktop and application folders for exfiltration.
  • [T1102.002] Web Service: External Service (Telegram Bot API) – Uses Telegram bot API for command and control communications.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates stolen data via Telegram API messages and file uploads.

Indicators of Compromise

  • [File Hashes] Malware samples – MD5 e6091d3b4d8ea77ba341e21d1d60b2d0, SHA256 e0ac9404023867022db140d5737b8cb8310ff677debfc89be27bfa9616eacc92; MD5 333e2a6c9920a2883eab4e37ad4ac490, SHA256 e58d135ff9a2d93b16910dbe938542b842eb145bf0f16cdd7edd9d60db1df9ce.
  • [Scheduled Task Name] Persistence tactic – Scheduled task named “Chrome Update” installed with high privileges to evade detection.
  • [File Paths] Persistence and data theft – Copies executable to hidden directories under AppData, and targets files like Chrome’s Login Data, Telegram’s tdata folder, Discord Local Storage leveldb, Steam’s loginusers.vdf, and FileZilla’s recentservers.xml.
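As an added example that is not part of the CYFIRMA report, the following Python triage script runs the indicators listed above over constructed log lines: creation of the “Chrome Update” scheduled task, writes to the Defender policy key, connections to the Telegram Bot API host (api.telegram.org, assumed here since the report names only the API), reads of the listed credential stores, and a SHA256 lookup against the two sample hashes. The key=value event format and process names are constructed for the example.

```python
import re

# Constructed sample events (not from the report), in a simplified key=value format.
SAMPLE_LOGS = [
    'event=TaskCreated task="Chrome Update" runlevel=Highest proc=update.exe',
    'event=RegSet key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" value=DisableAntiSpyware data=1',
    'event=NetConnect dest=api.telegram.org port=443 proc=update.exe',
    'event=FileRead path="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" proc=update.exe',
    'event=FileRead path="C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas" proc=update.exe',
    'event=NetConnect dest=update.microsoft.com port=443 proc=svchost.exe',
    'event=FileRead path="C:\\Users\\alice\\Documents\\notes.txt" proc=notepad.exe',
]

# SHA256 values of the two samples named in the report, for matching file-hash telemetry.
KNOWN_SHA256 = {
    "e0ac9404023867022db140d5737b8cb8310ff677debfc89be27bfa9616eacc92",
    "e58d135ff9a2d93b16910dbe938542b842eb145bf0f16cdd7edd9d60db1df9ce",
}

DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
CREDENTIAL_STORES = ["Login Data", "tdata", "leveldb", "loginusers.vdf", "recentservers.xml"]

# One rule per indicator, labelled with the MITRE technique the report maps it to.
RULES = {
    "T1053.005 scheduled task 'Chrome Update'":
        re.compile(r'event=TaskCreated .*task="Chrome Update"'),
    "T1112 Defender policy key modified":
        re.compile(r'event=RegSet key="' + re.escape(DEFENDER_POLICY_KEY) + '"'),
    "T1102.002 Telegram Bot API contact":
        re.compile(r"event=NetConnect dest=api\.telegram\.org\b"),
    "T1555.003 credential store access":
        re.compile(r'event=FileRead path=".*(?:' + "|".join(map(re.escape, CREDENTIAL_STORES)) + r')'),
}

def scan(lines):
    """Return (rule name, line) for every line that matches one of the indicator rules."""
    hits = []
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits

def is_known_sample(sha256):
    """True if a file hash matches one of the report's two samples."""
    return sha256.lower() in KNOWN_SHA256

def summarize(hits):
    """Distinct technique IDs observed; several together are stronger evidence than any one alone."""
    return sorted({name.split(" ")[0] for name, _ in hits})

if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOGS):
        print(f"[{name}] {line}")
    print("techniques observed:", summarize(scan(SAMPLE_LOGS)))
```

On the constructed sample the scan flags five events across four techniques and leaves the Windows Update connection and the Notepad file read untouched.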


Read more: https://www.cyfirma.com/research/understanding-cybereye-rat-builder-capabilities-and-implications/