Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations.
The findings from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact (“72client”) that functions as a bot and can run scripts on the compromised host using the Tox protocol.
Tox is a serverless protocol for online communications that offers end-to-end encryption (E2EE) protections by making use of the Networking and Cryptography library (NaCl, pronounced “salt”) for encryption and authentication.
Tox has been historically used by ransomware actors as a communication mechanism, but the latest development marks the first time the protocol is being used to run arbitrary scripts on an infected machine.
The disclosure also arrives amid reports that the decentralized file system solution known as IPFS is being increasingly used for hosting phishing sites in an effort to make takedowns more difficult.
