Saturday, September 21, 2024

Use of Tox protocol in malware

Intro

Note: For the samples mentioned here, I haven't spent much time doing in-depth analysis, so I'm not super confident in my analysis. I was not able to find any sandbox results showing the samples running and getting instructions. (Also, I'm on vacation. I just found this idea interesting and wanted to get this blog post pushed out.)

This is me. I'm not a professional malware analyst or threat intel person: 

 

Every once in a while, someone publishes a new bot/backdoor that uses a weird service or protocol to do C2 (command and control). For example, I saw someone doing C2 over Reddit (there are several projects on GitHub).

I was thinking about a protocol I'd use that doesn't require me to have a public server, and then I remembered that I used Tox chat many years ago, so I started looking into it.

Tox can be used for chat, sharing files, audio, video, etc. You can also use the Tox library to build your own client or apps. You can find more info here: https://tox.chat/faq.html

You could potentially use Tox for C2, stealing files, etc...

I started looking into seeing if anyone was using Tox maliciously or in their malware.

Known activity

While researching, the first article I found was by Uptycs. They observed a cryptocurrency miner using Tox for C2. Screenshot below from the Uptycs article. (https://www.uptycs.com/blog/threat-research-report-team/is-tox-the-new-cc-method-for-coinminers)

Next I started looking at GitHub to see if there was anything interesting there. I found a project that uses the Tox protocol for traffic tunneling. The project is called ToxTun. More info here: https://github.com/gjedeer/tuntox and here: https://hackaday.io/project/171834-wandboard-experiments/log/178822-tuntox-tunnel-tcp-connections-over-the-tox-protocol

ToxTun isn't necessarily malicious, but it shows what you could do on top of the Tox protocol.

Another GitHub project I found is ToxNet ("Decentralised P2P botnet using toxcore."). This project actually does use Tox for C2, and below is the screenshot provided by the author:


I don't believe I've seen anyone use ToxNet in the wild or have seen anyone write about it being used in the wild. The project can be found here: https://github.com/0x4meliorate/toxnet

I was not able to find any other write ups or projects that involve the use of Tox maliciously. It's possible that I didn't Google enough.

Interesting samples

Note: I decided to see if there were other samples I could find. I focused on Windows PE files. I have not looked at ELF files. The other issue when looking for samples is that people upload legitimate Tox clients (and related files) that run on various systems to VT (VirusTotal). For some of the samples that imported the libtox library, VT sandbox results are not useful, as the libraries were not on the sandbox when the sample ran.


Sample 1 - "vivian":

To find samples, I looked at some of the Tox nodes on VirusTotal and looked at associated files that were marked as malicious.

One of the samples I found is 783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2. (https://www.virustotal.com/gui/file/783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2)

This file runs and drops another file and creates a service. The exe file that this sample drops seems to be the one that interacts with Tox. 

The behavior is documented on VT but also here: https://vms.drweb.com/virus/?i=24040707

The second sample I came across is 648ace599bcdea491322f08616d4be9b6949f1860282b60bd0e78b64d6c4507e (https://www.virustotal.com/gui/file/648ace599bcdea491322f08616d4be9b6949f1860282b60bd0e78b64d6c4507e) and while researching the first sample, I realized that they're similar. 

While running 783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2 in Triage (https://tria.ge/240920-y3p37swclc/behavioral1), I noticed that it dropped a file that's pretty much the same size as the sample above.

The drive.exe dropped is 83085d79329b4951cbefdc8bf9d6b4d04accf33c25a547511efeeab4cfe3d9f2, which I uploaded here: https://www.virustotal.com/gui/file/83085d79329b4951cbefdc8bf9d6b4d04accf33c25a547511efeeab4cfe3d9f2

Both 362 KB files are pretty much similar, and the mutexlunastring mutex is seen being used:


I started researching the mutex string and was not able to find any writeups mentioning it.

At this point, I started doing just basic static analysis. 

A quick strings review shows the kinds of commands you'd see in a backdoor/bot. There are some references to Tox in the binary, and dynamic analysis also shows connections to Tox nodes.

Based on the strings, I wrote a yara rule and looked at Hybrid Analysis for more samples. 
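As an added illustration (not the author's rule), two YARA rules built from what is visible above: a tight one keyed on the mutexlunastring mutex seen in the ~362 KB "vivian" samples, and a broad hunting rule for PEs that reference the toxcore API. The toxcore function and library names are assumed from tox.h and the libtoxcore build name, not taken from the samples, and the broad rule will also match legitimate Tox clients, which, as noted above, get uploaded to VT too.

```yara
// Added example, not the blog author's rule. High-confidence rule keyed on the
// mutex string observed in the two ~362 KB "vivian" samples.
rule vivian_tox_backdoor_mutex
{
    meta:
        description = "PE carrying the mutexlunastring mutex seen in the Tox-using 'vivian' samples"
        confidence  = "high"
    strings:
        $mutex = "mutexlunastring" ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize < 2MB and $mutex
}

// Low-confidence hunting rule: any PE that imports or embeds toxcore API names.
// Function names are assumed from toxcore's tox.h; legitimate Tox clients match
// too, so treat hits as triage candidates rather than verdicts.
rule pe_references_toxcore_api
{
    meta:
        description = "PE referencing toxcore API names (assumed names from tox.h) or libtoxcore"
        confidence  = "low"
    strings:
        $api1 = "tox_bootstrap" ascii
        $api2 = "tox_self_get_address" ascii
        $api3 = "tox_friend_send_message" ascii
        $api4 = "tox_iterate" ascii
        $dll  = "libtoxcore" ascii nocase
    condition:
        uint16(0) == 0x5A4D and (2 of ($api*) or ($dll and 1 of ($api*)))
}
```

The API-name rule only fires when the names survive in the binary (dynamic imports from a libtoxcore DLL or an unstripped static build), so a stripped static link can slip past it.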

I found another sample, which was easier to analyze. It's dd2abd48e408d08f52300907a4a29783472bcdfc8e5b2954d3192dd717beeb40 (https://www.virustotal.com/gui/file/dd2abd48e408d08f52300907a4a29783472bcdfc8e5b2954d3192dd717beeb40).

Screenshot below shows some of the available commands:

 

lpStartAddress refers to the place where the code for that specific command is. This, for example, is for sysinfo: