Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

10/2/2019
06:00 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Masad Stealer Uses Telegram to Send Its Control Messages to Waiting Bots

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information.

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram for a Command and Control (C&C) channel gives the malware some anonymity. Telegram is a legitimate messaging application that boasts of 200 million monthly active users.

Jupiter says the malware is being advertised on black market forums as "Masad Clipper and Stealer." It starts with a free version and goes up to versions asking up to $85, with each tier of the malware offering different features.

Jupiter says that the malware steals browser data, which may then give up usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own, so it does outright stealing as part of its nefarious activities.

The malware is made up of Autoit scripts and then it is compiled into a Windows executable. Jupiter saw most samples were about 1.5 MiB in size. But Masad Stealer can be found in larger executables since it has been bundled into other software.

Once started up, it drops itself in %APPDATA%\folder_name}\{file_name}, where folder_name and file_name have been defined in the binary. Examples might be names like amd64_usbhub3.inf.resources and ws2_32.exe, respectively. To gain persistence, Masad Stealer creates a scheduled task that will start itself every one minute.

It goes after certain information like cryptocurrency wallets, PC and system information, credit card browser data, browser passwords, desktop files, browser cookies, Steam files, AutoFill browser fields, Discord and Telegram data and FileZilla files.

\r\nIt zips all of these into a file and then using a hardcoded bot token (a way to communicate with the Command and Control bot) it will send this zip file using the sendDocument API.

\r\nThere is also a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. The malware searches for wallets containing Monero, Bitcoin Cash, Litecoin, Neo, Web Money, ADA, ZCASH, DogeCoin, Stratis, QIWI Pay, Bicond, Waves, Reddcoin, Qtum, Payeer, Bytecoin, Bitcoin, Black Coin, VIA, Steam Trade Link, Bitcoin Gold, Emercoin, Lisk, Ethereum, Dash, Ripple and Yandex Money.

Based on Jupiter's telemetry, Masad Stealer's main distribution vectors will disguise it as a legitimate tool or may bundle it into third party tools. It has tried to pass itself off as ProxySwitcher, CCleaner, Utilman, Netsh and Whoami.

Since it has been distributed on forums, there are many variants of this malware in the wild. Each variant family may be assumed to control its own bot.

There is at least one dedicated website, (masadproject[.]life), in existence that promotes the sale of Masad Stealer. Ironically, the developers have also created a Telegram group for their potential clients which may even offer tech support. At time of writing, Juniper says that this group has more than 300 members.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5641
PUBLISHED: 2020-11-24
Cross-site request forgery (CSRF) vulnerability in GS108Ev3 firmware version 2.06.10 and earlier allows remote attackers to hijack the authentication of administrators and the product's settings may be changed without the user's intention or consent via unspecified vectors.
CVE-2020-5674
PUBLISHED: 2020-11-24
Untrusted search path vulnerability in the installers of multiple SEIKO EPSON products allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
CVE-2020-29002
PUBLISHED: 2020-11-24
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
CVE-2020-29003
PUBLISHED: 2020-11-24
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.
CVE-2020-26890
PUBLISHED: 2020-11-24
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the r...