Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

10/2/2019
06:00 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Masad Stealer Uses Telegram to Send Its Control Messages to Waiting Bots

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information.

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram for a Command and Control (C&C) channel gives the malware some anonymity. Telegram is a legitimate messaging application that boasts of 200 million monthly active users.

Jupiter says the malware is being advertised on black market forums as "Masad Clipper and Stealer." It starts with a free version and goes up to versions asking up to $85, with each tier of the malware offering different features.

Jupiter says that the malware steals browser data, which may then give up usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own, so it does outright stealing as part of its nefarious activities.

The malware is made up of Autoit scripts and then it is compiled into a Windows executable. Jupiter saw most samples were about 1.5 MiB in size. But Masad Stealer can be found in larger executables since it has been bundled into other software.

Once started up, it drops itself in %APPDATA%\folder_name}\{file_name}, where folder_name and file_name have been defined in the binary. Examples might be names like amd64_usbhub3.inf.resources and ws2_32.exe, respectively. To gain persistence, Masad Stealer creates a scheduled task that will start itself every one minute.

It goes after certain information like cryptocurrency wallets, PC and system information, credit card browser data, browser passwords, desktop files, browser cookies, Steam files, AutoFill browser fields, Discord and Telegram data and FileZilla files.

\r\nIt zips all of these into a file and then using a hardcoded bot token (a way to communicate with the Command and Control bot) it will send this zip file using the sendDocument API.

\r\nThere is also a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. The malware searches for wallets containing Monero, Bitcoin Cash, Litecoin, Neo, Web Money, ADA, ZCASH, DogeCoin, Stratis, QIWI Pay, Bicond, Waves, Reddcoin, Qtum, Payeer, Bytecoin, Bitcoin, Black Coin, VIA, Steam Trade Link, Bitcoin Gold, Emercoin, Lisk, Ethereum, Dash, Ripple and Yandex Money.

Based on Jupiter's telemetry, Masad Stealer's main distribution vectors will disguise it as a legitimate tool or may bundle it into third party tools. It has tried to pass itself off as ProxySwitcher, CCleaner, Utilman, Netsh and Whoami.

Since it has been distributed on forums, there are many variants of this malware in the wild. Each variant family may be assumed to control its own bot.

There is at least one dedicated website, (masadproject[.]life), in existence that promotes the sale of Masad Stealer. Ironically, the developers have also created a Telegram group for their potential clients which may even offer tech support. At time of writing, Juniper says that this group has more than 300 members.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
CVE-2021-43776
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
CVE-2021-41243
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...