Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

10/2/2019
06:00 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Masad Stealer Uses Telegram to Send Its Control Messages to Waiting Bots

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information.

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram for a Command and Control (C&C) channel gives the malware some anonymity. Telegram is a legitimate messaging application that boasts of 200 million monthly active users.

Jupiter says the malware is being advertised on black market forums as "Masad Clipper and Stealer." It starts with a free version and goes up to versions asking up to $85, with each tier of the malware offering different features.

Jupiter says that the malware steals browser data, which may then give up usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own, so it does outright stealing as part of its nefarious activities.

The malware is made up of Autoit scripts and then it is compiled into a Windows executable. Jupiter saw most samples were about 1.5 MiB in size. But Masad Stealer can be found in larger executables since it has been bundled into other software.

Once started up, it drops itself in %APPDATA%\folder_name}\{file_name}, where folder_name and file_name have been defined in the binary. Examples might be names like amd64_usbhub3.inf.resources and ws2_32.exe, respectively. To gain persistence, Masad Stealer creates a scheduled task that will start itself every one minute.

It goes after certain information like cryptocurrency wallets, PC and system information, credit card browser data, browser passwords, desktop files, browser cookies, Steam files, AutoFill browser fields, Discord and Telegram data and FileZilla files.

\r\nIt zips all of these into a file and then using a hardcoded bot token (a way to communicate with the Command and Control bot) it will send this zip file using the sendDocument API.

\r\nThere is also a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. The malware searches for wallets containing Monero, Bitcoin Cash, Litecoin, Neo, Web Money, ADA, ZCASH, DogeCoin, Stratis, QIWI Pay, Bicond, Waves, Reddcoin, Qtum, Payeer, Bytecoin, Bitcoin, Black Coin, VIA, Steam Trade Link, Bitcoin Gold, Emercoin, Lisk, Ethereum, Dash, Ripple and Yandex Money.

Based on Jupiter's telemetry, Masad Stealer's main distribution vectors will disguise it as a legitimate tool or may bundle it into third party tools. It has tried to pass itself off as ProxySwitcher, CCleaner, Utilman, Netsh and Whoami.

Since it has been distributed on forums, there are many variants of this malware in the wild. Each variant family may be assumed to control its own bot.

There is at least one dedicated website, (masadproject[.]life), in existence that promotes the sale of Masad Stealer. Ironically, the developers have also created a Telegram group for their potential clients which may even offer tech support. At time of writing, Juniper says that this group has more than 300 members.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...