Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

10/2/2019
06:00 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Masad Stealer Uses Telegram to Send Its Control Messages to Waiting Bots

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information.

Juniper Threat Labs has discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram for a Command and Control (C&C) channel gives the malware some anonymity. Telegram is a legitimate messaging application that boasts of 200 million monthly active users.

Jupiter says the malware is being advertised on black market forums as "Masad Clipper and Stealer." It starts with a free version and goes up to versions asking up to $85, with each tier of the malware offering different features.

Jupiter says that the malware steals browser data, which may then give up usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own, so it does outright stealing as part of its nefarious activities.

The malware is made up of Autoit scripts and then it is compiled into a Windows executable. Jupiter saw most samples were about 1.5 MiB in size. But Masad Stealer can be found in larger executables since it has been bundled into other software.

Once started up, it drops itself in %APPDATA%\folder_name}\{file_name}, where folder_name and file_name have been defined in the binary. Examples might be names like amd64_usbhub3.inf.resources and ws2_32.exe, respectively. To gain persistence, Masad Stealer creates a scheduled task that will start itself every one minute.

It goes after certain information like cryptocurrency wallets, PC and system information, credit card browser data, browser passwords, desktop files, browser cookies, Steam files, AutoFill browser fields, Discord and Telegram data and FileZilla files.

\r\nIt zips all of these into a file and then using a hardcoded bot token (a way to communicate with the Command and Control bot) it will send this zip file using the sendDocument API.

\r\nThere is also a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. The malware searches for wallets containing Monero, Bitcoin Cash, Litecoin, Neo, Web Money, ADA, ZCASH, DogeCoin, Stratis, QIWI Pay, Bicond, Waves, Reddcoin, Qtum, Payeer, Bytecoin, Bitcoin, Black Coin, VIA, Steam Trade Link, Bitcoin Gold, Emercoin, Lisk, Ethereum, Dash, Ripple and Yandex Money.

Based on Jupiter's telemetry, Masad Stealer's main distribution vectors will disguise it as a legitimate tool or may bundle it into third party tools. It has tried to pass itself off as ProxySwitcher, CCleaner, Utilman, Netsh and Whoami.

Since it has been distributed on forums, there are many variants of this malware in the wild. Each variant family may be assumed to control its own bot.

There is at least one dedicated website, (masadproject[.]life), in existence that promotes the sale of Masad Stealer. Ironically, the developers have also created a Telegram group for their potential clients which may even offer tech support. At time of writing, Juniper says that this group has more than 300 members.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...