A new malware has recently been detected by the American Internet infrastructure firm Juniper Networks, and according to the company’s report it is actively targeting users of the messaging app Telegram.
Researchers at Juniper Threat Labs, a threat intelligence portal at Juniper Networks, clocked a new Trojan-delivered malware that uses Telegram as its command and control channel. The malware cloaks itself to extract sensitive information from users of the messaging app.
Dubbed the ‘Masad Clipper and Stealer’ across black market forums, the malware taps into the targeted system’s browser history, which often contains personal information such as usernames, passwords and, in some cases, even credit card information, and steals it.
What makes this malware particularly dangerous is its target, Telegram. The messaging app has about 200 million monthly active users, all of whom the malware could potentially reach. So, in a nutshell, it’s a buffet of juicy targets for the Masad Clipper and Stealer.
The research report explained the malware’s intricate stealing routine, which revealed that after installing itself on the targeted system, the malware busies itself and starts by collecting the sensitive information available. The targeted info may include PC and system information, browser passwords, desktop files and credit card browser data.
Other information vulnerable to Masad’s attack includes FileZilla files, Steam files, browser cookies, installed software and processes, desktop files, screenshots of the desktop, and Discord and Telegram data. After collecting this information, the malware zips it into a file via a 7zip utility that is already bundled into its binary.
The zipped file is then sent using the sendDocument API via a hardcoded bot token, which in simple words is the credential used to communicate with the Command and Control bot. Before exfiltrating the data, Masad first verifies that the bot is active by sending a message with the same bot token. The report added:
Of the more than 1,000 samples we identified to be variants of this malware, there were 338 unique Telegram Command and Control bot IDs.
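A defender-side check for the traffic pattern described above, added here as an example and not code from Juniper’s report: it scans constructed proxy log lines for Telegram Bot API requests, flags hosts that called sendDocument, and tallies distinct bot IDs the way the report counts them. The log format, client addresses and process names are assumptions.

```python
import re
from collections import Counter

# Bot API requests look like https://api.telegram.org/bot<token>/<method>, where
# <token> is "<numeric bot id>:<secret>". Only the bot id (before the colon) is
# kept: it is what lets distinct C2 bots be counted, while the secret should
# never be copied into an alert or a report.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]{30,}/(?P<method>\w+)"
)

# Constructed proxy log lines (timestamp, client IP, process, URL, status).
# The tokens are obvious placeholders, not real bot credentials.
SAMPLE_LOG = """\
2019-09-27T10:01:02Z 10.0.0.5 updater.exe https://api.telegram.org/bot123456789:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendMessage 200
2019-09-27T10:01:03Z 10.0.0.5 updater.exe https://api.telegram.org/bot123456789:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendDocument 200
2019-09-27T10:02:11Z 10.0.0.9 chrome.exe https://web.telegram.org/k/ 200
2019-09-27T10:03:40Z 10.0.0.7 crack.exe https://api.telegram.org/bot987654321:AAGyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sendDocument 200
2019-09-27T10:04:00Z 10.0.0.5 outlook.exe https://outlook.office365.com/ 200
"""

def bot_api_calls(log_text):
    """Return one (client, process, bot_id, method) tuple per Bot API request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, process, url = fields[1], fields[2], fields[3]
        m = BOT_CALL.search(url)
        if m:
            hits.append((client, process, m.group("bot_id"), m.group("method")))
    return hits

def exfil_suspects(hits):
    """Hosts that uploaded a file to a bot: sendDocument is how Masad ships its 7zip archive."""
    return sorted({(client, process) for client, process, _, method in hits
                   if method == "sendDocument"})

def distinct_bot_ids(hits):
    """Requests per bot id, mirroring the report's unique-bot-ID tally."""
    return Counter(bot_id for _, _, bot_id, _ in hits)

if __name__ == "__main__":
    calls = bot_api_calls(SAMPLE_LOG)
    for entry in calls:
        print("bot api call:", entry)
    print("exfil suspects:", exfil_suspects(calls))
    print("distinct bots:", len(distinct_bot_ids(calls)))
```

Normal Telegram client traffic (web.telegram.org) does not match, so the hits are limited to processes talking to the Bot API, which is where a legitimate bot on the host would need to be allow-listed.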
Masad doesn’t leave cryptocurrency wallets alone either: it automatically replaces wallet addresses on the clipboard with its own. The Juniper Threat Labs report also explored the malware’s clipping routine, according to which Masad contains a function that replaces wallet addresses on the clipboard the instant they match a specific configuration.
It went on to explain that if the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary.
What’s even more alarming for the crypto community in particular is that the malware can automatically swap addresses for various crypto assets, including but not limited to Monero (XMR), Bitcoin Cash (BCH), Litecoin (LTC), Ethereum (ETH) and Ripple (XRP). Moreover, the report claims:
Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools.
Threat actors reach their targeted end users by offering downloads on advertising forums, third-party download sites and file-sharing sites. Additionally, people who install software and game cracks, cheats and aimbots are also likely to fall victim to Masad’s malicious activities.
According to the report, Masad is advertised openly on several hack forums in addition to black-market forums. It starts with a free version and advances to versions demanding up to $85, with each tier of the malware offering different features.
It is evident that Masad is a rather complex piece of malware, as it operates in an extremely systematic way while managing to stay hidden from the unsuspecting target. Juniper Threat Labs’ report concluded that it is an active and ongoing threat, which means that the Command and Control bots are still alive and responding.
For organizations looking to protect themselves from this threat, the report suggests installing a next-generation firewall (NGFW) with Advanced Threat Protection. In addition, Juniper Networks also offered its own fix, Juniper Sky ATP, in combination with its SRX firewall, which offers both remediation and prevention capabilities.
This threat comes on the heels of Telegram’s launch of the Gram wallet. The messaging app revealed a wallet for its network’s native token, Gram (GRM), which is now active on the alpha version of Telegram on iOS. However, the Masad malware could put a damper on things for Telegram unless it is stopped with a proper solution.