A freshly discovered commercial spyware dubbed the “Masad Clipper and Stealer” is using Telegram bots as its command-and-control (C2) hub. Masad harvests information from Windows and Android users and also comes with a full cadre of other malicious capabilities, including the ability to steal cryptocurrency from victims’ wallets.
According to an analysis from Juniper Threat Labs on Friday, one of the most interesting things about Masad (which the researchers think is descended from the known “Qulab Stealer” malware) is that it sends the data it collects from victims to a Telegram bot that acts as its C2 server — that’s a twist in the world of C2 mechanisms, according to researchers.
To connect to the C2 bot, Masad first sends a getMe message using a hardcoded bot token to confirm that the bot is still active, according to the analysis. Then, after harvesting a range of data and compiling it into a ZIP folder (using the 7zip utility, which is bundled into the malware binary), it sends the folder along using the sendDocument API.
“Upon receiving this request, the bot replies with the user object that contains the username of the bot. This username object is useful for identifying possible threat actors related to this malware,” Juniper researchers said in their analysis. “This is an important consideration because of the off-the-shelf nature of this malware – multiple parties will be operating Masad Stealer instances for different purposes.”
In fact, of the more than 1,000 samples Juniper identified operating in the wild as variants of Masad, there were 338 unique Telegram C2 bots.
“From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations,” the researchers said. They added that the developers have also created a Telegram group for their potential clients, and for tech support; it so far has more than 300 members.
The stolen information can include browser form data with usernames and passwords for various sites, along with contact information and credit-card data; PC and system information; a list of installed software and processes; desktop files; screenshots; browser cookies; Steam gaming platform files; Discord and Telegram messages; and FileZilla files.
It also automatically replaces cryptocurrency wallets from the clipboard with its own; and has the capability of downloading other malware (the Juniper team observed some variants delivering cryptominers to victims).
“This malware includes a function that replaces wallets on the clipboard, as soon as it matches a particular configuration,” the researchers explained. “If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary.”
It looks for a wide variety of cryptocurrencies, including Bitcoin, DogeCoin, Ethereum, Litecoin, Monero, Neo and a raft of others.
Distribution
Juniper found that Masad’s main propagation mechanism lies in masquerading as a legitimate tool, or bundling itself into a third-party tool. It’s been seen mimicking software utilities like ProxySwitcher, CCleaner, Utilman, Netsh and Whoami; and, interestingly, it also mimics an existing malware called Proxo Bootstrapper.
Further, it tries to pass itself off as a gaming hack for Fortnite (Fortniteaimbot 2019.exe) – which is a tactic also recently seen being used by the Syrk ransomware. And for the mobile user, it has also been seen purporting to be a software update for the Samsung Galaxy handset.
“Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites,” the researchers explained. “It starts with a free version and ladders up to versions asking up to $85, with each tier of the malware offering different features.”
They added that there is also at least one dedicated website (masadproject[.]life) out there as well.
What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.