Telegram, the encrypted chat application, is being abused by hackers to seize cryptocurrency from users' wallets.
This nasty new form of malware, dubbed Masad Stealer, can empty crypto wallets by stealing files, cryptocurrency wallet data, and browser information and sending them out through Telegram bot IDs (a Telegram bot serves as its command-and-control (C2) channel). It can also modify recipient wallet addresses and use them to funnel funds into the Telegram accounts of the hackers without making its presence known. Furthermore, it only takes up 1.5 MB of space, which makes it harder to trace.
The malware has been found to target Android and Windows users mostly, but iOS users are not immune either, and it has been observed that at peak hours Bitcoin, Ethereum, and Monero are the primary targets of this malware. It uses Telegram to collect and sift the most useful information from users.
It was spread in disguise, either bundled with legitimate software such as Proxy Switcher or posing as popular downloads that users are inclined to click on, like hacks and cheat codes for games such as Dota and Fortnite. Ads for many of its variants were also widely available on the Internet, on web forums and on file-sharing sites.
Apart from all this, perhaps the most significant threat is the way the Masad malware schedules itself. It executes tasks on a 'minute-by-minute basis' across an assemblage of infected hosts. Therefore, regardless of what is happening on a targeted user's computer system, the malware continues to run in the background, increasing the chance that the victim loses their crypto funds.
</gre_replace>
<gr_replace lines="6" cat="clarify" orig="The chap application also">
The malware also comes with the capability of automatically replacing Litecoin, Monero, Bitcoin Cash, Neo, and WebMoney wallet addresses found in the clipboard, a feature its operators added at some point in the past.
The chap application also comes with the capability of automatically replacing Litecoin, Monero, Bitcoin Cash, Neo, and Web Money cryptocurrency wallets from the clipboard, which was provided by its operators somewhere in the past.
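A defender-side illustration of the clipboard-swap behaviour described above, added here as an example and not code from the article or from Juniper's analysis: it classifies clipboard contents by coin using approximate address-format checks and flags a wallet address that turns into a different address of the same coin while no user copy action occurred. The snapshot format, the "user-copy"/"poll" source labels and the sample addresses are all constructed for this example.

```python
import re

# Added example, not code from the article: rough address-format checks for
# some coins the article names. Prefix/length patterns only, not checksum
# validation, so treat hits as triage heuristics. Dict order matters: a
# "3..." P2SH address matches bitcoin before litecoin.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "litecoin": re.compile(r"^(?:ltc1[a-z0-9]{25,87}|[LM3][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the coin whose address format the text matches, else None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

def detect_clipboard_swaps(events):
    """Flag clipper-style swaps in a list of (timestamp, source, text) snapshots.

    source is "user-copy" when the snapshot followed a copy action by the user and
    "poll" when the monitor merely re-read the clipboard (constructed format). An
    address that becomes a different address of the same coin with no user copy in
    between is the signature of a clipboard hijacker.
    """
    alerts = []
    prev_text, prev_coin = None, None
    for timestamp, source, raw in events:
        text = raw.strip()
        coin = classify(text)
        if source == "poll" and coin and coin == prev_coin and text != prev_text:
            alerts.append({"time": timestamp, "coin": coin,
                           "original": prev_text, "replaced_with": text})
        prev_text, prev_coin = text, coin
    return alerts

# Constructed sample addresses and clipboard timeline (not real wallets).
VICTIM_BTC = "1VictimAddrDemoQQQQQQQQQQQQQQQ"
ATTACKER_BTC = "1AttackerAddrDemoQQQQQQQQQQQQQQQ"
VICTIM_ETH = "0x" + "deadbeef" * 5
SAMPLE_EVENTS = [
    (0, "user-copy", "meeting notes for monday"),
    (5, "user-copy", VICTIM_BTC),     # user copies their own address
    (6, "poll", VICTIM_BTC),          # unchanged on re-read
    (7, "poll", ATTACKER_BTC),        # changed with no copy action: a swap
    (20, "user-copy", VICTIM_ETH),
    (21, "poll", VICTIM_ETH),
    (30, "user-copy", ATTACKER_BTC),  # a deliberate copy is not flagged
]
```

Running `detect_clipboard_swaps(SAMPLE_EVENTS)` yields a single alert for the silent change at timestamp 7; a real monitor would feed it live clipboard reads paired with copy-event hooks.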
Previously, the Juniper Threat Labs team had investigated this looming threat and found that the malware is related to the Qulab Stealer (either as an upgraded version of it or as a direct predecessor). The research also found that it was developed in AutoIt script and then compiled into a Windows executable.
Telegram has had many ups and downs in the past few months. On one occasion, its initial coin offering (ICO) of the "Gram" (an official cryptocurrency offered through the ICO) went extremely well and raised around $2 billion in funds, but the coin was developed in secret and drew multiple regulatory backlashes, leading to delays.
Then its partnership with crypto custody firm Anchorage came as great news, considering that Anchorage is a potential partner of Libra, but Telegram's bug problems threaten the privacy of users' information and may prove harmful to the partnership.
Masad Stealer demonstrates the array of sophisticated techniques that hackers frequently use to withdraw cryptocurrency from unsuspecting users. It is being sold on black-market platforms for roughly $85. Bad actors are grouping on the Darknet to recycle previously released malware, update it and send it back into the wild, and they frequently succeed. Additionally, hackers are opening Telegram accounts as a means to fool potential victims into joining and learning more about the software.