Juniper Threat Labs recently released a report about a newly discovered commercial spyware called “Masad Clipper and Stealer.” It uses Telegram bots as its command and control (C2) channel to collect information stolen from Windows and Android users, can steal cryptocurrency from unsuspecting victims, and drops additional malware on their devices.
The report discusses several interesting features of the newly discovered malware, but the one that most caught the researchers' attention was its ability to send data stolen from victims to Telegram bots and then use those bots as a command hub. They consider this a twist on the familiar C2 mechanism.
How does the malware work?
Masad first sends a getMe request to confirm that the bot is still active; it then packs all the data stolen from the victim into a zip archive and sends it to the bot. The analysts explained:
“Upon receiving this request, the bot replies with the user object that contains the username of the bot. This username object is useful for identifying possible threat actors related to this malware. This is an important consideration because of the off-the-shelf nature of this malware – multiple parties will be operating Masad Stealer instances for different purposes.”
The researchers noted that more than 1,000 Masad variants and 338 unique Telegram C2 bots are currently active in the wild. They added:
“From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations.”
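The check-in-then-upload sequence described above (a getMe liveness call followed by a file upload to the same bot) is something a defender can look for in web proxy logs, and the numeric part of the bot token is a convenient key for clustering hosts hit by the same campaign. The following Python is an added example, not code from the report or from Juniper; the log format and every address, token and timestamp in it are constructed, and the assumption is that the proxy records the full request URL.

```python
import re
from collections import defaultdict

# Telegram Bot API URLs have the form https://api.telegram.org/bot<token>/<method>,
# where <token> is "<numeric bot id>:<secret>". Only the numeric id is kept for
# pivoting between campaigns; the secret is deliberately not recorded.
TELEGRAM_BOT_CALL = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Methods that move data off the host; a getMe followed by one of these is the
# check-in-then-upload sequence described in the report.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log lines (hypothetical, not real traffic):
# "<epoch> <client ip> <http verb> <url> <user agent>"
SAMPLE_PROXY_LOG = """\
1569000001 10.0.0.5 GET https://api.telegram.org/bot123456789:AAFakeSecretTokenValue00000/getMe -
1569000002 10.0.0.5 POST https://api.telegram.org/bot123456789:AAFakeSecretTokenValue00000/sendDocument -
1569000003 10.0.0.9 GET https://www.example.com/index.html Mozilla/5.0
1569000004 10.0.0.7 GET https://api.telegram.org/bot987654321:AAOtherFakeSecret1111111111/getMe -
"""


def parse_proxy_line(line):
    """Split one constructed log line into its fields; return None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    epoch, client, verb, url = parts[:4]
    user_agent = parts[4] if len(parts) > 4 else "-"
    return {"epoch": int(epoch), "client": client, "verb": verb, "url": url, "ua": user_agent}


def find_telegram_bot_c2(log_text):
    """Group Telegram Bot API calls by client and flag the getMe -> upload sequence.

    Returns one dict per client that touched the Bot API, sorted by client address.
    `bot_ids` lists the numeric bot identifiers the client talked to (a pivot for
    clustering hosts hit by the same campaign); `exfil_pattern` is True when an
    upload method was seen after a getMe check-in.
    """
    per_client = defaultdict(lambda: {"bot_ids": set(), "methods": []})
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        match = TELEGRAM_BOT_CALL.search(rec["url"])
        if match is None:
            continue  # ordinary traffic, not a Bot API call
        entry = per_client[rec["client"]]
        entry["bot_ids"].add(match.group("bot_id"))
        entry["methods"].append(match.group("method"))

    findings = []
    for client, entry in per_client.items():
        methods = entry["methods"]
        checked_in = "getMe" in methods
        uploaded_after = False
        if checked_in:
            after_check_in = methods[methods.index("getMe") + 1:]
            uploaded_after = any(m in UPLOAD_METHODS for m in after_check_in)
        findings.append({
            "client": client,
            "bot_ids": sorted(entry["bot_ids"]),
            "methods": methods,
            "exfil_pattern": checked_in and uploaded_after,
        })
    return sorted(findings, key=lambda f: f["client"])


if __name__ == "__main__":
    for finding in find_telegram_bot_c2(SAMPLE_PROXY_LOG):
        print(finding)
```

On a workstation, any Bot API traffic at all is worth a look, since the official Telegram clients do not use the bot endpoints; the getMe-then-upload ordering just raises the priority. Clients that only show a getMe (10.0.0.7 in the constructed log) still record the bot id, so a later upload from any host to that id can be tied back to the same campaign.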
The research also found that the malware can replace cryptocurrency wallet addresses on the clipboard with the attackers' own. The researchers explained:
“This malware includes a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary.”
The malware targets a number of cryptocurrencies, including Bitcoin, Dogecoin, Ethereum, Litecoin, Monero, Neo and several others.
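The clipper behaviour quoted above has a simple observable signature on the endpoint: a wallet address lands on the clipboard and, a fraction of a second later, is replaced by a different address of the same family without any user action. The Python below is an added example, not code from the report or from Juniper; it applies that heuristic to a timeline of clipboard snapshots. The address patterns cover only the common Bitcoin, Ethereum and Litecoin encodings (no checksum validation), the two-second window is an assumption, and all sample addresses are constructed shapes rather than real wallets.

```python
import re
from dataclasses import dataclass

# Address families the stealer is reported to target; patterns are for the common
# encodings only and do no checksum validation, so they are screening filters.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc_legacy": re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
}


def classify_address(text):
    """Return the address family name if `text` looks like a wallet address, else None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


@dataclass
class ClipboardSnapshot:
    seconds: float  # monotonic time the snapshot was taken
    content: str


def detect_clipper(snapshots, window_seconds=2.0):
    """Flag a wallet address silently replaced by another of the same family.

    A user pasting a different address seconds later is possible but unusual;
    a clipper rewrites the clipboard almost immediately after the copy, so the
    window keeps false positives down. Returns one dict per suspicious swap; the
    `replacement` value is the attacker-controlled wallet, an indicator worth keeping.
    """
    alerts = []
    for previous, current in zip(snapshots, snapshots[1:]):
        old_family = classify_address(previous.content)
        new_family = classify_address(current.content)
        if old_family is None or old_family != new_family:
            continue
        if previous.content.strip() == current.content.strip():
            continue  # same address re-read, nothing changed
        if current.seconds - previous.seconds > window_seconds:
            continue  # too slow for a clipper; treat as a deliberate new copy
        alerts.append({
            "family": old_family,
            "original": previous.content.strip(),
            "replacement": current.content.strip(),
            "at": current.seconds,
        })
    return alerts


# Constructed sample addresses: syntactically valid shapes, not real wallets.
USER_BTC = "1ConstructedBtcAddressAAAAAAAAAAAA"
SWAPPED_BTC = "1AttackerChangedThisBBBBBBBBBBBBBB"
USER_ETH = "0x" + "a" * 40
OTHER_ETH = "0x" + "b" * 40

# Constructed timeline of clipboard reads, as a polling agent would produce them.
SAMPLE_TIMELINE = [
    ClipboardSnapshot(0.0, "meeting notes for Monday"),
    ClipboardSnapshot(1.0, USER_BTC),     # user copies their own address
    ClipboardSnapshot(1.2, SWAPPED_BTC),  # clipboard rewritten 200 ms later
    ClipboardSnapshot(10.0, USER_ETH),
    ClipboardSnapshot(30.0, OTHER_ETH),   # legitimate new copy much later: no alert
    ClipboardSnapshot(31.0, OTHER_ETH),   # unchanged re-read: no alert
]


if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_TIMELINE):
        print(alert)
```

In practice the snapshots would come from a small agent that polls the OS clipboard a few times per second; the detection logic itself is platform-independent. Widening the window trades fewer missed swaps for more alerts on users who genuinely copy two addresses in quick succession, and the replacement addresses collected from confirmed hits can be matched against the wallets embedded in stealer samples.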