Pierluigi Paganini September 29, 2019

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.

Security researchers at the Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is actively distributed. The malware could steals files, browser information, and cryptocurrency wallet data and send them to the botmasters using a Telegram.

“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.

“Masad Stealer sends all of the information it collects – and receive commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”

The Masad Stealer is written in Autoit scripts and is compiled into a Windows executable. The size of most of the samples analyzed by the experts was about 1.5 MiB, but experts revealed that it is possible to find larger executables bundled into other applications. 

The malware appears to be linked to another threat dubbed “Qulab Stealer”. 

Crooks are advertising the malware on hacking forums as a stealer and clipper, the ‘fully-featured’ variant is offered for sale at $85.

Masad Stealer is distributed masquerading it as a legitimate tool or bundling it into third party tools, such as CCleaner and ProxySwitcher.

Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.

Victims can also get infected installing tainted versions of popular software and game cracks, and cheats.

Once infected a machine, Masad Stealer will collect a wide range of data, including system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, Cryptocurrency Wallets, browser cookies, usernames, passwords, and Credit Card Browser Data.

Masad Stealer is also able to automatically replaces Monero, Bitcoin Cash, Litecoin, Neo, and Web Money cryptocurrency wallets from the clipboard with its own.

The malware achieves persistence by creating a scheduled task on all Windows devices it manages. 

Once the malware has collected the information from the victims’ computers will zip them using a 7zip executable bundled within its binary, then it will exfiltrat the data to the command and control (C2) server using unique Telegram bot IDs.

The analysis of unique Telegram bot IDs and usernames associated to the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.

“Of the more than 1,000 samples we identified to be variants of this malware, there where 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations.” continues the report.

Juniper Threat Labs pointed out that Masad Stealer is an active threat and the malicious code is still available for purchase on the black market.

Experts also published a list of indicators of compromise (IOCs) with malware sample hashes and domains involved in the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]