A New Spyware Using Telegram for Exfiltration Hits the Black Market
A recent discovery by researchers at Juniper Threat Labs has unveiled a new piece of spyware that is up for sale on the black market. This spyware, known as Masad Stealer and Clipper, is delivered via a Trojan and utilizes the popular messaging app Telegram for command and control (CnC) operations, adding a layer of anonymity to its malicious activities.
Uncommon Use of Telegram for Malware Exfiltration
According to Mounir Hahad, head of Juniper Threat Labs, the use of Telegram for exfiltration is not a common practice among malware. Most malware strains hide exfiltrated data in ordinary secure web traffic such as HTTPS. Masad Stealer stands out by leveraging the Telegram infrastructure to communicate with threat actors through Telegram bots they control.
It’s important to note that regular Telegram users are not at risk of being affected by Masad Stealer, as the spyware does not compromise their accounts. Instead, it uses Telegram as a communication channel to send collected data and receive commands from threat actors.
Capabilities of Masad Stealer
Upon infecting a system, Masad Stealer goes to work collecting a variety of sensitive information stored on the device. This includes browser passwords, autofill data, desktop files, and even cryptocurrency wallets, which it replaces with its own. Additionally, the spyware targets credit card information, FileZilla files, browser cookies, system information, and installed software and processes.
Researchers at Juniper highlighted that Masad Stealer communicates with a Telegram bot controlled by the threat actor, allowing for seamless data exfiltration and remote command execution. As the spyware is commercially available on various hacking forums, it poses an ongoing threat to users.
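Because the Bot API endpoint shape is fixed, a defender can flag bot-API traffic that does not originate from an expected Telegram client. The following detector is an added example, not code from Juniper's report: it runs over constructed proxy log lines (the hosts, process names and bot tokens are placeholders), flags any request of the form api.telegram.org/bot<token>/<method> from a process outside an assumed allowlist, and redacts the token before emitting an alert.

```python
import re

# Constructed sample proxy log lines (not from the report): timestamp, host, process, URL.
SAMPLE_LOG = """\
2019-09-25T10:01:02Z host01 chrome.exe https://www.example.com/
2019-09-25T10:01:09Z host01 setup.exe https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendDocument
2019-09-25T10:01:10Z host01 Telegram.exe https://api.telegram.org/updates
2019-09-25T10:02:15Z host02 update.exe https://api.telegram.org/bot987654:ANOTHER_PLACEHOLDER/sendMessage?chat_id=42
"""

# Telegram Bot API calls always take the form https://api.telegram.org/bot<token>/<method>.
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>\w+)")

# Process images that legitimately talk to Telegram on a managed endpoint (assumed allowlist).
ALLOWED_PROCESSES = {"telegram.exe"}


def parse_line(line):
    # Fields are whitespace-separated; the URL is the last field and may contain no spaces.
    ts, host, proc, url = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "proc": proc, "url": url}


def redact_token(token):
    # Keep only the numeric bot id so analysts can pivot on it without logging the secret.
    return token.split(":", 1)[0] + ":<redacted>"


def detect_bot_exfil(log_text):
    """Return one alert per Bot API request made by a process outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_API_RE.search(rec["url"])
        if not m or rec["proc"].lower() in ALLOWED_PROCESSES:
            continue
        alerts.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "proc": rec["proc"],
            "method": m.group("method"),
            "bot_id": redact_token(m.group("token")),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bot_exfil(SAMPLE_LOG):
        print(alert)
```

The process allowlist is the weak spot: a managed fleet that does not run a Telegram client at all should treat any bot-API call as suspicious.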
Availability and Pricing
Interested buyers can purchase different versions of Masad Stealer, ranging from a free basic package to a premium option priced at $85, each offering distinct features to cater to various needs. Despite being advertised for sale, the spyware’s technique could be adopted by more sophisticated threat actors to develop their own malware.
Masad Stealer is written in AutoIt scripts and compiled into Windows executables, with most samples discovered by Juniper averaging 1.5 MiB in size. While primarily distributed as standalone executables, the spyware has also been found bundled with other software.
Telegram’s Role and Security Measures
As a messaging platform boasting over 200 million monthly active users, Telegram has positioned itself as a secure alternative to popular messengers like WhatsApp and Line. The app offers end-to-end encryption and has even launched a challenge with a prize of up to $300,000 for anyone who can crack a Telegram message.
In conclusion, the emergence of Masad Stealer underscores the evolving landscape of cyber threats, emphasizing the importance of staying vigilant and adopting robust security measures to safeguard against sophisticated malware attacks.