New Masad Stealer Malware Exfiltrates Crypto Wallets via Telegram

A new and actively distributed malware strain dubbed Masad Stealer steals files, browser information, and cryptocurrency wallet data from infected computers that get sent back to its masters using Telegram as a communication channel.

- Advertisement -

The Juniper Threat Labs team who found it discovered that the malware is in some way related to the Qulab Stealer (either as an upgraded version or as a direct predecessor), and that it is developed using Autoit scripts and then compiled as a Windows executable.

The malware is actively being advertised on hacking forums as a stealer and clipper, and it is being sold using a tier-based approach, starting with a free version and going up to a ‘fully-featured’ variant that comes with a price tag of $85.

Masad Stealer infection chain and distribution

“Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools,” found Juniper. “Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites.”

Victims can also get infected when installing various software and game cracks, cheats, and aimbots, which shows that the actors behind this malware don’t mind adopting very well known infection vectors that have proven to be highly effective.

Once it manages to infect a machine, Masad Stealer starts collecting a wide range of data from its victims, including but not limited to system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, browser cookies, usernames, passwords, and credit card information.

Stolen information

The malware also comes with the capability of automatically replacing Monero, Bitcoin Cash, Litecoin, Neo, and Web Money cryptocurrency wallets from the clipboard with ones provided by its operators.

- Advertisement -

“If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary,” found Juniper.

The malware will also create a scheduled task on all Windows devices it manages to compromise that will allow it to restart itself every minute if the victims discover and kill its process.

Used in active campaigns

All the harvested information gets zipped using a 7zip executable bundled within Masad Stealer’s binary, with the archive being exfiltrated to the command and control (C2) server using unique Telegram bot IDs.

- Advertisement -

Based on the number of unique Telegram bot IDs and usernames, the Juniper Threat Labs team found that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.

Out of all the Masad Stealer samples spotted until now, some of them can also drop other malware strains in the form of executables with modified headers, including cryptominers and other info stealers as Juniper further discovered.

Dropping additional malware via TLS stream

“Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat. Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market,” concludes Juniper.

A list of indicators of compromise (IOCs) with malware sample hashes and domains used to distribute additional malware are available at the end of Juniper’s Masad Stealer report.

Source

Previous Articles:

- Advertisement -

Latest

Michael Saylor Invites Joe Rogan to Discuss Bitcoin on Podcast

Michael Saylor has shown interest in discussing Bitcoin on The Joe Rogan Experience podcast.The idea has generated excitement in the Bitcoin community, with some...

Congress Debates Stablecoin Bill Amid Rising Bank and Crypto Tensions

U.S. lawmakers are moving forward with the Senate Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act, with debates set to resume after...

American Engineer Drugged, Robbed in Sophisticated London Crypto Heist

An American software engineer lost approximately $123,000 in cryptocurrency after being drugged and robbed in London.The victim was targeted by an impersonator posing as...

Max Keiser Doubts New Bitcoin Treasuries’ Discipline in Bear Market

Bitcoin-focused companies are increasingly copying the treasury strategy used by Michael Saylor's Strategy.Max Keiser raised doubts about whether these newer companies can maintain commitment...

South Korea Election Puts Crypto Policy at Center of Debate

Nearly one-third of South Koreans hold digital assets, making crypto a vital issue in the upcoming presidential election.Both major parties support crypto exchange-traded funds...

Must Read

What Are Anonymous Debit Cards And How Do They Work?

You've heard about anonymous debit cards, but what are they really? Anonymous Debit Cards are cards that let you make purchases without revealing your...