
New Masad Stealer Malware Exfiltrates Crypto Wallets via Telegram

A new and actively distributed malware strain dubbed Masad Stealer steals files, browser information, and cryptocurrency wallet data from infected computers and sends them back to its operators using Telegram as a communication channel.


The Juniper Threat Labs team that found it determined that the malware is in some way related to the Qulab Stealer (either as an upgraded version or as a direct predecessor), and that it is developed using AutoIt scripts and then compiled as a Windows executable.

The malware is actively being advertised on hacking forums as a stealer and clipper, and it is being sold using a tier-based approach, starting with a free version and going up to a ‘fully-featured’ variant that comes with a price tag of $85.

Masad Stealer infection chain and distribution

“Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools,” found Juniper. “Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites.”

Victims can also get infected when installing various software and game cracks, cheats, and aimbots, which shows that the actors behind this malware don’t mind adopting very well known infection vectors that have proven to be highly effective.


Once it manages to infect a machine, Masad Stealer starts collecting a wide range of data from its victims, including but not limited to system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, browser cookies, usernames, passwords, and credit card information.

Stolen information

The malware can also automatically replace Monero, Bitcoin Cash, Litecoin, Neo, and Web Money wallet addresses found in the clipboard with ones provided by its operators.

“If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary,” found Juniper.

The malware also creates a scheduled task on every Windows device it manages to compromise, which allows it to restart itself every minute if the victims discover and kill its process.
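A task that repeats every minute is unusual enough to hunt for. The following added example (not from the article or from Juniper's report) audits task definitions in the XML format that `schtasks /query /xml` exports, flagging a repetition interval of one minute or less and an action that runs from a user-writable directory; the sample tasks, file names and the directory heuristic are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: task binaries under user-writable directories deserve a closer look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

# Constructed samples (trimmed task definitions, not taken from any real host).
TASK_FAST = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2019-09-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\alice\AppData\Local\Temp\example.exe</Command></Exec></Actions>
</Task>"""
TASK_BENIGN = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2019-09-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""

def interval_seconds(iso):
    """Convert an ISO 8601 duration (days and time parts, e.g. PT1M) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def audit_task(xml_text, max_interval=60):
    """Return a list of findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    secs = [interval_seconds(e.text or "") for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    fast = [s for s in secs if s and s <= max_interval]
    cmds = [e.text or "" for e in root.iterfind(".//t:Actions/t:Exec/t:Command", NS)]
    risky = [c for c in cmds if USER_WRITABLE.search(c)]
    findings = []
    if fast:
        findings.append(f"repeats every {min(fast)}s")
    if risky:
        findings.append(f"runs from user-writable path: {risky[0]}")
    return findings

if __name__ == "__main__":
    for name, xml_text in (("fast", TASK_FAST), ("benign", TASK_BENIGN)):
        print(name, audit_task(xml_text))
```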

Used in active campaigns

All the harvested information gets zipped using a 7zip executable bundled within Masad Stealer’s binary, with the archive being exfiltrated to the command and control (C2) server using unique Telegram bot IDs.

Based on the number of unique Telegram bot IDs and usernames, the Juniper Threat Labs team found that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.
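Because the exfiltration channel is a Telegram bot, DNS lookups for the Bot API host from processes that have no business using it are a practical hunting signal. The following added example (not from the article or from Juniper's report) counts such lookups in records shaped like Sysmon Event ID 22 output; the log lines, host names, `setup_helper.exe` and the allowlisted `alertbot.exe` are constructed assumptions.

```python
import json
from collections import Counter

BOT_API_HOST = "api.telegram.org"  # host that serves the Telegram Bot API
# Assumption: hypothetical in-house tool that is allowed to use a Telegram bot.
EXPECTED_IMAGES = {r"c:\tools\alertbot.exe"}

# Constructed records shaped like Sysmon Event ID 22 (DNS query) fields.
SAMPLE = r"""
{"Computer":"WS-014","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","QueryName":"web.telegram.org"}
{"Computer":"WS-014","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_helper.exe","QueryName":"api.telegram.org"}
{"Computer":"WS-014","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_helper.exe","QueryName":"API.telegram.org."}
{"Computer":"SRV-02","Image":"C:\\Tools\\alertbot.exe","QueryName":"api.telegram.org"}
"""

def unexpected_bot_api_clients(log_text):
    """Count Bot API lookups per (host, process image) outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        query = ev.get("QueryName", "").lower().rstrip(".")
        image = ev.get("Image", "")
        # Match on the full image path: a file name alone is trivial to imitate.
        if query == BOT_API_HOST and image.lower() not in EXPECTED_IMAGES:
            hits[(ev.get("Computer", "?"), image)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, image), count in unexpected_bot_api_clients(SAMPLE).items():
        print(f"{host}: {image} resolved {BOT_API_HOST} {count} time(s)")
```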

Juniper further discovered that some of the Masad Stealer samples spotted so far can also drop other malware strains, including cryptominers and other info stealers, in the form of executables with modified headers.

Dropping additional malware via TLS stream

“Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat. Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market,” concludes Juniper.

A list of indicators of compromise (IOCs), with malware sample hashes and the domains used to distribute additional malware, is available at the end of Juniper’s Masad Stealer report.
