Masad Spyware Uses Telegram Bots for Command-and-Control

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
A freshly discovered commercial spyware dubbed the “Masad Clipper and Stealer” is using Telegram bots as its command-and-control (C2) hub. Masad harvests information from Windows and Android users and also comes with a full cadre of other malicious capabilities, including the ability to steal cryptocurrency from victims’ wallets.

According to an analysis from Juniper Threat Labs on Friday, one of the most interesting things about Masad (which the researchers think is descended from the known “Qulab Stealer” malware) is that it sends the data it collects from victims to a Telegram bot that acts as its C2 server — that’s a twist in the world of C2 mechanisms, according to researchers.

To connect to the C2 bot, Masad first sends a getMe message using a hardcoded bot token to confirm that the bot is still active, according to the analysis. Then, after harvesting a range of data and compiling it into a ZIP folder (using the 7zip utility, which is bundled into the malware binary), it sends the folder along using the sendDocument API.

“Upon receiving this request, the bot replies with the user object that contains the username of the bot. This username object is useful for identifying possible threat actors related to this malware,” Juniper researchers said in their analysis. “This is an important consideration because of the off-the-shelf nature of this malware – multiple parties will be operating Masad Stealer instances for different purposes.”
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top