silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,048
- Content source
- https://threatpost.com/masad-spyware-telegram-bots/148759/
A freshly discovered commercial spyware dubbed the “Masad Clipper and Stealer” is using Telegram bots as its command-and-control (C2) hub. Masad harvests information from Windows and Android users and also comes with a full cadre of other malicious capabilities, including the ability to steal cryptocurrency from victims’ wallets.
According to an analysis from Juniper Threat Labs on Friday, one of the most interesting things about Masad (which the researchers think is descended from the known “Qulab Stealer” malware) is that it sends the data it collects from victims to a Telegram bot that acts as its C2 server — that’s a twist in the world of C2 mechanisms, according to researchers.
To connect to the C2 bot, Masad first sends a getMe message using a hardcoded bot token to confirm that the bot is still active, according to the analysis. Then, after harvesting a range of data and compiling it into a ZIP folder (using the 7zip utility, which is bundled into the malware binary), it sends the folder along using the sendDocument API.
“Upon receiving this request, the bot replies with the user object that contains the username of the bot. This username object is useful for identifying possible threat actors related to this malware,” Juniper researchers said in their analysis. “This is an important consideration because of the off-the-shelf nature of this malware – multiple parties will be operating Masad Stealer instances for different purposes.”
Masad Spyware Uses Telegram Bots for Command-and-Control
The malware harvests data, steals cryptocurrency and drops additional malware, while masquerading as a Fortnite aimbot and more.
threatpost.com