Malwarebytes Telegram

broken image


  1. Malwarebytes Telegram Review
  2. Malwarebytes Telegram Free
  3. Malwarebytes Key Telegram

The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications.

Researchers have named the malware HackBoss and say that its operators likely stole more than $500,000 from wannabe hackers that fell for the trick.

Telegram is a popular and legitimate instant messaging service that provides end-to-end encryption. A number of cybercriminals abuse it for their daily communications but also for automated tasks found in malware. Attackers have used Telegram to exfiltrate data before, for example via traditional Trojan horses, such as the Masad stealer. The second Google result, an advertisement, led him straight to malware disguised as the desktop version of Telegram for Windows. It was convincing enough at first glance that Kirschner says he. Cybercriminals Using Telegram Messenger to Control ToxicEye Malware Adversaries are increasingly abusing Telegram as a 'command-and-control' system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems. 'Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations.

Fake user interface

Malwarebytes

Although there is nothing sophisticated about HackBoss, the scheme proves to be effective as it tempts victims with the prospect of getting hacking tools, mostly for brute-forcing passwords for banking, dating, and social media accounts.

Researchers at Avast analyzing HackBoss note that the malware is packed in a .ZIP file with an executable that launches a simple user interface.

Regardless of the options available, the UI's single purpose is to add the decrypt and execute the cryptocurrency-stealing malware on the victim's system.

This occurs when clicking any button in the fake interface. The action can also give HackBoss persistence on the system by setting up a registry key to run it at startup or by adding a scheduled task that runs the payload every minute.

'The malicious payload keeps running on the victim's computer even after the application's UI is closed. If the malicious process is terminated — for example via the Task manager — it can then get triggered again on startup or by the scheduled task in the next minute' - Avast

As for the functionality, there's no complexity to it. The malware is designed to simply check the clipboard for a cryptocurrency wallet and replace it with one belonging to the attacker.

When the victim initiates a cryptocurrency payment and copies the recipient's wallet, HackBoss quickly replaces it, taking advantage of the fact that few users check the string before hitting the pay button.

Easy money

Despite the simple functions, maintaining the cover of a hacking tool distributor requires some effort as each post comes with a bogus description to make it a believable offer.

But the endeavor appears to be profitable. Avast researchers say in a blog post today that they found over 100 cryptocurrency wallet addresses associated with the HackBoss operation that received more than $560,000 since November 2018.

Not all the funds came from the cryptocurrency-stealing malware though as there some of the addresses have been reported in scams that tricked victims into buying fake software.

Data from the Telemetrio service for Telegram and chat statistics shows that the Hack Boss channel has about nine posts per month, each with more than 1,300 views and that it grew to more than 2,800 subscribers.

Avast researchers say that HackBoss authors also promote their fake hacking tools outside the Telegram channel, although this remains the main distribution path.

One avenue is a blog (cranhan.blogspot[.]com) that advertises fake tools, provides promo videos, and also posts ads on public forums and discussions.

Avast provides a lengthy list of indicators of compromise on its GitHub page with hashes and names of the fake applications disguising HackBoss malware and the cryptocurrency wallet addresses (Bitcoin, Ethereum, Litecoin, Monero, Dogecoin) associated with the actor.

Malwarebytes Telegram Review

Related Articles:

Telegram

Although there is nothing sophisticated about HackBoss, the scheme proves to be effective as it tempts victims with the prospect of getting hacking tools, mostly for brute-forcing passwords for banking, dating, and social media accounts.

Researchers at Avast analyzing HackBoss note that the malware is packed in a .ZIP file with an executable that launches a simple user interface.

Regardless of the options available, the UI's single purpose is to add the decrypt and execute the cryptocurrency-stealing malware on the victim's system.

This occurs when clicking any button in the fake interface. The action can also give HackBoss persistence on the system by setting up a registry key to run it at startup or by adding a scheduled task that runs the payload every minute.

'The malicious payload keeps running on the victim's computer even after the application's UI is closed. If the malicious process is terminated — for example via the Task manager — it can then get triggered again on startup or by the scheduled task in the next minute' - Avast

As for the functionality, there's no complexity to it. The malware is designed to simply check the clipboard for a cryptocurrency wallet and replace it with one belonging to the attacker.

When the victim initiates a cryptocurrency payment and copies the recipient's wallet, HackBoss quickly replaces it, taking advantage of the fact that few users check the string before hitting the pay button.

Easy money

Despite the simple functions, maintaining the cover of a hacking tool distributor requires some effort as each post comes with a bogus description to make it a believable offer.

But the endeavor appears to be profitable. Avast researchers say in a blog post today that they found over 100 cryptocurrency wallet addresses associated with the HackBoss operation that received more than $560,000 since November 2018.

Not all the funds came from the cryptocurrency-stealing malware though as there some of the addresses have been reported in scams that tricked victims into buying fake software.

Data from the Telemetrio service for Telegram and chat statistics shows that the Hack Boss channel has about nine posts per month, each with more than 1,300 views and that it grew to more than 2,800 subscribers.

Avast researchers say that HackBoss authors also promote their fake hacking tools outside the Telegram channel, although this remains the main distribution path.

One avenue is a blog (cranhan.blogspot[.]com) that advertises fake tools, provides promo videos, and also posts ads on public forums and discussions.

Avast provides a lengthy list of indicators of compromise on its GitHub page with hashes and names of the fake applications disguising HackBoss malware and the cryptocurrency wallet addresses (Bitcoin, Ethereum, Litecoin, Monero, Dogecoin) associated with the actor.

Malwarebytes Telegram Review

Related Articles:

[German]Security experts from Check Point Research warn of new campaign that threatens millions of users. The attackers can install contaminated files on computers via Telegram and then control these programs remotely. Here is some information I received directly from Check Point.

Advertising

Malwarebytes Telegram Free

Check Point Research (CPR) has come across cyber criminals who are abusing the Telegram messaging service as a remote malware distribution center. The hackers hide the malware behind email attachments to infect computers. The finding was preceded by CPR observing more than 130 cyber attacks from a remote access Trojan (RAT) called ToxicEye within the last three months, coordinated by the actors through Telegram. Telegram has over 500 million active users worldwide and is one of the top ten most downloaded apps in the world.

Sophisticated attack path

The attack path looks like the hackers create a Telegram account and set up a special Telegram bot. This is a remote account that users can interact with via Telegram chat, or via groups, or via the input field when they enter the bot's name and request.


Telegram hack, source: Check Point

In a second step, the bot's login token is combined with malware. In a third step, the cyber criminals spread the malware will as an attachment via a spam email. One example found was called paypal checker by saint.exe.

If the victim opens the malicious attachment, it then connects to Telegram. From now on, anyone whose computer has been contaminated by the malware can be attacked by the hackers' Telegram bot – regardless of whether Telegram is installed at all. The malware simply connects the user's device to the attackers' command-and-control server via Telegram. If the hacker has control over the device, he can perform various malicious activities. The impact of a successful attack is manifold. Observed were:

Advertising
  • File System Control (deleting or transferring files; stopping processes; taking over the Task Manager).
  • Data leakage (theft of images, videos, passwords, system information, browser history and cookies).
  • Ransomware (encryption of data).
  • I/O-hijacking (installing a keylogger that reads input; secretly recording sound and images via the device's microphone and camera; cracking the clipboard).

Security researchers believe that Telegram is currently under increased attack because it has seen a large increase in users – including as an enterprise application. Dozens of new malware against Telegram, which can be purchased ready to use, are ready in Github stores. Some circumstances are in favor of the hackers:

  • Telegram is not blocked by enterprise security solutions because it is a real, secure and stable application, which is also easy to use and frequently used there.
  • Telegram preserves the anonymity of users, and thus of the attackers behind the infected accounts, because registration requires only a phone number.
  • The technical way of communicating via Telegram allows the attackers to easily steal data from a computer or transfer infected data to the device.
  • Attackers can use their cell phones to dial infected computers anywhere in the world via Telegram.

Malwarebytes Key Telegram

Christine Schönig, Regional Director Security Engineering CER, Office of the CTO, at Check Point Software Technologies GmbH, summarizes the research, 'We discovered that malware authors are using the Telegram platform as a ready-to-use command-and-control system for malware distribution in enterprises. This allows the malware used to receive its commands for operations from the attackers remotely via Telegram – even when Telegram is not installed or used on the computer. The malware the hackers use can be found in easily accessible places like the open-source platform Github. We are convinced the attackers are taking advantage of the fact that Telegram is used in almost all organizations and therefore bypasses security restrictions. For this reason, we strongly advise all users to be aware of the existence of malicious emails and to be suspicious of those that embed their username in the subject, or are written with broken language. Now that we know that Telegram can be used to distribute contaminated files or as a command and control center for remote malware, we expect to see more malware designed specifically for this purpose.'

Helpful tips against the attack are:

  • Look for a file named: C:UsersToxicEyerat.exe. If this is present, the computer has been infected and IT should be notified immediately to delete the file.
  • Network traffic needs to be monitored to see if any transfers are taking place from computers in the company to a Telegram command-and-control server. If this takes place and Telegram is not officially used as an application in the company, this is a clear indication.
  • Watch out for email attachments that contain usernames or messages that have them in the subject line.
  • Beware if recipient or sender names of an email are missing or unrecognizable.
  • Watch out if the email is written in broken language, meaning it contains many misspellings.
  • Companies can deploy an automated security solution against phishing anyway, which helps employees defend against it and is based on artificial intelligence. This can stand guard within the entire corporate communications.

For more information, read this article.

Cookies helps to fund this blog: Cookie settings
Advertising




broken image
PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save