Juniper Networks has discovered a new malware family that replaces cryptocurrency wallet addresses and communicates over the Telegram app, the internet infrastructure firm reported in its threat research on 26 September.
The new spyware, called “Masad Clipper and Stealer”, not only steals browsing data such as usernames, passwords and credit card information, but also replaces cryptocurrency addresses found in the clipboard.
According to the research, the spyware's clipping function currently supports a number of cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH), Ripple (XRP), Bitcoin Cash (BCH) and Litecoin (LTC), among others. Juniper Networks warned that:
“Based on our telemetry, Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools. Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites.”
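The clipper behaviour described above, a swap of the copied address for a different address of the same coin, can be caught from the defender's side by comparing what the user actually copied with what the clipboard later holds. The following is an added example, not code from Juniper or from the article: it replays a constructed clipboard timeline through a small detector. The address patterns are rough shape checks only (no checksum validation), the sample addresses are made up, and the `user`/`poll` event model stands in for whatever copy hook and polling loop a real endpoint agent would use.

```python
import re
from dataclasses import dataclass

# Rough address-shape patterns for the coins named in the report. They are
# constructed for this example: they recognise the usual address formats but
# do not verify checksums, so treat them as a triage heuristic, not validation.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "BCH": re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,59})$"),
}


def classify_address(text):
    """Return the ticker whose address shape `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class SwapAlert:
    coin: str
    original: str
    replacement: str


def detect_address_swaps(events):
    """Replay a clipboard timeline and flag clipper-style substitutions.

    `events` is a list of (source, value) tuples in time order, where source
    is "user" for a value the user deliberately copied (as a copy hook would
    report) and "poll" for what a periodic clipboard read returned. A poll
    that returns a different address of the same coin as the user's last copy,
    with no user copy in between, is the signature of a clipper at work.
    """
    alerts = []
    last_user_value = None
    for source, value in events:
        if source == "user":
            last_user_value = value
            continue
        if last_user_value is None or value == last_user_value:
            continue
        expected_coin = classify_address(last_user_value)
        observed_coin = classify_address(value)
        if expected_coin is not None and expected_coin == observed_coin:
            alerts.append(SwapAlert(expected_coin, last_user_value, value))
    return alerts


# Constructed sample addresses (valid shape only, not real wallets).
USER_BTC = "1AaaaBbbbCcccDdddEeeeFfffGgggHhhhJ"
EVIL_BTC = "1ZzzzYyyyXxxxWwwwVvvvUuuuTtttSsssR"
USER_ETH = "0x" + "ab" * 20
EVIL_ETH = "0x" + "cd" * 20

# Constructed timeline: two silent swaps and one benign, non-address copy.
SAMPLE_TIMELINE = [
    ("user", USER_BTC), ("poll", USER_BTC), ("poll", EVIL_BTC),
    ("user", "meeting notes"), ("poll", "meeting notes"),
    ("user", USER_ETH), ("poll", EVIL_ETH),
]

if __name__ == "__main__":
    for alert in detect_address_swaps(SAMPLE_TIMELINE):
        print(f"[{alert.coin}] clipboard changed from {alert.original} to {alert.replacement}")
```

The same-coin check matters: a user who copies an ETH address and then a URL has not been attacked, whereas an ETH address that turns into a different ETH address with no copy in between has no innocent explanation. The unrelated practical control is simpler still and needs no code: compare the first and last characters of a pasted address against the source before sending.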
The program uses Telegram as a command-and-control (CnC) channel, which according to Juniper “allows the malware some anonymity”. The stolen data is sent to a Telegram bot controlled by the threat actor, and the same bot sends commands back to the malware. The researchers also found that the malware is written in AutoIt scripts and then compiled into a Windows executable.
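Because the CnC traffic is ordinary HTTPS to Telegram's Bot API, the useful detection signal is not the destination alone but which process on which host is calling it. The following is an added example, not code from Juniper or the article: it parses constructed proxy log lines, picks out Bot API calls (served under `https://api.telegram.org/bot<token>/<method>`, where a token has the form `<bot id>:<secret>`), drops calls from an allowlisted process, and reports the rest with the bot's secret masked so the alert itself does not leak it. The log format, host and process names, allowlist and tokens are all assumptions made for the example.

```python
import re

# Telegram's Bot API lives at https://api.telegram.org/bot<token>/<method>.
# The log format, process names and allowlist below are constructed for this
# example; the allowlist stands in for whatever internal integration is
# actually sanctioned to talk to the Bot API in a given environment.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>\w+)")
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+url=(?P<url>\S+)$")
ALLOWED_PROCESSES = {"alerts-bridge.exe"}  # hypothetical sanctioned integration


def redact_token(token):
    """Keep the numeric bot id for correlation, mask the secret half."""
    bot_id, _, _secret = token.partition(":")
    return bot_id + ":<redacted>"


def find_bot_api_beacons(log_lines):
    """Return one alert per Bot API call made by a process outside the allowlist."""
    alerts = []
    for line in log_lines:
        entry = LOG_RE.match(line)
        if entry is None:
            continue  # not in the expected format; skip rather than crash
        call = BOT_API_RE.search(entry["url"])
        if call is None or entry["proc"].lower() in ALLOWED_PROCESSES:
            continue
        alerts.append({
            "time": entry["ts"],
            "host": entry["host"],
            "proc": entry["proc"],
            "method": call["method"],
            "bot": redact_token(call["token"]),
        })
    return alerts


# Constructed proxy log lines; hosts, processes and tokens are placeholders.
SAMPLE_LOG = [
    "2019-09-26T10:00:01Z host=ws-17 proc=alerts-bridge.exe url=https://api.telegram.org/bot1234567:PLACEHOLDER/sendMessage",
    "2019-09-26T10:00:05Z host=ws-42 proc=pdf_tool.exe url=https://api.telegram.org/bot7654321:PLACEHOLDER/sendDocument",
    "2019-09-26T10:00:09Z host=ws-42 proc=pdf_tool.exe url=https://api.telegram.org/bot7654321:PLACEHOLDER/getUpdates",
    "2019-09-26T10:00:12Z host=ws-42 proc=chrome.exe url=https://example.org/index.html",
]

if __name__ == "__main__":
    for alert in find_bot_api_beacons(SAMPLE_LOG):
        print(f"{alert['time']} {alert['host']} {alert['proc']} -> {alert['method']} via bot {alert['bot']}")
```

The two methods that show up in the sample, `sendDocument` (exfiltration) and `getUpdates` (polling for commands), are the pair a stealer using a bot as both drop and tasking channel would need; seeing both from one non-messaging process on one host is a stronger signal than either alone. The bot id is kept unmasked deliberately, because it is what lets an analyst correlate beacons across hosts without handling the secret.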
The security portal also said that the malware allegedly sells for $40 on the dark web, which puts it within reach of a large number of threat actors. Juniper Networks further warned that at the time of publishing its findings the CnC bots were still live, making the malware an active and ongoing threat.