New Spyware Uses Telegram to Communicate with Threat Actors

Written by

A new piece of spyware, that uses the app Telegram for exfiltration, is for sale on the black market.  

Trojan-delivered Masad Stealer and Clipper was clocked by researchers at Juniper Threat Labs. The spyware uses Telegram as a command and control (CnC) channel to cloak itself in a veil of anonymity. 

Mounir Hahad, head of Juniper Threat Labs told Infosecurity Magazine: "This kind of malware that uses Telegram for exfiltration is not common at all. Most malware would try to hide exfiltrated data in secured web communication like https."

He went on to say that Telegram users would not be affected by Masad Stealer. 

"This will not use people’s Telegram account. It just uses the Telegram infrastructure to communicate with threat actors controlled Telegram bots," said Hahad.

After installing itself on a computer, Masad Stealer busies itself collecting information stored on the system, such as browser passwords, autofill browser field data, and desktop files. The spyware also automatically replaces cryptocurrency wallets from the clipboard with its own.

Other information vulnerable to an attack perpetrated through Masad Stealer includes credit card browser data, FileZilla files, steam files, browser cookies, PC and system information, and installed software and processes. 

Researchers at Juniper said: "Masad Stealer sends all of the information it collects – and receives commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers."

Masad Stealer is being advertised for sale in several hack forums, making it an active and ongoing threat. Buyers can pick up a variety of versions, ranging from a free one to a premium package costing $85, with each tier of the malware offering different features.

Hahad said: "This malware is offered for sale, so I suspect they will have a handful of clients. But more importantly, the technique is available to more sophisticated and better funded groups who will develop their own malware using this technique."

Masad Stealer is written using Autoit scripts and then compiled into an executable Windows file. Most of the samples discovered by Juniper were 1.5 MiB in size; however, the spyware has also been strutting around in larger executables and has been spotted bundled into other software.

Telegram, which celebrated its sixth birthday in August, has over 200 million monthly active users.  The app claims on its website to be "more secure than mass market messengers like WhatsApp and Line" and offers anyone who can decipher a Telegram message up to $300,000 in prize money. 

What’s hot on Infosecurity Magazine?