Juniper Threat Labs discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram as a Command and Control (C&C) channel allows the malware some anonymity, as Telegram is a legitimate messaging application with 200 million monthly active users.

The malware is being advertised on black market forums as “Masad Clipper and Stealer.” It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.

Masad Stealer sends all of the information it collects – and receive commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.

What it does

This malware is written using Autoit scripts and then compiled into a Windows executable. Most samples we have seen are about 1.5 MiB in size, however, Masad Stealer can be found in larger executables as it is sometimes bundled into other software.

When Masad Stealer is executed, it drops itself in %APPDATA%\folder_name}\{file_name}, where folder_name and file_name are defined in the binary. Examples include amd64_usbhub3.inf.resources and ws2_32.exe, respectively. As a persistence mechanism, mMasad Stealer creates a scheduled task that will start itself every one minute.

Masad stealer using scheduled task as persistence mechanism

Stealing routine

After installing itself, Masad Stealer starts by collecting sensitive information from the system, such as:

Cryptocurrency Wallets

PC and system information

Credit Card Browser Data

Browser passwords

Installed software and processes

Desktop Files

Screenshot of Desktop

Browser cookies

Steam files

AutoFill browser fields

Discord and Telegram data

FileZilla files

It zips this information into a file using 7zip utility, which is bundled into the malware binary.

A screenshot of what this malware have exfiltrated on one test machine

The above screenshot is a view of what Masad Stealer tries to exfiltrate from a sandbox. But the data that it can exfiltrate can expand to the following list:

A list of information that this malware can steal

Using a hardcoded bot token, which is basically a way to communicate with the Command and Control bot, Masad Stealer sends this zip file using the sendDocument API.

A snip of sendDocument telegram bot API that this malware used to exfiltrate data

In order to communicate with the Command and Control bot, Masad Stealer first sends a getMe message using the bot token to be able to confirm that the bot is still active. Upon receiving this request, the bot replies with the user object that contains the username of the bot. This username object is useful for identifying possible threat actors related to this malware. This is an important consideration because of the off-the-shelf nature of this malware – multiple parties will be operating Masad Stealer instances for different purposes.

Initial request by the malware to the telegram bot to make sure it is active.

Where the bot’s token is “719604859:AAE3Pg_oJ8cPgTxKzDtysU-3Zpj6hsBxNqI”.

Clipping Routine

This malware includes a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. Below are the regular expressions and supported wallets that it matches against the clipboard data:

A list of wallet and corresponding regular expressions that it monitors on the clipboard

Below is a list of coins/wallet it tries to clip:

Monero Bitcoin Cash Litecoin Neo Web Money ADA ZCASH DogeCoin Stratis QIWI Pay Bicond Waves Reddcoin Qtum Payeer Bytecoin Bitcoin Black Coin VIA Steam Trade Link Bitcoin Gold Emercoin Lisk Ethereum Dash Ripple Yandex Money

If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary. Below are the bitcoin and monero wallets found in one of the samples:

Bitcoin: 1AtwyYF2TGR969cyRDrR2XFDqSPzwCXKfe

Monero: 42Mm9gjuUSmPNr7aF1ZbQC6dcTeSi1MgB1Tv41frv1ZRFWLn4wNoLH3LDAGn9Fg2dhJW2VRHTz8Fo9ZAit951D2pDY8ggCR

Below is a snapshot of the bitcoin wallet transaction, as of this writing. This wallet has already received around $9,000 USD equivalent of bitcoins (as of Sept 15, 2019), which may or may not come from the activity of this malware.

A sample fraudulent bitcoin wallet found on one of the sample

Attack Vector

Based on our telemetry, Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools. Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites. Below are the currently known list of software that Masad Stealer has been seen mimicking:

ProxySwitcher (legitimate version here: https://www.proxyswitcher.com/)

CCleaner.exe (legitimate version here: https://ccleaner.com/)

Utilman.exe (legitimate version comes with Windows)

Netsh.exe (legitimate version comes with Windows)

Iobit v 1.7.exe (legitimate version here:https://www.iobit.com/)

Base Creator v1.3.1 [FULL CRACK].exe (there is no legitimate version)

EXEA HACK CRACKED (PUBG,CS GO,FORTNITE,GTA 5,DOTA).exe (there is no legitimate version)

Icacls.exe (legitimate version comes with Windows)

WSManHTTPConfig.exe (legitimate version comes with Windows)

RADMIR CHEAT MONEYY.exe (there is no legitimate version)

Tradebot_binance.exe (legitimate version here: https://tradesanta.com/en)

Whoami.exe (legitimate version comes with Windows)

Proxo Bootstrapper.exe (this is actually a reasonably popular form of malware)

Fortniteaimbot 2019.exe (there is no legitimate version)

Galaxy Software Update.exe (https://www.samsung.com/us/support/answer/ANS00077582/)

Download additional malware

Some samples of Masad Stealer have the capability to download additional malware. We have seen samples that download other malware, usually a miner, from these URLs:

https://masadsasad[.]moy.su/base.txt (miner)

https://zuuse[.]000webhostapp.com/mi.exe (miner)

http://37[.]230.210.84/still/Build.exe

http://37[.]230.210.84/still/SoranoMiner.exe

http://187[.]ip-54-36-162.eu/steal.exe

http://bgtyu73[.]ru/22/Build.exe

Masad stealer downloading a miner via HTTPS and with modified header

The figure above is a response from the request to https://masadsasad[.]moy.su/base.txt. This response contains an executable file with modified header. In addition to connecting via TLS, the modified header is an added trick by the malware to hide itself.

TLS streams are more difficult to inspect, helping to hide them from network-based security defenses. The modified header helps to hide the fact that the payload being downloaded is an executable from endpoint security products.

Threat Actors

This malware is being advertised in several hack forums as Masad Stealer. It starts with a free version and ladders up to versions asking up to $85, with each tier of the malware offering different features.

Sample Masad stealer ad found in hackforums

There is at least one dedicated website (masadproject[.]life) in existence to promote the sale of Masad Stealer. The developers have also created a Telegram group for their potential clients, and presumably to offer tech support. At time of writing, this group has more than 300 members.

Screenshot of a telegram group where one threat actor is operating

Of the more than 1,000 samples we identified to be variants of this malware, there where 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations. We used the getMe API, along with the bot token, to identify the usernames. Among the top bot IDs are as follows:

Telegram Bot ID Telegram Bot Username Unique Hashes bot610711208 potterk_bot 45 bot830353220 reaper228bot 24 bot661438794 RanisYolo19_bot 23 bot796671289 dfsklnjfmkdvehfsf454sdfbot 22 bot870978042 dawdvwabot 20 bot753197414 korote_bot 14 bot823037532 NA/Inactive 13 bot699800942 RcbBots_Bot 13 bot831297312 xAmytBot 13 bot883608782 bichpaket777_bot 12 bot656889928 notius_bot 12 bot813438470 idontknowubot 12 bot911603667 Masat_bot 11 bot963764792 NA/Inactive 11 bot930786995 reborntodes_bot 9 bot884837464 istrong_bot 9 bot646596033 SkyDen_bot 9 bot865594389 gnoy199519bot] 8

Previous versions of this malware (or possibly a direct ancestor) are called “Qulab Stealer”.

How does Juniper Networks protect you against this?

Juniper Advanced Threat Protection products JATP and Sky ATP use machine learning to be able to accurately identify malware. The following images show the Sky ATP detecting multiple variations of this malware.

Juniper Sky ATP’s detection of this malware family

The use of machine learning is critical to defending against this malware because of the number of rapid iterations it underwent throughout its development. Machine learning allows Juniper Connected Security to identify Masad Stealer variants as they emerge, helping to keep customers protected even before new strains have been identified.

Conclusion

Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat. Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market.

In order to protect your organization, make sure that you have a next generation firewall (NGFW) with Advanced Threat Protection. NGFWs have the ability to identify the Telegram protocol and block it, if there is no legitimate business use, while Advanced Threat Protection products offer other methods to detect and counteract this malware.

Juniper Sky ATP, in conjunction with our SRX firewall will block any client infected with Masad Stealer from reaching out to the Command and Control bot master. It will also block the download of the Masad Stealer malware files in the first place, offering both remediation and prevention capabilities.

Indicators of Compromise

Sha256

e968affb1fc7756deb0e29807a06681d09a0425990be76b31816795875469e3d

4b1ccf6b823ee82e400ba25b1f532cd369d7e536475a470e2011b77ffeaf7bb3

fc84d6636a34ad1a11dbaa1daec179e426bdcd9887b3d26dc06b202417c08f95

9ca15f15fbae58cb97b0d48a0248461e78e34e6d530338e3e5b91f209a166267

31f3a402c1662ed6adffbf2b1b65cf902d1df763698eb76d21e4e94b4c629714

8d9f124ddd69c257189f1e814bb9e3731c00926fc2371e6ebe2654f3950ca02e

a0923d7645604faaa864a079adeb741a5d6e65507a2819b2fee4835d396077d9

a19b790ea12f785256510dde367d3313b5267536a58ca0c27dbdac7c693f57e1

f030fb4e859ee6a97c50c973a73dced3640befe37f579cfd15367ce6a9bbede2

f01db6d77ac21211992ceae4e66e1e03c1cb39d61e03645b9369f28252ca7693

dfe3d0e95feaed685a784aed14d087b019ba2eb0274947a840d2bdbae4ae3674

bf6083040ca51e83415f27c9412d9e3d700bd0841493b207bc96abf944ab0ca7

b154151dc8ace5c57f109e6bb211a019db20c4f0127c4d13c7703f730bf49276

6bf6b1bde63cee9b81902efd187fdd56ecee5853754ce0a19d5ab5c3b0242988

0dcf547bd8f4074af97416d8b84ea64b2f3319064aa4bce64ad0c2e2d3957175

6cff1249cc45b61ce8d28d87f8edc6616447e38168e610bed142f0b9c46ea684

5b5ebe019806885bbaafe37bc10ca09549e41c240b793fd29a70690a5d80b496

103d87098c9702cab7454b52869aeeb6a22919f29a7f19be7509255ce2d8c83e

c73675005a09008bc91d6bc3b5ad59a630ab4670dca6ac0d926165a3ecfd8d92

ef623aadd50330342dc464a31b843b3d8b5767d62a62f5e515ac2b380b208fbe

3ba3c528d11d1df62a969a282e9e54534fb3845962672ad6d8bbc29cb6d062f5

b763054180cd4e24c0a78b49055ad36dbc849f1a096cddf2db8cee0b9338c21d

d5ce4b04b7eec6530a4a9d40510177468fadc235253e5a74530a8c9d990f3c50

965a5949d8f94e17ebcd4cb6d0a7c19f49facbfc1b1c74111e5ceb83550d6c8f

44134b9d4b10d94f6381b446a1728b116d62e65c1a52db45235af12caf7e38c0

848d76a227f4fe282b7ddfd82a6dfc4c25da2735a684462b42fe4e1c413d8e34

5ca0a957fe6c253827f344da4ba8692d77a4e21a1df4251594be2d27d87dd8ae

016fa511f6546ed439d2606c6db8821685a99f5a14ef3f710668b58dc89c6926

22be594fbfa878f631c0632f6c4d260b00918817ff66a1f9f15efe44c1a58460

f3571ec66288405dab43332ca03812617f85fb08832fbbe1f1d89901fe034b8a

04c949eca23103b1de05278b49f42c3ab6b06f4bf20aafa5f2faefaa84c16ecd

e968affb1fc7756deb0e29807a06681d09a0425990be76b31816795875469e3d

d6fc04acda8f33a6d35eb577c27754c2f2b4d6f4869576c7c4e11b2c5e9b0176

18c0bd4dd98008383fc52045ad896449fa7f0037593bb730ed1ef88aa547006d

4c9d5469e9095813418260045c2b11e499e4eaa0ffb25293f90f580c464157df

0b5f1fbc05dc8baca492b748adeb01fb4904e02723b59211ecde222f7b12d91e

31ad5c4547ceae4d0550c8460524c16a6105afc056760e872c4966656256c9dc

edb00a0e5ff70e899857549e3263c887a799416c8bbab43ab130ca1be9bbd78c

96f852b81760a425befaa11ea37c0cdea2622630bf2a0c94bb95042211ab614d

57fd171a5b1a88e9583b42439851a91a940eb31105ab29cb314846da2ed43b82

277018b2cc6226dca6c7678cac6718c8584f7231340ad8cd7c03477559fdf48b

1acf5a461ee16336eb8bbf8d29982c7e26d5e11827c58ca01adac671a28b52ad

290a1b89517dec10bfd9938a0e86ae8c53b0c78ed7c60dc99e4f8e5837f4f24a

7937a1068f130a90b44781eea3351ba8a2776d0fede9699ba8b32f3198de045b

87e44bca3cc360c64cc7449ec1dc26b7d1708441d471bf3d36cd330db3576294

cf97d52551a96dacb089ac41463d21cab2b004ba8c38ffc6cb5fb0958ddd34db

79aa23c5a25c7cdbaba9c6c655c918dac3d9823ac62ebed9d7d3e94e1eaafc07

03d703f6d341be258ac3d95961ff0a67d4bf792f9e896530e193b091dca29c2e

a368b6755e62e5c0ff79ea1e3bd146ee8a349af309b4acf0558a9c667e78293a

ba933cefbe9a8034f0ba34e7d18481a7db7451c8ef4b6172fb0cad6db0513a51

URLs:

https://masadsasad[.]moy.su/base.txt

https://zuuse[.]000webhostapp.com/mi.exe

http://37[.]230.210.84/still/Build.exe

http://37[.]230.210.84/still/SoranoMiner.exe

http://187[.]ip-54-36-162.eu/steal.exe

http://bgtyu73[.]ru/22/Build.exe