Posted on June 1, 2021 at 1:31 PM
The Telegram messenger app may have a function that interests threat actors. A recent report reveals that the ads on the app are been used to launch attacks on cryptocurrency holders using samples of the HackBoss malware.
The malware copies crypto addresses
The threat actors used the HackBoss Telegram messenger medium to advertise apps claiming to be the best hackers online.
However, the fake apps contain links to anonymous or encrypted file storage that is downloaded as a .Zip file. If the user opens the file, It runs a .exe program that easily decrypts and executes a malicious payload when a user clicks on the program.
Also, the action of the user can put the malware into action at startup and every time there is a scheduled task.
After HackBoss becomes active on the targeted system, it checks the clipboard content regularly to pick up anything that looks like a crypto wallet address. After finding a crypto address format, it automatically replaces it with another address to steal the user’s funds.
Apart from promoting their malware, the makers of the HackerBoss Telegram messenger also used a website that contains promotional blog posts. They also take advantage of videos and adverts on public forums and YouTube channels for their promotional goals.
Ironically, the campaign is targeting those who are looking to make money through illegal means themselves.
AVAST security firm discovered more than 100 crypto assets that belong to the malware family’s creators. The report revealed that the wallets have a total of $560,000 worth of cryptocurrencies at the time Avast was analyzing it.
But the amount stolen is probably not up to that according to the security firm. It further revealed that the threat actors use some of the wallet addresses to deceive users to purchase fake software online. Also, other campaigns were likely carried out by the HackerBoss handlers using the same crypto addresses.
Other malware campaign involved Telegram
Telegram has also been used by other malware campaigns in the past apart from HackBoss. In October last year, G Data Software stated that the T-RAT 2.0 threat tool was used by threat actors to send commends over the Telegram messenger.
The malware gives the controller the power to capture screenshots, steal crypto addresses using clipboard information, and steal passwords.
Earlier this year, a malicious ad was directing its targets to a bogus Windows version of Telegram. The threat actors cloned the website and planted the AZORult infostealer sample in systems that visited the fake website.
After that, last month CheckPoint Research revealed that a remote access Trojan dubbed “ToxicEye” has been used by threat actors to launch attacks on users through the Telegram messenger app. The hackers utilized phishing emails to distribute the malicious.exe. After the malware becomes active, it steals data, deletes files, and encrypts the stolen data before sending it to the control server of the threat actor.
Protection against HackBoss and other similar malware
Security researchers have advised users how they can stay protected against malware like HackBoss. Such attacks show the need for organizations and institutions to stay cautious when it comes to transactions involving cryptocurrencies. To beef up security, users and crypto holders need to be very sure about the wallet address they are sending money to. Additionally, they should enable multi-factor authentication (MFA) to prevent the threat actors from having unauthorized access to their accounts.
With MFA, it will be more difficult for threat actors to steal users’ passwords as they need to go through an additional security protocol even if they manage to circumvent the first protocol by stealing users’ passwords. So many users have succeeded in preventing the theft of their cryptocurrencies by enabling an additional security check.
Also, users have been advised to use strong antivirus software that can monitor and detect all negative vices hackers use to infiltrate their targets’ systems.