Bitcoin went into meltdown starting September 24 when the BTC price dropped by more than 10% in what some highly respected commentators referred to as a bitcoin crash. The bad news for bitcoin continued through the week, with the price continuing to fluctuate around, and below, $8,000 (£6,500). Now bitcoin buyers have been issued a warning concerning another threat to their cryptocurrency investment: an “active and ongoing” threat campaign that steals bitcoin wallets.
What is the Masad Clipper and Stealer?
Security researchers from Juniper Threat Labs have reported how spyware, delivered by a Trojan and using the encrypted Telegram messaging platform for data exfiltration, targets cryptocurrency wallets.
The off-the-shelf malware, identified as “Masad Clipper and Stealer,” is currently being distributed in black market forums online. The malware starts off free, but the prices ramp up to $85 (£69) for the versions with the most functionality. Juniper researchers discovered a Telegram group, with more than 300 members, where potential buyers can learn more and, it is thought, also get tech support. The Telegram messaging service, with more than 200 million users worldwide, is also being deployed as a command and control (C2) channel for the malware to provide anonymity to the operators. I say operators for a good reason: Masad is sold as an off-the-shelf package and is therefore being used by multiple criminal actors. The Juniper researchers have found 338 different Telegram C2 bot IDs to date, which ties in nicely with the Telegram Masad support group membership.
What is the Masad infection vector?
Juniper researchers have said that the main route to infection being used by those behind the Masad attacks has been to pose as a legitimate application, or sometimes to bundle the malware executables into third-party tools, to fool the unwary victim. These downloads are advertised, and linked to, in user forums, third-party download sites and file-sharing sites. Just some of the software and tools that Masad is currently known to be masquerading as include a Fortnite game aimbot, fake updates for Samsung Galaxy smartphones and the CCleaner system clean-up application. The full list can be found in the Juniper research report.
How does Masad steal your bitcoin?
The malware is, at heart, simple spyware: it looks for sensitive data via the web browser, including credit card details, passwords, autofill fields, cookies, installed software and processes, desktop files and system information.
Oh yes, and cryptocurrency wallets.
One function of the Masad malware is to monitor the system clipboard for data that matches the address format of specific cryptocurrency wallets. If a match is detected, Masad replaces that clipboard data, the destination wallet address the victim just copied, with an attacker-controlled wallet address hard-coded into the malware binary. As well as bitcoin, Masad will look for almost every other cryptocurrency; these are opportunist cybercriminals and they will not overlook any chance to make a quick profit.
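The clipper technique described above can be caught on the defender's side by comparing what was copied with what is actually on the clipboard at paste time, and by validating the address checksum before a transaction is sent. The following is an added example of that check, not code from Juniper's report or from the malware; the address patterns are the public bitcoin formats, the genesis-block address is used as a known-good sample, and the "bad actor" address is a constructed placeholder.

```python
import hashlib
import re

# Public bitcoin address formats; used here only to classify clipboard text.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58Check
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{8,87}$"),         # lower-case bech32
}

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify(text):
    """Return the address family the text looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def base58check_ok(addr):
    """Verify the 4-byte double-SHA256 checksum of a legacy (Base58Check) address."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1' = 0x00 byte
    if len(body) != 25:  # version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(body[:-4]).digest()).digest()
    return digest[:4] == body[-4:]


def check_paste(copied, clipboard_now):
    """Compare the address the user copied with the clipboard content at paste time.
    Returns 'ok', 'swapped' (clipper signature: content changed without a new copy),
    'invalid' (checksum failure) or 'not-an-address'."""
    kind = classify(copied)
    if kind is None:
        return "not-an-address"
    now = clipboard_now.strip()
    if now != copied.strip():
        return "swapped"
    if kind == "btc-legacy" and not base58check_ok(now):
        return "invalid"
    return "ok"
```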
Mitigating the Masad bitcoin wallet-stealing risk
The mitigation advice is not to download software, tools or services through anything other than an official app store or manufacturer site. “In order to protect your organization, make sure that you have a next-generation firewall (NGFW) with Advanced Threat Protection,” Juniper researchers said. “NGFWs have the ability to identify the Telegram protocol and block it, if there is no legitimate business use, while Advanced Threat Protection products offer other methods to detect and counteract this malware.”