An attack targeting users of several file-sharing and messaging platforms has been discovered using a new variant of the Echelon credential stealer malware.
How was the campaign discovered?
SafeGuard Cyber researchers discovered a sample of the Echelon malware posted on a Telegram channel.
- Telegram handle Smokes Night was used by the attackers to spread the malware.
- There was no coordinated effort behind the campaign, according to researchers.
- Attackers lured novices and unsuspecting users by posting in a Telegram channel devoted to discussions about cryptocurrency. Infecting users with the Echelon infostealer was the ultimate objective.
The Echelon information stealer
- The Echelon infostealer malware was first discovered in 2018.
- Echelon steals login credentials for file-sharing and messaging platforms, including FileZilla, Discord, Outlook, Edge, OpenVPN, and Telegram.
- Additionally, the malware targets the credentials of a number of cryptocurrency wallets, including Exodus, BitcoinCore, ByteCoin, Jaxx, AtomicWallet, and Monero.
More technical information
The Echelon credential stealer was delivered to the cryptocurrency channel in a .RAR file named “present).rar,” which contained three files: “pass – 123.txt,” a benign text document containing a password; “DotNetZip.dll,” a non-malicious class library and toolset for manipulating .ZIP files; and “Present.exe,” the malicious executable for the Echelon credential stealer.
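The archive layout described above (a “password” text file, a bundled .NET helper DLL and an executable) is a pattern a chat or mail gateway can flag before anyone opens it. The following is an added triage example, not code from the report or from SafeGuard Cyber; it builds an in-memory ZIP with constructed placeholder members mirroring that layout (the real lure was a RAR, ZIP is used only because Python's standard library reads it) and scores the member names without extracting anything.

```python
import io
import posixpath
import zipfile

# Heuristics drawn from the lure layout described in the article (constructed
# thresholds, not the report's own detection logic).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PASSWORD_HINTS = ("pass", "password", "pwd")


def triage_members(names):
    """Return indicator strings for an archive member listing (no extraction)."""
    indicators = []
    lower = [posixpath.basename(n).lower() for n in names]
    exes = [n for n in lower if posixpath.splitext(n)[1] in EXEC_EXT]
    dlls = [n for n in lower if n.endswith(".dll")]
    pw_txt = [n for n in lower
              if n.endswith(".txt") and any(h in n for h in PASSWORD_HINTS)]
    if exes:
        indicators.append("executable:" + ",".join(exes))
    if exes and dlls:
        # A DLL shipped next to an executable: bundled dependency of the payload.
        indicators.append("executable-with-bundled-dll")
    if pw_txt:
        indicators.append("password-hint-text:" + ",".join(pw_txt))
    if exes and pw_txt:
        # "Here is the password" plus an executable is the lure pattern above.
        indicators.append("exe-plus-password-lure")
    return indicators


def build_constructed_archive():
    """Build an in-memory ZIP mimicking the lure's member layout (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass - 123.txt", "123\n")
        zf.writestr("DotNetZip.dll", b"MZ" + b"\x00" * 64)  # placeholder bytes
        zf.writestr("Present.exe", b"MZ" + b"\x00" * 64)    # placeholder bytes
    buf.seek(0)
    return buf


def triage_zip(fileobj):
    """List member names without extracting, then run the heuristics."""
    with zipfile.ZipFile(fileobj) as zf:
        return triage_members(zf.namelist())


if __name__ == "__main__":
    print(triage_zip(build_constructed_archive()))
```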
The Echelon malware includes two anti-debugging functions that stop the process as soon as the malware detects a debugger or malware analysis tool.
The payload also included several functions designed to make it difficult to detect or analyze, including that anti-debugging routine, which terminates the malware process if it detects a debugger or other analysis tool, and ConfuserEx obfuscation.
Researchers were eventually able to decode the code and look inside the Echelon sample that was sent to the Telegram channel's users.
According to the researchers, the sample includes domain detection, which implies it would try to steal data from any domain the victim has visited.
The report includes a complete list of platforms that the Echelon sample attempted to target.
Computer fingerprinting and the capacity to snap a screenshot of the victim’s workstation are among the malware’s other features, according to researchers.
According to them, the Echelon sample taken from the campaign uses a compressed .ZIP file to deliver credentials, other stolen data, and screenshots back to a command-and-control server.
Windows Defender detects and deletes the malicious Present.exe executable sample as #LowFI:HookwowLow, so users running antivirus software are protected from the potential damage caused by Echelon, researchers said.
In fact, Telegram has become a hotbed of cybercrime activity, with cybercriminals using bots, compromised accounts, and other means to spread malware on the platform due to its popularity and broad attack surface.
Conclusion
Echelon infostealer is able to entice unsuspecting users using trusted social media channels such as Telegram. A number of popular cryptocurrency wallets are targeted, so all cryptocurrency users are at risk.