Wednesday, April 24, 2024

Telegram Abused to Steal Crypto-Wallet Credentials

Cybercriminals use the Telegram handle “Smokes Night” to spread the malicious infostealer Echelon, which steals crypto currency and other account credentials.

Researchers say hackers are targeting the crypto-wallets of Telegram users with the Echelon infostealer as part of an attempt to defraud new or unsuspecting users of a cryptocurrency discussion channel on the messaging platform.

The malware harvests credentials from a number of applications, including Discord, Edge, FileZilla, OpenVPN, Outlook and even Telegram itself, along with cryptocurrency wallets including Atomic Wallet, BitcoinCore, ByteCoin, Exodus, Jaxx and Monero.

SafeGuard Cyber believes that the senders did not coordinate the campaign and were simply targeting new or naive users of the channel, based upon the malware and the way it was posted, according to the report.

It’s unclear whether the attackers succeeded in distributing Echelon on the channel under the handle “Smokes Night”, researchers found. They wrote, “The post seems to be unrelated to anything in the channel.”

It appears that no other users on the channel noticed or engaged with the message. Researchers saw no evidence that the malware reached users’ devices, but that does not mean it didn’t, they said.

“There was no response to Smokes Night or complaint about the file, though this does not mean users did not get infected,” they wrote.

Cybercriminals have indeed used bots, malicious accounts, and other means to distribute malware on Telegram in order to capitalize on its popularity and wide attack surface.

Analysis of the Malware

Echelon was delivered to the cryptocurrency channel as part of a large .RAR file titled “present).rar” that contained three files: “pass -123.txt,” a benign text document containing a password; “DotNetZip.dll,” a toolkit and library that allows manipulation of .ZIP files; and “Present.exe,” a malicious executable for the Echelon credential stealer.
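As an added example (not code from the article or from the SafeGuard Cyber report), a small Python triage heuristic for archives shaped like the delivery described above: the member names are the ones quoted in the article, the scoring weights are my own assumption, and the sample is a constructed ZIP rather than the real RAR so that the standard library can read it.

```python
import io
import os
import re
import zipfile

# Extensions that execute when double-clicked (assumed triage list, not from the report).
EXECUTABLE_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
# Text files whose stem mentions a password, e.g. "pass -123.txt".
PASSWORD_NOTE = re.compile(r"pass(word)?", re.IGNORECASE)


def triage_members(names):
    """Score an archive member listing; higher means more Echelon-like."""
    score, reasons = 0, []
    base = [os.path.basename(n) for n in names]
    exes = [n for n in base if os.path.splitext(n)[1].lower() in EXECUTABLE_EXT]
    if exes:
        score += 2
        reasons.append("executable member(s): " + ", ".join(exes))
    if any(n.lower().endswith(".txt") and PASSWORD_NOTE.search(os.path.splitext(n)[0])
           for n in base):
        score += 2
        reasons.append("password note shipped inside the archive")
    if "dotnetzip.dll" in (n.lower() for n in base):
        score += 1
        reasons.append("DotNetZip.dll bundled beside the executable")
    if exes and len(base) <= 4:
        score += 1
        reasons.append("small archive whose payload is an executable")
    return score, reasons


def triage_zip_bytes(blob):
    """Apply the heuristic to an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return triage_members(zf.namelist())


def build_sample():
    """Constructed stand-in for the archive in the article; contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass -123.txt", "123\n")
        zf.writestr("DotNetZip.dll", b"MZ" + b"\0" * 16)  # placeholder, not a real DLL
        zf.writestr("Present.exe", b"MZ" + b"\0" * 16)    # placeholder, not malware
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip_bytes(build_sample()))
```

The same `triage_members` call works on the listing of any archive format your tooling can enumerate, including RAR via a third-party reader.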

The payload, built in .NET, is obfuscated with the open-source ConfuserEx tool and carries two anti-debugging checks that promptly terminate the process if a debugger or other malware-analysis tooling is detected.

Researchers eventually de-obfuscated the code and examined the Echelon sample delivered via Telegram. They wrote that the sample includes domain detection, so it will also attempt to steal data relating to any domain the victim has visited. The report lists several platforms that Echelon attempted to target.

The malware can also take a screenshot of the victim’s computer and fingerprint the machine, researchers said. According to the researchers, the sample taken from the campaign sends the stolen credentials and screenshots back to a command-and-control server as a compressed .ZIP file.

Microsoft’s Windows Defender detects the malicious Present.exe sample as #LowFI:HookwowLow and removes it, protecting users running its antivirus from Echelon.
