Cybercriminals using the Telegram handle “Smokes Night” are spreading the Echelon infostealer, a malware that steals cryptocurrency and other account credentials.
Researchers say hackers are targeting the crypto-wallets of Telegram users with the Echelon infostealer as part of an attempt to defraud new or unsuspecting users of a cryptocurrency discussion channel on the messaging platform.
The malware targets credentials from a number of applications, including Discord, Edge, FileZilla, OpenVPN, Outlook and even Telegram itself, as well as cryptocurrency wallets including Atomic Wallet, BitcoinCore, ByteCoin, Exodus, Jaxx and Monero.
SafeGuard Cyber believes that the senders did not coordinate the campaign and were simply targeting new or naive users of the channel, based upon the malware and the way it was posted, according to the report.
It’s unclear whether attackers were successful in distributing Echelon on the channel using the handle “Smokes Night”, researchers found. They wrote, “The post seems to be unrelated to anything in the channel.”
It appears that no other users on the channel noticed or engaged with the message. There is no evidence that the malware reached users’ devices, but researchers cautioned that this does not mean it did not.
“There was no response to Smokes Night or complaint about the file, though this does not mean users did not get infected,” they wrote.
Cybercriminals have indeed used bots, malicious accounts, and other means to distribute malware on Telegram in order to capitalize on its popularity and wide attack surface.
Analysis of the Malware
Echelon was delivered to the cryptocurrency channel as part of a large .RAR file titled “present).rar” that contained three files: “pass -123.txt,” a benign text document containing a password; “DotNetZip.dll,” a toolkit and library that allows manipulation of .ZIP files; and “Present.exe,” a malicious executable for the Echelon credential stealer.
The payload, built in .NET, is obfuscated with the open-source ConfuserEx tool and includes two anti-debugging techniques that promptly terminate the process if a debugger or other malware analysis tool is detected.
Researchers eventually deobfuscated the code and examined the Echelon sample delivered via Telegram. They wrote that the sample includes domain detection, so it will also attempt to steal data related to any domain the victim has visited. The report lists several platforms that Echelon attempted to target.
The malware can also take a screenshot of the victim’s computer and fingerprint the machine, researchers said. According to the researchers, the sample taken from the campaign sends stolen credentials and screenshots back to a command-and-control server as a compressed .ZIP file.
Microsoft’s Windows Defender detects the malicious Present.exe executable as #LowFI:HookwowLow and removes it, protecting users of its antivirus software from Echelon.