Juniper Threat Labs has discovered a new Trojan that spreads spyware. The spyware uses Telegram to get stolen information. By using Telegram as a Command and Control (CnC) channel, the malware has the potential to infect the devices of some 200 million active users every month.

The malware is called “Masad Clipper and Stealer” on underground forums. Masad Stealer collects data and sends it to a Telegrambot managed by the individual who is using Masad. Because the malware is offered as a ready-made ‘product’, it can be used by numerous cyber criminals, who do not have to be the original creators of the malware.

The malicious software steals browser information, which may contain usernames, passwords, and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets on the user’s clipboard with its own wallet, making it possible to steal cryptocurrency.

How it works

According to Juniper, the new malware was built using Autoit scripts. These are then compiled into a Windows executable. Masad Stealer is executed in %APPDATA%\map_name}\{file name}\{file name}\{file name}, where directory_name and file name are derived from the binary. Examples include amd64_usbhub3.inf.resources and ws2_32.exe. Masad Stealer also creates a scheduled task every minute, in order to keep functioning as long as possible.

After installation, Masad Stealer starts collecting sensitive information from the system. In addition to e.g. cryptographic data, system information is also stolen, as well as credit card data and browser passwords. Information about installed software and processes is also captured, with a number of frequently used programs including Steam and Discord.

Juniper’s research shows that Masad Stealer is distributed in Trojans that are disguised as a legitimate application. Sometimes the malware is bundled in tools of other programs. Cybercriminals reach users by advertising on forums, on third party download sites or on file-sharing sites. Juniper’s blog provides more information about programs imitated by the Trojan.