ESET researchers analyzed Android and Windows clippers that can tamper with instant messages and use OCR to steal cryptocurrency funds
ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers – a type of malware that steals or modifies the contents of the clipboard. All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time we have seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.
- ESET Research has found the first instance of clippers built into instant messaging apps.
- Threat actors are going after victims’ cryptocurrency funds using trojanized Telegram and WhatsApp applications for Android and Windows.
- The malware can switch the cryptocurrency wallet addresses the victim sends in chat messages for addresses belonging to the attacker.
- Some of the clippers abuse optical character recognition to extract text from screenshots and steal cryptocurrency wallet recovery phrases.
- In addition to clippers, we also found remote access trojans (RATs) bundled with malicious Windows versions of WhatsApp and Telegram.
Prior to the establishment of the App Defense Alliance, we discovered the first Android clipper on Google Play, which led to Google improving Android security by restricting system-wide clipboard operations for apps running in the background on Android versions 10 and higher. As our latest findings unfortunately show, this action didn’t succeed in weeding the problem out completely: not only did we identify the first instant messaging clippers, we uncovered several clusters of them. The main purpose of the clippers we discovered is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps.
Of course, these are not the only copycat applications to go after cryptocurrencies – just at the beginning of 2022, we identified threat actors focused on repackaging legitimate cryptocurrency applications that try to steal recovery phrases from their victims’ wallets.
Overview of the trojanized apps
Due to the different architecture of Telegram and WhatsApp, the threat actors had to choose a different approach to create trojanized versions of each of the two. Since Telegram is an open-source app, altering its code while keeping the app’s messaging functionality intact is relatively easy. On the other hand, WhatsApp’s source code is not publicly available, which means that before repackaging the application with malicious code, the threat actors first had to perform an in-depth analysis of the app’s functionality to identify the specific places to be modified.
Despite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. For ease of analysis and explanation, we split the apps into several clusters based on these functionalities; in this blogpost, we will describe four clusters of Android clippers and two clusters of malicious Windows apps. We will not go into the threat actors behind the apps, as there are several of them.
Before briefly describing these app clusters though, what’s a clipper and why would cyberthieves use one? Loosely, in malware circles, a clipper is a piece of malicious code that copies or modifies content in a system’s clipboard. Clippers are thus attractive to cybercriminals interested in stealing cryptocurrency because addresses of online cryptocurrency wallets are composed of long strings of characters, and instead of typing them, users tend to copy and paste the addresses using the clipboard. A clipper can take advantage of this by intercepting the content of the clipboard and surreptitiously replacing any cryptocurrency wallet addresses there with one the thieves can access.
Cluster 1 of the Android clippers also constitutes the first instance of Android malware using OCR to read text from screenshots and photos stored on the victim’s device. OCR is deployed in order to find and steal a seed phrase, which is a mnemonic code comprised of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.
Compared to Cluster 1’s use of advanced technology, Cluster 2 is very simple. This malware merely switches the victim’s cryptocurrency wallet address for the attacker’s address in chat communication, with the addresses either being hardcoded or dynamically retrieved from the attacker’s server. This is the only Android cluster where we identified trojanized WhatsApp samples in addition to Telegram.
Cluster 3 monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends the full message to the attacker server.
Finally, the Android clippers in Cluster 4 not only switch the victim’s wallet address, but also exfiltrate internal Telegram data and basic device information.
Regarding the Windows malware, there was a cluster of Telegram cryptocurrency clippers whose members merely intercept and modify Telegram messages in order to switch cryptocurrency wallet addresses, just like the second cluster of Android clippers. The difference is in the source code of the Windows version of Telegram, which required additional analysis on the part of the malicious actors to be able to insert their own wallet address.
In a departure from the established pattern, the second Windows cluster is not comprised of clippers, but of remote access trojans (RATs) that enable full control of the victim’s system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.
Distribution
Based on the language used in the copycat applications, it seems that the operators behind them mainly target Chinese-speaking users.
Because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram being blocked since 2015 and WhatsApp since 2017, people who wish to use these services have to resort to indirect means of obtaining them. Unsurprisingly, this constitutes a ripe opportunity for cybercriminals to abuse the situation.
In the case of the attacks described in this blogpost, the threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirect the unfortunate viewers to copycat Telegram and WhatsApp websites, as illustrated in Figure 1. On top of that, one particular Telegram group also advertised a malicious version of the app that claimed to have a free proxy service outside of China (see Figure 2). As we discovered these fraudulent ads and related YouTube channels, we reported them to Google, which promptly shut them all down.
At first glance, it might seem that the way these copycat apps are distributed is quite convoluted. However, it’s possible that with Telegram, WhatsApp, and the Google Play app all being blocked in China, Android users there are used to jumping through several hoops if they want to obtain officially unavailable apps. Cybercriminals are aware of this and try to ensnare their victims right from the get-go – when the victim searches Google for either a WhatsApp or a Telegram app to download. The threat actors purchased Google Ads (see Figure 3) that redirect to YouTube, which both helps the attackers to get to the top of search results and also avoids getting their fake websites flagged as scams, since the ads link to a legitimate service that Google Ads presumably considers very trustworthy.
The links to the copycat websites can usually be found in the “About” section of the YouTube channels. An example of such a description can be seen in a very rough translation in Figure 4.
During our research, we found hundreds of YouTube channels pointing to dozens of counterfeit Telegram and WhatsApp websites – some can be seen in Figure 5. These sites impersonate legitimate services (see Figure 6) and offer both desktop and mobile versions of the app for download. None of the analyzed apps were available on the Google Play store.
Determine 6. Web sites mimicking Telegram and WhatsApp
Analysis
We found various types of malicious code being repackaged with legitimate Telegram and WhatsApp apps. While the analyzed apps sprang up at roughly the same time using a very similar pattern, it seems that they were not all developed by the same threat actor. Aside from most of the malicious apps being able to switch cryptocurrency addresses in Telegram and WhatsApp communications, there are no indications of further connections between them.
While the fake websites offer download links for all operating systems where Telegram and WhatsApp are available, all Linux and macOS links, as well as most iOS links, redirect to the services’ official websites. In the case of the few iOS links that do lead to fraudulent websites, the apps were no longer available for download at the time of our analysis. Windows and Android users thus constitute the main targets of the attacks.
Android trojans
The main purpose of the trojanized Android apps is to intercept victims’ chat messages and either swap any cryptocurrency wallet addresses for those belonging to the attackers, or exfiltrate sensitive information that would allow attackers to steal victims’ cryptocurrency funds. This is the first time we have seen clippers that specifically target instant messaging.
To be able to modify messages, the threat actors had to thoroughly analyze the original code of both services’ apps. Since Telegram is an open-source application, the cybercriminals only had to insert their own malicious code into an existing version and compile it; in the case of WhatsApp, however, the binary had to be modified directly and repackaged to add the malicious functionality.
We observed that when switching wallet addresses, the trojanized apps for Telegram behave differently from those for WhatsApp. A victim using a malicious Telegram app will keep seeing the original address until the application is restarted, whereupon the displayed address will be the one that belongs to the attacker. In contrast, the victim’s own address will remain visible in sent messages if using a trojanized WhatsApp, while the message recipient will receive the attacker address. This is shown in Figure 7.
Cluster 1
Cluster 1 is the most intriguing, since its members constitute the first known instance of OCR abuse in any Android malware. In this case, trojanized Telegram apps use a legitimate machine learning plugin called ML Kit on Android to search the victim’s device for images with .jpg and .png extensions, the most common screenshot formats on Android. The malware looks for screenshots of cryptocurrency wallet recovery phrases (also known as mnemonics) that the victim might have stored on the device as a backup.
Malicious functionality that iterates through files on the device and runs them through the OCR recognizeText function can be seen in Figure 8.
As shown in Figure 9, if recognizeText finds the string mnemonic or 助记词 (mnemonic in Chinese) in the text extracted from the image, it sends both the text and the image to the C&C server. In select cases we have seen the list of keywords expanded to eleven entries, specifically 助记词, Mnemonic, memorizing, Memorizing, recovery phrase, Recovery Phrase, wallet, METAMASKA, Phrase, secret, Recovery phrase.
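A defender-side audit of the same OCR output, as an added example that is not code from the report or from the malware: it applies the Cluster 1 keyword list quoted above to already-extracted text (the OCR engine is left out and stood in for by constructed results) and also flags bare seed-phrase screenshots that the malware’s keyword filter would miss. The BIP39 word-count heuristic and the sample filenames are assumptions made for this example.

```python
import re

# The eleven keywords the report saw in the expanded Cluster 1 list. The malware does a plain
# substring search on the OCR output, so this check is deliberately case-sensitive as well.
CLIPPER_KEYWORDS = [
    "助记词", "Mnemonic", "memorizing", "Memorizing", "recovery phrase", "Recovery Phrase",
    "wallet", "METAMASKA", "Phrase", "secret", "Recovery phrase",
]
SCANNED_EXTENSIONS = (".jpg", ".png")       # the extensions the Cluster 1 apps enumerate
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}     # valid BIP39 phrase lengths (assumption: BIP39-style backups)


def clipper_keywords_in(text):
    """Keywords the Cluster 1 check would match in this OCR output, in the malware's list order."""
    return [keyword for keyword in CLIPPER_KEYWORDS if keyword in text]


def looks_like_bare_seed_phrase(text):
    """Heuristic for a screenshot that is nothing but the phrase itself: 12..24 lowercase words."""
    words = text.split()
    return len(words) in SEED_WORD_COUNTS and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words)


def audit_ocr_output(ocr_text_by_file):
    """Map {filename: OCR text} to {filename: {"reasons": [...], "targeted": bool}} for images that
    should not stay on the device unencrypted. 'keyword:*' reasons are what the malware would
    exfiltrate; 'bare-seed-phrase' marks backups its keyword filter would miss but that are just as
    sensitive. 'targeted' says whether the file extension is one the malware scans at all."""
    report = {}
    for name, text in ocr_text_by_file.items():
        reasons = [f"keyword:{k}" for k in clipper_keywords_in(text)]
        if looks_like_bare_seed_phrase(text):
            reasons.append("bare-seed-phrase")
        if reasons:
            report[name] = {
                "reasons": reasons,
                "targeted": name.lower().endswith(SCANNED_EXTENSIONS),
            }
    return report


SEED_WORDS = "apple banana cherry dragon eagle falcon grape hammer island jungle kettle lemon"

# Constructed OCR results standing in for ML Kit / Tesseract output on three images.
SAMPLE_OCR_OUTPUT = {
    "Screenshot_20230101.png": "Recovery Phrase\n" + SEED_WORDS,   # what the malware would grab
    "IMG_0042.jpg": "happy birthday from all of us",                # harmless
    "notes.png": SEED_WORDS,                                         # no keyword, still a seed backup
}

if __name__ == "__main__":
    for name, info in audit_ocr_output(SAMPLE_OCR_OUTPUT).items():
        print(name, info)
```

To run it over a real photo folder, feed the dictionary from any OCR library (for example pytesseract's `image_to_string` on each file); that call is not part of the block.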
Cluster 2
In contrast with Cluster 1, which employs advanced techniques to aid its malicious actions, the second cluster of Android clippers is the least complicated among the four: these malicious apps merely swap wallet addresses, without further malicious functionality. The trojans in Cluster 2 mostly switch addresses for bitcoin, Ethereum, and TRON coin wallets, with several of them also being able to switch wallets for Monero and Binance. The way the messages are intercepted and modified can be seen in Figures 10 and 11.
Cluster 2 is the only Android cluster where we found not only Telegram, but also WhatsApp samples. Both types of trojanized apps either have a hardcoded list of attacker wallet addresses (as seen in Figure 11) or dynamically request them from a C&C server, as seen in Figure 12.
Cluster 3
This cluster monitors Telegram communication for particular keywords in Chinese, such as “mnemonic”, “bank”, “address”, “account” and “Yuan”. Some of the keywords are hardcoded, while others are received from the C&C server, meaning they could be modified or expanded at any time. Once a Cluster 3 clipper recognizes a keyword, the whole message, along with the username and the group or channel name, is sent to the C&C server, as can be seen in Figure 13.
Cluster 4
The last identified cluster of Android clippers, Cluster 4, can not only switch cryptocurrency addresses, but also exfiltrate the victim’s Telegram data by obtaining their configuration files, phone number, device information, pictures, Telegram username, and the list of installed apps. Logging into these malicious versions of the Telegram app means that all the personal internal data stored inside, such as messages, contacts, and configuration files, become visible to the threat actors.
To demonstrate, let’s focus on this cluster’s most intrusive trojanized app: this malware combs the internal Telegram storage for all files smaller than 5.2 MB and without a .jpg extension and steals them. Additionally, it can also exfiltrate basic information about the device, the list of installed applications, and phone numbers. All the stolen files are archived in a data.zip file, which is then exfiltrated to the C&C. All malware within this cluster uses the same ZIP filename, suggesting a common author or codebase. The list of the files exfiltrated from our analysis device can be seen in Figure 14.
Windows trojans
As opposed to the trojanized Android apps we discovered, the Windows versions consist not only of clippers, but also of remote access trojans. While the clippers focus mainly on cryptostealing, the RATs are capable of a wider variety of malicious actions such as taking screenshots and deleting files. Some of them can also manipulate the clipboard, which would allow them to steal cryptocurrency wallets. The Windows apps were found on the same domains as the Android versions.
Cryptocurrency clippers
We discovered two samples of Windows cryptocurrency clippers. Just like Cluster 2 of the Android clippers, these intercept and modify messages sent through a trojanized Telegram client. They use the same wallet addresses as the Android cluster, meaning that they most likely come from the same threat actor.
The first of the two clipper samples is distributed as a portable executable with all the necessary dependencies and data embedded directly in its binary. This way, no installation takes place after the trojan is executed, keeping the victim unaware that something is amiss. The malware intercepts not only messages between users, but also all saved messages, channels, and groups.
Similar to the related Android Cluster 2, the code responsible for modifying the messages uses hardcoded patterns to identify the cryptocurrency addresses within messages. These are highlighted in yellow in Figure 15. If found, the code replaces the original addresses with the corresponding addresses belonging to the attacker (highlighted in pink). This clipper focuses on bitcoin, Ethereum, and TRON.
The second clipper uses a standard installation process, the same as the legitimate Telegram installer. However, even if the process outwardly looks innocent, the installed executable is far from benign. Compared to legitimate Telegram, it contains two additional files encrypted using a single-byte XOR cipher with the key 0xff. The files contain a C&C server address and an agent ID used to communicate with the C&C.
This time, no hardcoded addresses are used. Instead, the clipper obtains both the message patterns and the corresponding cryptocurrency wallet addresses from the C&C via an HTTP POST request. The communication with the C&C works in the same way as shown for Cluster 2 of the Android clippers (Figure 12).
In addition to swapping cryptocurrency wallet addresses, this clipper can also steal the victim’s phone number and Telegram credentials. When a person compromised by this trojanized app tries to log in on a new device, they are asked to enter the login code sent to their Telegram account. Once the code arrives, the notification is automatically intercepted by the malware, and the verification code, along with the optional password, ends up in the hands of the threat actors.
Similar to the first Windows clipper sample, any message sent using this malicious version of Telegram containing bitcoin, Ethereum, or TRON cryptocurrency wallet addresses will be modified to replace the addresses with those provided by the attacker (see Figure 16). However, unlike the Android version, the victims will not be able to discover that their messages have been tampered with without comparing chat histories: even after restarting the app, the sender will always see the original version of the message, because the relevant part of the code is executed again on application start; the recipient, on the other hand, will only ever receive the attacker wallet.
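The chat-history comparison just described is the only way to notice the Windows clipper (and the address-swapping Android Cluster 2 apps), so here it is as a script. This is an added example, not code from the report or from the malware: the address patterns are constructed for the three coin families named above (the malware’s own hardcoded patterns are not reproduced in the report), and the two chat exports are constructed sample data in which the sender’s copy still shows the original address while the recipient’s copy shows what actually arrived.

```python
import re

# Address formats for the coins the clippers swap (bitcoin, Ethereum, TRON).
# Constructed for this example from the public address formats, not taken from the malware.
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),   # P2PKH / P2SH (base58)
    "bitcoin-bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{6,87}\b"),          # native segwit
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[a-km-zA-HJ-NP-Z1-9]{33}\b"),
}


def extract_addresses(text):
    """Return [(coin, address), ...] in order of appearance in the message text."""
    hits = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), coin, match.group(0)))
    return [(coin, address) for _, coin, address in sorted(hits)]


def compare_histories(sender_copy, recipient_copy):
    """Pair the two exports message by message and report every message whose wallet addresses
    differ between what the sender still sees and what the recipient received. Assumes both lists
    hold the same conversation in the same order (a clipper rewrites text, it does not drop messages)."""
    findings = []
    for index, (sent, received) in enumerate(zip(sender_copy, recipient_copy)):
        sent_addresses = extract_addresses(sent)
        received_addresses = extract_addresses(received)
        if sent_addresses != received_addresses:
            findings.append({"index": index, "sent": sent_addresses, "received": received_addresses})
    return findings


# Constructed addresses that only satisfy the patterns above; they are not real wallets.
SENT_ADDRESS = "1AbCdEfGhJkLmNpQrStUvWxYz23456789A"
ATTACKER_ADDRESS = "3AbCdEfGhJkLmNpQrStUvWxYz23456789B"
ETH_ADDRESS = "0x" + "ab" * 20

# Constructed chat exports: the sender's copy keeps the original address (Figure 16 behaviour),
# the recipient's copy contains the substituted one.
SENDER_EXPORT = [
    "hi, ready to settle up?",
    f"please send the BTC to {SENT_ADDRESS}",
    f"or ETH to {ETH_ADDRESS} if easier",
]
RECIPIENT_EXPORT = [
    "hi, ready to settle up?",
    f"please send the BTC to {ATTACKER_ADDRESS}",
    f"or ETH to {ETH_ADDRESS} if easier",
]

if __name__ == "__main__":
    for finding in compare_histories(SENDER_EXPORT, RECIPIENT_EXPORT):
        print(f"message {finding['index']}: sender sees {finding['sent']}, recipient got {finding['received']}")
```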
Figure 16. Legitimate Telegram client (left) and trojanized one (right)
Remote access trojans
The rest of the malicious apps we discovered are distributed in the form of Telegram and WhatsApp installers bundled with remote access trojans. Once the RATs have gained access to the system, neither Telegram nor WhatsApp needs to run for the RATs to operate. In the observed samples, malicious code was mostly executed indirectly by means of DLL side-loading, allowing the attackers to hide their actions behind the execution of legitimate applications. These RATs differ significantly from the clippers, since they don’t explicitly focus on stealing cryptocurrency wallets. Instead, they contain several modules with a wide range of functionalities, allowing the threat actors to perform actions such as stealing clipboard data, logging keystrokes, querying the Windows Registry, capturing the screen, obtaining system information, and performing file operations. Each RAT we discovered used a slightly different combination of modules.
With one exception, all the remote access trojans we analyzed were based on the infamous Gh0st RAT, malware that is frequently used by cybercriminals due to its public availability. As an interesting aside, Gh0st RAT’s code uses a specific packet flag set to Gh0st by default, a value that threat actors like to customize. In changing the flag, they can use something that makes more sense for their version of the malware, or they can use no flag at all. They can also, as in one case observed during our analysis, reveal their deepest desires by changing the flag to lambo (as in the nickname for the Italian luxury car brand; see Figure 17).
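Because the flag is the first thing operators rename, a network detection should not key on the literal Gh0st bytes. The following added example (not code from the report or from any RAT) checks the framing instead: it assumes the header layout of the publicly available Gh0st source, a 5-byte flag followed by a little-endian total length and uncompressed length and then a zlib-compressed body, and it accepts any flag value, so a frame tagged lambo is reported too. The sample payloads are constructed for the example.

```python
import struct
import zlib

FLAG_LEN = 5        # "Gh0st" by default; operators rename it ("lambo" in one sample from the report)
HEADER_LEN = 13     # flag + total length (u32 LE, header included) + uncompressed length (u32 LE)


def parse_gh0st_frame(data):
    """Return (flag, plaintext) if `data` is one complete Gh0st-style frame, else None.
    The flag bytes play no part in the decision; the length fields and the zlib body are what is checked."""
    if len(data) < HEADER_LEN + 2:
        return None
    flag = data[:FLAG_LEN]
    total_len, plain_len = struct.unpack_from("<II", data, FLAG_LEN)
    if total_len != len(data):
        return None
    body = data[HEADER_LEN:]
    if body[0] != 0x78:              # zlib CMF byte: deflate with a 32K window
        return None
    try:
        plain = zlib.decompress(body)
    except zlib.error:
        return None
    if len(plain) != plain_len:
        return None
    return flag, plain


def scan_payloads(payloads):
    """Run the check over a list of captured TCP payloads; return [(flag, plaintext), ...] for hits."""
    hits = []
    for payload in payloads:
        parsed = parse_gh0st_frame(payload)
        if parsed is not None:
            hits.append(parsed)
    return hits


def make_sample_frame(flag, plain):
    """Build a frame with this layout so the detector can be exercised offline (constructed test traffic)."""
    body = zlib.compress(plain)
    return flag + struct.pack("<II", HEADER_LEN + len(body), len(plain)) + body


# Constructed sample traffic: a default-flag frame, a renamed-flag frame, and two non-matching payloads.
SAMPLE_PAYLOADS = [
    make_sample_frame(b"Gh0st", b"constructed heartbeat"),
    make_sample_frame(b"lambo", b"constructed system info"),
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"Gh0st" + b"\x00" * 20,        # the literal flag alone is not enough: framing is wrong
]

if __name__ == "__main__":
    for flag, plain in scan_payloads(SAMPLE_PAYLOADS):
        print(f"Gh0st-style frame, flag={flag!r}, plaintext={plain!r}")
```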
The one RAT among the group that wasn’t completely based on Gh0st RAT used code from the HP-Socket library to communicate with its C&C server. Compared to the other RATs, this one uses significantly more anti-analysis runtime checks throughout its execution chain. While its source code certainly differs from the rest of the trojans discovered, its functionality is mostly identical: it is capable of performing file operations, obtaining system information and the list of running programs, deleting profiles of commonly used browsers, downloading and running a potentially malicious file, and so on. We suspect that this is a custom build that could be inspired by the Gh0st implementation.
Prevention and uninstallation
Android
Install apps only from trustworthy and reliable sources such as the Google Play store.
If you are sharing cryptocurrency wallet addresses via the Android Telegram app, double-check whether the address you sent matches the address that is displayed after restarting the application. If not, warn the recipient not to use the address and try to remove the message. Unfortunately, this technique cannot be applied to trojanized WhatsApp for Android.
Be aware that the previous tip doesn’t help the recipient in the case of trojanized Telegram; since the recipient of the wallet address only sees the attacker wallet, they will be unable to tell whether the address is genuine.
Don’t store unencrypted pictures or screenshots containing sensitive information, such as mnemonic phrases, passwords, and private keys, on your device.
If you believe you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play or directly from the legitimate website.
Windows
If you aren’t sure whether your Telegram installer is legitimate, check that the file’s digital signature is valid and issued to Telegram FZ-LLC.
If you suspect that your Telegram app is malicious, we advise that you use a security solution to detect the threat and remove it for you. Even if you don’t own such software, you can still use the free ESET Online Scanner.
The only official version of WhatsApp for Windows is currently available in the Microsoft Store. If you installed the application from any other source, we advise you to delete it and then scan your device.
Conclusion
During our research into trojanized Telegram and WhatsApp apps distributed through copycat websites, we discovered the first instances of Android clippers that intercept instant messages and swap victims’ cryptocurrency wallet addresses for the attacker’s address. Moreover, some of the clippers abused OCR to extract mnemonic phrases from images stored on the victims’ devices, a malicious use of screen-reading technology that we observed for the first time.
We also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans. Through their various modules, the RATs give the attackers control over the victims’ machines.
IoCs
Files
SHA-1 | Package Name | Detection | Description |
---|---|---|---|
C3ED82A01C91303C0BEC36016D817E21615EAA07 | org.telegram.messenger | Android/Clipper.I | Trojanized version of Telegram for Android in Cluster 4. |
8336BF07683F40B38840865C60DB1D08F1D1789D | org.telegram.messenger | Android/Clipper.I | Trojanized version of Telegram for Android in Cluster 4. |
E67065423DA58C0025E411E8E56E0FD6BE049474 | org.tgplus.messenger | Android/Clipper.J | Trojanized version of Telegram for Android in Cluster 1. |
014F1E43700AB91C8C5983309751D952101B8ACA | org.telegram.messenger | Android/Clipper.K | Trojanized version of Telegram for Android in Cluster 2 and Cluster 3. |
259FE1A121BA173B2795901C426922E32623EFDA | org.telegram.messenger.web2 | Android/Clipper.L | Trojanized version of Telegram for Android in Cluster 2. |
0A79B29FC0B04D3C678E9B95BFF72A9558A632AC | org.telegram.messenger | Android/Clipper.M | Trojanized version of Telegram for Android in Cluster 1. |
D44973C623E680EE0A4E696C99D1AB8430D2A407 | org.telegram.messenger | Android/Clipper.N | Trojanized version of Telegram for Android in Cluster 1. |
88F34441290175E3AE2FE0491BFC206899DD158B | org.telegram.messenger | Android/Clipper.O | Trojanized version of Telegram for Android in Cluster 4. |
0936D24FC10DB2518973C17493B6523CCF8FCE94 | io.busniess.va.WhatsApp | Android/Clipper.V | |
8E98438103C855C3E7723140767749DEAF8CA263 | com.whatsapp | Android/Clipper.V | Trojanized version of WhatsApp for Android in Cluster 1. |
5243AD8BBFBC4327B8C4A6FD64401912F46886FF | com.whatsapp | Android/Clipper.V | Trojanized version of WhatsApp for Android in Cluster 1. |
SHA-1 | Filename | Detection | Description |
---|---|---|---|
646A70E4F7F4502643CDB9AA241ACC89C6D6F1C0 | Telegram.exe | Win32/Agent.AEWM | Trojanized version of Windows Telegram in the first cluster. |
858A5B578A0D8A0D511E502DE16EC2547E23B375 | Telegram.exe | Win64/PSW.Agent.CS | Trojanized version of Windows Telegram in the first cluster. |
88AAC1C8AB43CD540E0677BAA1A023FDA88B70C4 | Telegram.exe | Win64/PSW.Agent.CT | Trojanized version of Windows Telegram in the first cluster. |
F3D2CCB4E7049010B18A3300ABDEB06CF3B75FFA | Telegram.exe | Win64/PSW.Agent.CT | Trojanized version of Windows Telegram in the first cluster. |
A5EB91733FD5CDC8386481EA9856C20C71254713 | 1.exe | Win32/TrojanDownloader.Agent.GLD | Malicious downloader from trojanized Telegram in the second Windows cluster. |
34FA6E6B09E08E84D3C544F9039CB14624080A19 | libcef.dll | Win32/Kryptik.HMVR | Malicious DLL from trojanized Telegram in the second Windows cluster. |
5E4021AE96D4B28DD27382E3520E8333288D7095 | 1.txt | Win32/Farfli.BUR | Gh0st RAT variant in the second Windows cluster. |
14728633636912FB91AE00342D7C6D7050414D85 | BASICNETUTILS.dll | Win32/Agent.AEMT | Malicious DLL from trojanized Telegram in the second Windows cluster. |
B09E560001621AD79BE31A8822CA72F3BAC46F64 | BASICNETUTILS.dll | Win32/Agent.AEMT | Malicious DLL from trojanized Telegram in the second Windows cluster. |
70B8B5A0BFBDBBFA6BA6C86258C593AD21A89829 | templateX.TXT | Win32/Farfli.CUO | Gh0st RAT variant in the second Windows cluster. |
A51A0BCCE028966C4FCBB1581303980CF10669E0 | templateX.TXT | Win32/Farfli.CUO | Gh0st RAT variant in the second Windows cluster. |
A2883F344831494C605598B4D8C69B23A896B71A | collec.exe | Win64/GenKryptik.FZHX | Malicious downloader from trojanized Windows Telegram in the second cluster. |
F8005F22F6E8EE31953A80936032D9E0C413FD22 | ZM.log | Win32/Farfli.DBP | RAT that uses the HP-Socket library for communication with the C&C in the second Windows cluster. |
D2D2B0EE45F0540B906DE25B1269D257578A25BD | DuiLib.dll | Win32/Agent.AEXA | Malicious DLL from trojanized Windows Telegram in the second cluster. |
564F7A88CD5E1FF8C318796127A3DA30BDDE2AD6 | Telegram.msi | Win32/TrojanDownloader.Agent.GLD | Trojanized version of Windows Telegram installer in the second cluster. |
C5ED56584F224E7924711EF47B39505D4D1C98D2 | TG_ZH.exe | Win32/Farfli.CUO | Trojanized version of Windows Telegram installer in the second cluster. |
2DCDAAAEF094D60BC0910F816CBD42F3C76EBEE9 | TG_CN.exe | Win32/Farfli.CUO | Trojanized version of Windows Telegram installer in the second cluster. |
31878B6FC6F96703AC27EBC8E786E01F5AEA5819 | telegram.exe | Win64/PSW.Agent.CS | Trojanized version of Windows Telegram installer in the first cluster. |
58F7E6E972774290DF613553FA2120871436B9AA | 飞机中文版X64.zip (machine translation: Plane Chinese Version) | Win64/GenKryptik.FZHX trojan | Archive containing trojanized version of Windows Telegram installer in the second cluster. |
CE9CBB3641036E7053C494E2021006563D13E1A6 | Telegram.7z | Win32/Agent.AEWM trojan | Archive containing portable version of trojanized Windows Telegram executable in the second cluster. |
7916BF7FF4FA9901A0C6030CC28933A143C2285F | WhatsApp.exe | Agent.AEUO | Trojanized version of Windows WhatsApp installer in the first Windows cluster. |
B26EC31C9E8D2CC84DF8B771F336F64A12DBD484 | webview_support.dll | Agent.AEUO | Malicious DLL from trojanized WhatsApp in the second Windows cluster. |
366D12F749B829B436474C9040E8102CEC2AACB4 | improve.xml | Win32/Farfli.DCC | Encrypted malicious payload in the second Windows cluster. |
A565875EDF33016D8A231682CC4C19FCC43A9A0E | CSLoader.dll | Win32/Farfli.DCC | Shellcode injector in the second Windows cluster. |
CFD900B77494574A01EA8270194F00E573E80F94 | 1.dll | Win32/Farfli.BLH | Gh0st RAT variant in the second Windows cluster. |
18DE3283402FE09D2FF6771D85B9DB6FE2B9D05E | telegram.exe | Win64/PSW.Agent.CT | Trojanized version of Windows Telegram installer in the first cluster. |
Network
Attacker wallets
MITRE ATT&CK techniques
This table was built using version 12 of the MITRE ATT&CK mobile techniques.
Tactic | ID | Name | Description |
---|---|---|---|
Discovery | T1418 | Software Discovery | Android Clipper can obtain a list of installed applications. |
Collection | T1409 | Stored Application Data | Android Clipper extracts files from the internal storage of the Telegram app. |
Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | Android Clipper uses HTTP and HTTPS to communicate with its C&C server. |
Exfiltration | T1646 | Exfiltration Over C2 Channel | Android Clipper exfiltrates stolen data over its C&C channel. |
Impact | T1641.001 | Data Manipulation: Transmitted Data Manipulation | Android Clipper swaps cryptocurrency wallet addresses in Telegram communication. |
This table was built using version 12 of the MITRE ATT&CK enterprise techniques.
Tactic | ID | Name | Description |
---|---|---|---|
Execution | T1106 | Native API | Trojanized Windows Telegram uses the Windows API function ShellExecuteExA to execute shell commands received from its C&C. |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Trojanized Windows Telegram copies itself to the Startup directory for persistence. |
Privilege Escalation | T1134 | Access Token Manipulation | Trojanized Windows Telegram adjusts token privileges to enable SeDebugPrivilege. |
Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Trojanized Windows Telegram is capable of deleting event logs. |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Trojanized Windows Telegram decrypts and loads the RAT DLL into memory. |
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Trojanized Windows Telegram uses legitimate applications to perform DLL side-loading. |
Defense Evasion | T1622 | Debugger Evasion | Trojanized Windows Telegram checks the BeingDebugged flag of the PEB to detect whether a debugger is present. |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Trojanized Windows Telegram identifies execution in a virtual machine via WQL. |
Credential Access | T1056.001 | Input Capture: Keylogging | Trojanized Windows Telegram has a keylogger. |
Discovery | T1010 | Application Window Discovery | Trojanized Windows Telegram is able to discover application windows using EnumWindows. |
Discovery | T1012 | Query Registry | Trojanized Windows Telegram can enumerate registry keys. |
Discovery | T1057 | Process Discovery | Trojanized Windows Telegram can list running processes on the system. |
Discovery | T1082 | System Information Discovery | Trojanized Windows Telegram gathers system architecture, processor, OS configuration, and hardware information. |
Collection | T1113 | Screen Capture | Trojanized Windows Telegram captures the victim's screen. |
Collection | T1115 | Clipboard Data | Trojanized Windows Telegram steals clipboard data from the victim. |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Trojanized Windows Telegram uses HTTPS to communicate with its C&C server. |
Command and Control | T1095 | Non-Application Layer Protocol | Trojanized Windows Telegram uses an encrypted TCP protocol to communicate with the C&C. |
Command and Control | T1105 | Ingress Tool Transfer | Trojanized Windows Telegram can download additional files. |
Command and Control | T1573 | Encrypted Channel | Trojanized Windows Telegram encrypts its TCP communications. |
Exfiltration | T1041 | Exfiltration Over C2 Channel | Trojanized Windows Telegram sends victim data to its C&C server. |
Impact | T1529 | System Shutdown/Reboot | Trojanized Windows Telegram can reboot or shut down the victim's machine. |
Impact | T1565.002 | Data Manipulation: Transmitted Data Manipulation | Trojanized Windows Telegram swaps cryptocurrency wallet addresses in Telegram communication. |
Impact | T1531 | Account Access Removal | Trojanized Windows Telegram removes the profiles of commonly used browsers to force victims to log into their web accounts again. |