A new malware strain named Masad Stealer steals files, browser information, and cryptocurrency wallet data from the affected computers and uses Telegram as a communication channel to send back the data to its masters.
The malware was discovered by the security team at Juniper Threat Labs, who found that it is related to the Qulab Stealer (either as an upgraded version of it or as a direct predecessor), and that it is written in AutoIt script and then compiled into a Windows executable.
The malware is advertised on hacking forums as a stealer and clipper. It is sold in tiers, starting with a free version and going up to a fully featured version priced at $85.
Masad Stealer’s main distribution vector is to pose as a legitimate tool or to be bundled into third-party tools. The attackers get users to download it by advertising on forums, third-party download sites, or file-sharing sites.
Victims can also become infected while installing software and game cracks, cheats, and aimbots.
After infecting a system, Masad Stealer collects a wide range of data from its victims, including system information, screenshots, desktop text files, Steam Desktop Authenticator sessions, browser cookies, usernames, passwords, and credit card information.
The malware can also automatically replace cryptocurrency wallet addresses (Monero, Bitcoin Cash, Litecoin, Neo, and WebMoney) in the clipboard with ones belonging to its operators.
If the clipboard data matches any of the address patterns coded into Masad Stealer, the malware replaces it with one of the threat actors’ wallets, which are also embedded in its binary.
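The clipper behaviour described above is detectable from the defender's side by comparing what the user actually copied with what the clipboard holds when it is next read. The following script is an added example and not part of the report or of the malware; the address regexes are constructed from the publicly documented formats of the five wallet families named above (they cover the common forms only, and are not the malware's own pattern list), and the clipboard event log and addresses are constructed sample input.

```python
import re

# Address patterns for the wallet families the report names. Constructed for this
# example from the documented address formats; common forms only, an assumption
# rather than the malware's own list.
ADDRESS_PATTERNS = {
    "monero":       re.compile(r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "bitcoin_cash": re.compile(r"\b(?:bitcoincash:)?[qp][a-z0-9]{41}\b"),
    "litecoin":     re.compile(r"\b(?:[LM][1-9A-HJ-NP-Za-km-z]{32,33}|ltc1[a-z0-9]{39,59})\b"),
    "neo":          re.compile(r"\bA[1-9A-HJ-NP-Za-km-z]{33}\b"),
    "webmoney":     re.compile(r"\b[ZREUBGDXK]\d{12}\b"),
}


def classify(text):
    """Return (family, address) for the first wallet-looking token in text, or None."""
    for family, pattern in ADDRESS_PATTERNS.items():
        match = pattern.search(text)
        if match:
            return family, match.group(0)
    return None


def detect_clipboard_swaps(events):
    """Flag reads whose wallet address differs from the one the user last copied.

    events: sequence of (action, content) where action is "copy" (the user wrote
    the clipboard) or "read" (the clipboard content observed just before a paste).
    A clipper leaves the copy untouched and rewrites the content in between, so
    a read that carries a *different* address of the *same* family is the signal.
    """
    alerts = []
    last_copied = None
    for action, content in events:
        found = classify(content)
        if action == "copy":
            last_copied = found          # None when the user copied ordinary text
        elif action == "read" and last_copied and found:
            copied_family, copied_addr = last_copied
            read_family, read_addr = found
            if read_family == copied_family and read_addr != copied_addr:
                alerts.append({
                    "family": read_family,
                    "expected": copied_addr,
                    "observed": read_addr,
                })
    return alerts


# Constructed sample data: a Litecoin-format address the user copies, and a second
# one standing in for the operator-controlled address a clipper would substitute.
USER_COPIED = "LbXq7vR2mN9kT4wP8sJ3dF6gH5yZ1cB9aE"
SWAPPED_IN = "LcHK4z6XyU9nMe7pQ3rB2vW8sT5dF1gJkN"

SAMPLE_EVENTS = [
    ("copy", "meeting notes for Monday"),
    ("read", "meeting notes for Monday"),    # plain text, untouched: no alert
    ("copy", "send to " + USER_COPIED),
    ("read", "send to " + SWAPPED_IN),       # same family, different address: alert
    ("copy", "Z123456789012"),               # constructed WebMoney purse id
    ("read", "Z123456789012"),               # unchanged: no alert
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{alert['family']}] copied {alert['expected']} but clipboard now holds {alert['observed']}")
```

On a live host the "copy" and "read" events would come from a clipboard-monitoring hook; the comparison logic is the same. Matching on family before comparing addresses keeps the check specific: a clipper substitutes a wallet of the same coin so that the victim's payment still goes through, only to the wrong recipient.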
The malware can also create a scheduled task on every Windows device it infects, which lets it restart itself every minute if the victim finds and kills its process.
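A scheduled task that re-launches a binary from a user-writable directory every minute is unusual enough to be worth flagging on its own. The script below is an added example, not the report's or the malware's code: it inspects a task definition in the Task Scheduler XML export format (the format `schtasks /query /xml` produces) for a short repetition interval and an action that runs from a user-profile path. The two task definitions, including the file name and path, are constructed for the example and are not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler's XML schema namespace (the one used by schtasks /query /xml exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# ISO 8601 duration as used in <Interval>, e.g. PT1M, PT5M, PT1H, P1D.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Directories a non-admin user can write to; persistence launched from here is
# more suspicious than from Program Files or System32. Constructed heuristic.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public)\\", re.IGNORECASE)


def iso_duration_seconds(value):
    """Convert a Task Scheduler duration such as 'PT1M' to seconds."""
    match = DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(xml_text, max_interval_seconds=300):
    """Return a list of findings for one task definition; empty means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        seconds = iso_duration_seconds(interval.text or "")
        if seconds <= max_interval_seconds:
            findings.append(f"repeats every {seconds}s")
    for command in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        if USER_WRITABLE.search(command.text or ""):
            findings.append(f"runs from user-writable path: {command.text}")
    return findings


# Constructed task mirroring the behaviour in the report: a one-minute repetition
# that relaunches an executable from the user's AppData folder. Name and path invented.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2019-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\example_stealer.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: hourly, launched from Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2019-09-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Example\updater.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, assess_task(xml_text) or ["nothing flagged"])
```

Either finding alone is weak evidence (legitimate updaters also use repetition triggers, and some launch from AppData); the combination of a sub-five-minute interval and a user-writable launch path is the pattern worth a closer look, which is why both checks run in the same pass.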
The collected information is zipped using a 7zip executable bundled within Masad Stealer’s binary, and the archive is exfiltrated to the command and control (C2) server using unique Telegram bot IDs.
Based on the number of unique Telegram bot IDs and usernames, at least 18 threat actors or campaigns are actively targeting potential victims with Masad Stealer.
Some Masad Stealer samples can also drop other malware strains, delivered as executables with modified headers, including cryptominers and other info stealers.
The security team believes that Masad Stealer is an active and ongoing threat: its command and control bots are still alive and responding, and the malware is still available for purchase on the black market.