Attackers use the Telegram handle “Smokes Night” to spread the malicious Echelon info stealer, which steals credentials for cryptocurrency and other user accounts, researchers have announced.
Attackers are targeting the crypto-wallets of Telegram users with the Echelon info stealer, in an effort aimed at defrauding new or unsuspecting users of a cryptocurrency discussion channel on the messaging platform, researchers have found.
Researchers at SafeGuard Cyber’s Division Seven threat analysis unit detected a sample of Echelon posted to a cryptocurrency-focused Telegram channel in October, they stated in an analysis published on Thursday.
The malware used in the campaign aims to steal credentials from multiple messaging and file-sharing platforms, including Discord, Edge, FileZilla, OpenVPN, Outlook and even Telegram itself, as well as from a number of cryptocurrency wallets, including Atomic Wallet, Bitcoin Core, ByteCoin, Exodus, Jaxx and Monero.
New or Naïve Users
The campaign was a broad, untargeted effort: “Based on the malware and the manner in which it was posted, SafeGuard Cyber believes that it was not part of a co-ordinated campaign and was simply targeting new or naïve users of the channel,” according to the report.
Attackers used the title “Smokes Night” to distribute Echelon on the channel, but it is not clear how successful it was, researchers found. “The post did not appear to be a response to any of the surrounding messages in the channel,” they wrote.
Other users on the channel did not appear to notice anything suspicious or engage with the message, they explained. However, this does not mean that the malware did not reach users’ devices, researchers wrote.
“We did not see anyone respond to ‘Smokes Night’ or complain about the file, though this does not prove that users of the channel did not get infected,” they wrote.
The Telegram messaging app has indeed become a centre of activity for cyber-criminals, who have capitalised on its popularity and broad attack surface by using bots, malicious accounts and other means to distribute malware on the platform.
Attackers delivered Echelon to the cryptocurrency channel in a .RAR file titled “present).rar” that included three files: “pass – 123.txt,” a benign text document containing a password; “DotNetZip.dll,” a non-malicious class library and toolset for manipulating .ZIP files; and “Present.exe,” the malicious executable for the Echelon credential stealer.
The payload, written in .NET, also included several features that made it difficult to detect or analyse, including two anti-debugging functions that immediately terminate the process if a debugger or other malware analysis tools are detected, and obfuscation using the open-source ConfuserEx tool.
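The lure described above has a recognisable shape: a small archive holding an executable, a helper DLL and a text file whose name advertises a password. The following triage script is an added example, not code from SafeGuard Cyber or the report. It scores an archive listing against that pattern so that archives pulled from chat channels can be flagged before anyone opens them. The file names are taken from the article; the file contents are constructed placeholders, and a ZIP is used in place of the real .RAR so the example runs with the Python standard library alone (the scoring function takes a plain list of names, so a RAR listing from any other tool can be fed to it unchanged).

```python
"""Heuristic triage of chat-delivered archives, modelled on the "present).rar" lure."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# File types that execute on a Windows host when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
LIBRARY_EXTS = {".dll"}
# "pass – 123.txt", "password.txt", "Pass 2021.txt" ... a note shipped next to the payload.
PASSWORD_NOTE_RE = re.compile(r"^pass(word)?\b.*\.txt$", re.IGNORECASE)


@dataclass
class ArchiveVerdict:
    suspicious: bool
    score: int
    reasons: list = field(default_factory=list)


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def triage_listing(names) -> ArchiveVerdict:
    """Score an archive's member names; 4 or more points marks it suspicious."""
    basenames = [n.rsplit("/", 1)[-1] for n in names if not n.endswith("/")]
    exes = [n for n in basenames if _ext(n) in EXECUTABLE_EXTS]
    dlls = [n for n in basenames if _ext(n) in LIBRARY_EXTS]
    notes = [n for n in basenames if PASSWORD_NOTE_RE.match(n.strip())]
    score, reasons = 0, []
    if exes:
        score += 3
        reasons.append(f"executable inside archive: {exes}")
    if exes and dlls:
        score += 2
        reasons.append(f"executable shipped with bundled DLL(s): {dlls}")
    if notes:
        score += 2
        reasons.append(f"password note alongside payload: {notes}")
    if exes and len(basenames) <= 3:
        score += 1
        reasons.append("tiny archive: the executable is the whole point")
    return ArchiveVerdict(score >= 4, score, reasons)


def triage_zip(data: bytes) -> ArchiveVerdict:
    """Read a ZIP from memory and triage its listing (no member is extracted)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return triage_listing(zf.namelist())


def build_lure_sample() -> bytes:
    """Constructed stand-in for the lure: names from the report, contents are fake bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pass – 123.txt", "123\n")
        zf.writestr("DotNetZip.dll", b"MZ" + b"\x00" * 64)  # placeholder, not the real library
        zf.writestr("Present.exe", b"MZ" + b"\x00" * 64)    # placeholder, not the real payload
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed ordinary archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/README.txt", "meeting notes\n")
        zf.writestr("notes/chart.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        verdict = triage_zip(blob)
        print(f"{label}: suspicious={verdict.suspicious} score={verdict.score}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The score is deliberately additive rather than a single rule: an executable alone is worth attention, but an executable plus a helper DLL plus a password note in a three-file archive is exactly the combination the report describes, and it should outrank a lone installer someone shared on purpose. Thresholds are assumptions to tune against your own traffic.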
Interpret the Code
Researchers eventually managed to interpret the code and examine the Echelon sample delivered to users of the Telegram channel.
They found that it contains domain detection, meaning the sample will also attempt to steal data relating to any domain the victim has visited, researchers wrote.
A full list of the platforms the Echelon sample attempted to target is included in the report.
Other features of the malware include computer fingerprinting, as well as the ability to take a screenshot of the victim’s machine, researchers wrote.
The Echelon sample lifted from the campaign sends credentials, other stolen data and screenshots back to a command-and-control server in a compressed .ZIP file, they outlined.
Fortunately, Windows Defender detects and deletes the Present.exe malicious executable sample and flags it as ‘#LowFI:HookwowLow’, mitigating any potential damage from Echelon for users with the antivirus software installed, researchers concluded.