By Harmeen

Spyware Replaces Crypto Wallets using Telegram, Threatens 200 Million Users

Juniper Threat Labs, part of an American internet infrastructure firm, has found a new Trojan-delivered spyware that replaces crypto wallet addresses on the clipboard and uses Telegram bots for command and control. In short, the spyware swaps the victim's crypto addresses for its own and talks to its operator through the Telegram app.

Trojan-delivered Masad Stealer and Clipper

A new kind of spyware, designed to steal sensitive information from users of the messaging app Telegram, is now in circulation. It is for sale on black-market forums and poses a direct threat to the security of crypto wallets. Juniper Threat Labs, the threat intelligence arm of an American internet infrastructure firm, found this new Trojan-delivered malware, which it says threatens Telegram's 200 million users. Researchers at Juniper Networks (NYSE: JNPR) identified the Trojan-delivered "Masad Stealer and Clipper", which abuses the global messaging app Telegram while stealing confidential information. The details are set out in threat research released on Sept. 26, 2019.

How dangerous can this Trojan-delivered malware be?

What if we told you that personal details like browsing data, important documents, saved files, browser autofill passwords, cryptocurrency exchange and wallet usernames and passwords, and even credit/debit card information are no longer safe? How would you react? OMG! Seriously!

Yes! It is shocking to read, but the new spyware circulating under the name "Masad Clipper and Stealer" is capable of stealing all of the personal information listed above.

Beyond stealing personal details, the malware also has a clipper function: it watches the clipboard and silently replaces any cryptocurrency wallet address it finds there with one of its own. The report names the cryptocurrencies the clipper targets, and Bitcoin (BTC) is only one of them; the list also includes major coins such as Ethereum (ETH), XRP (previously known as Ripple), and Litecoin (LTC).
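A defender-side illustration of the clipboard swap described above, added here as an example and not code from the original article or from Juniper's report. The heuristic address patterns, the two-second window, the `detect_clipper` function and the clipboard snapshots are all constructed assumptions. The detector looks for the signature of a clipper: a valid address sitting in the clipboard is replaced, within moments, by a different address of the same coin.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Heuristic patterns for the coins named in the article (assumption: rough address
# shapes only, no checksum validation; the report's full coin table is not reproduced).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
                      r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}"
                      r"|ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$"),
}

# Assumption: a clipper rewrites the clipboard almost instantly after the user copies,
# so two different same-coin addresses within this window are treated as a swap.
CLIP_WINDOW_SECONDS = 2.0


def address_kind(text: str) -> Optional[str]:
    """Return the coin whose address shape `text` matches, or None for ordinary text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass(frozen=True)
class ClipAlert:
    at: float          # seconds, from the snapshot where the replacement was seen
    kind: str          # coin whose address was swapped
    original: str      # what the user copied
    replacement: str   # what the clipboard held moments later


def detect_clipper(snapshots: Iterable[Tuple[float, str]]) -> List[ClipAlert]:
    """Scan polled (seconds, clipboard_text) snapshots for clipper-style swaps.

    A swap is reported when consecutive snapshots both hold a valid address of the
    same coin, the addresses differ, and the change happened within CLIP_WINDOW_SECONDS.
    """
    alerts: List[ClipAlert] = []
    prev_t: Optional[float] = None
    prev_text: Optional[str] = None
    prev_kind: Optional[str] = None
    for t, raw in snapshots:
        text = raw.strip()
        kind = address_kind(text)
        if (prev_kind is not None and kind == prev_kind and text != prev_text
                and prev_t is not None and t - prev_t <= CLIP_WINDOW_SECONDS):
            alerts.append(ClipAlert(t, kind, prev_text, text))
        prev_t, prev_text, prev_kind = t, text, kind
    return alerts


# Constructed clipboard timeline (not captured from a real infection).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),           # user copies a BTC address
    (1.4, "1ConstructedFakeSwapAddrDemo1234"),             # same coin, different address, 0.4 s later
    (30.0, "0x52908400098527886E0F7030069857D2E4169EE7"),  # user copies an ETH address
    (60.0, "0xde709f2102306220921060314715629080e2fb77"),  # second ETH address 30 s later: normal use
    (61.0, "rN7n7otQDd6FczFgLdSqtcsAUxDkw6fzRH"),          # XRP after ETH: different coin, not a swap
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_SNAPSHOTS):
        print(f"[{alert.at:>5.1f}s] {alert.kind} address swapped: "
              f"{alert.original} -> {alert.replacement}")
```

A real monitor would poll the clipboard every few hundred milliseconds (for example with `pyperclip.paste()`) and feed the `(time, text)` pairs into `detect_clipper`; the same rule covers an XRP-to-XRP or LTC-to-LTC swap, which goes beyond the single BTC case in the sample timeline.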

The report includes a table of the coins and wallets the clipper targets (image not reproduced here).

How does this ongoing threat operate?

In terms of functionality, the malware uses a Command and Control (CnC) channel on Telegram, which gives the malware, written in AutoIt script and then compiled into a Windows executable, a degree of anonymity.

Once installed, Masad Stealer begins collecting sensitive information from the system: crypto wallet addresses, browser data including credit card credentials, browser autofill field data, desktop files, FileZilla files, Steam files, browser cookies, and system information.

Masad Stealer then sends all of the collected information to a Telegram bot managed by the threat actor, and the same bot sends commands back to the spyware, according to the Juniper Threat Labs report.

The Command and Control bots were still alive at the time of publication, which led the researchers to conclude that Masad Stealer is an active and ongoing threat.
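To show how the Telegram-bot command-and-control channel described above can be spotted from the network side, here is an added example that is not from the article or from Juniper's report. It assumes a proxy log in a constructed `timestamp source_ip method url process` layout and relies on the public Telegram Bot API URL shape, `https://api.telegram.org/bot<id>:<token>/<method>`; the log lines, hosts, process names and bot tokens are all invented. Desktop Telegram clients do not talk to the Bot API, so any host doing so outside an allowlist deserves a look, and the numeric bot id gives a pivot across hosts without ever recording the token.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Public Telegram Bot API shape: https://api.telegram.org/bot<id>:<token>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Assumed proxy log layout: timestamp source_ip http_method url process_name
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<verb>[A-Z]+)\s+(?P<url>\S+)\s+(?P<process>\S+)$"
)

# Bot API methods a stealer needs: the first set moves data off the host, the second
# pulls operator instructions in. Other methods are still reported but ranked low.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
COMMAND_METHODS = {"getUpdates"}


@dataclass(frozen=True)
class BotApiFinding:
    ts: str
    src: str
    process: str
    bot_id: str       # numeric part before the colon; safe to share and pivot on
    token_hint: str   # first characters only, so the secret never lands in a ticket
    method: str
    severity: str


def redact_token(token: str) -> str:
    """Keep just enough of the token to tell two bots apart in a report."""
    return token[:4] + "..."


def find_bot_api_traffic(log_text: str,
                         allowed_processes: FrozenSet[str] = frozenset()) -> List[BotApiFinding]:
    """Return one finding per proxy log line that calls the Telegram Bot API."""
    findings: List[BotApiFinding] = []
    for line in log_text.splitlines():
        entry = LOG_LINE_RE.match(line)
        if not entry:
            continue  # skip lines that do not fit the assumed layout
        api = BOT_API_RE.match(entry["url"])
        if not api or entry["process"] in allowed_processes:
            continue
        method = api["method"]
        if method in EXFIL_METHODS:
            severity = "high"
        elif method in COMMAND_METHODS:
            severity = "medium"
        else:
            severity = "low"
        findings.append(BotApiFinding(entry["ts"], entry["src"], entry["process"],
                                      api["bot_id"], redact_token(api["token"]),
                                      method, severity))
    return findings


def bots_by_source(findings: List[BotApiFinding]) -> Dict[str, Set[str]]:
    """Group bot ids per source host: one bot id across many hosts points at one campaign."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for finding in findings:
        grouped[finding.src].add(finding.bot_id)
    return dict(grouped)


# Constructed proxy log; tokens, hosts and process names are invented for the example.
SAMPLE_PROXY_LOG = """\
2019-09-27T10:01:02Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_xxxxxxxxxxx/sendDocument update_helper.exe
2019-09-27T10:01:05Z 10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleTokenNotReal_xxxxxxxxxxx/getMe update_helper.exe
2019-09-27T10:02:00Z 10.0.0.20 GET https://web.telegram.org/ chrome.exe
2019-09-27T10:03:10Z 10.0.0.31 POST https://api.telegram.org/bot987654321:AAAnotherFakeToken_yyyyyyyyyyyyyyy/sendMessage python.exe
2019-09-27T10:04:00Z 10.0.0.20 GET https://example.com/index.html chrome.exe
"""

if __name__ == "__main__":
    results = find_bot_api_traffic(SAMPLE_PROXY_LOG)
    for f in results:
        print(f"{f.severity:<6} {f.ts} {f.src} {f.process} bot={f.bot_id} "
              f"token={f.token_hint} method={f.method}")
    print(bots_by_source(results))
```

The allowlist exists because some organisations run legitimate Bot API integrations; everything else hitting `api.telegram.org/bot...` is worth triage, with `sendDocument` and `sendMessage` from an unfamiliar process being the strongest signal that data is leaving the host.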

Researchers at Juniper said:

"Masad Stealer sends all of the information it collects—and receives commands from—a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers."