Cryptocurrency investors beware! A new Trojan malware has emerged. It is called ‘Masad Clipper and Stealer’. It is an actively distributed malware strain that steals cryptocurrency and collects private passwords as well as credit card information. It also steals files and browser information from infected computers.
The Juniper Threat Labs team discovered this malware. According to them, this new malware is related in some way to the Qulab Stealer. It may be an upgraded version or a direct predecessor. It is developed using AutoIt scripts and then compiled as a Windows executable. The team explained that it automatically replaces any crypto wallet address that has been copied to the clipboard with one of its own addresses.
The Juniper Threat Labs team says “Masad Stealer sends all of the information it collects [through] a Telegram bot controlled by the threat actor.” This new malware targets Bitcoin, Monero (XMR), Cardano (ADA), Ether (ETH), Dash (DASH), XRP, Litecoin (LTC) and other cryptocurrencies.
In order to understand the gravity of the threat, consider this fact: an address connected to ‘Masad Clipper and Stealer’ has collected Bitcoin worth more than $9000 to date. The malware is being advertised on hacking forums. It is actually being sold through a tiered approach. It starts with a free version and can be upgraded to one with all features for $85.
According to Juniper, the distribution vectors operate under a masquerade. It is being promoted as a legitimate tool or is being added to third-party tools. Infections are also possible through the download of various software and game cracks, cheats, and aimbots. Once a computer is infected, the malware can collect system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, browser cookies, usernames, passwords, and credit card information.
The malware can replace Monero, Bitcoin Cash, Litecoin, Neo and other cryptocurrency wallet addresses on the clipboard with ones provided by its operators. According to the Juniper Threat Labs team,
“If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary”.
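The clipper behaviour described above can be caught from the defender's side by comparing what was placed on the clipboard with what is read back from it. The following script is an added example and is not code from Juniper or from the malware itself; the address regexes are approximations of the public address formats for a few of the currencies named in this article (they check shape only, not checksums), and the clipboard events are constructed sample data rather than a live clipboard read.

```python
import re

# Shape-only patterns for some wallet address formats Masad targets.
# These are approximations written for this example; they do not validate checksums.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text):
    """Return the wallet family a string looks like, or None if it is not address-shaped."""
    text = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_swap(copied, clipboard_now):
    """Compare what the user copied with what the clipboard now holds.

    A clipper only rewrites content that matches a wallet pattern, so an alert
    is raised when an address-shaped string was copied and the clipboard no
    longer contains exactly that string. Returns an alert dict or None.
    """
    if copied == clipboard_now:
        return None
    family = classify(copied)
    if family is None:
        return None  # non-wallet text changing is not the clipper pattern
    return {
        "family": family,
        "original": copied,
        "current": clipboard_now,
        "replaced_with": classify(clipboard_now),
    }


def run_monitor(events):
    """Feed (copied, observed) pairs through detect_swap and collect the alerts."""
    return [alert for copied, observed in events
            if (alert := detect_swap(copied, observed)) is not None]


# Constructed sample addresses: made up for this example, not real wallets.
ETH_A = "0x" + "1" * 40
ETH_B = "0x" + "2" * 40
BTC_A = "1AaBbCcDdEeFfGgHhJjKkLmMnNpPqQrRsSt"
BTC_B = "bc1q" + "z" * 38

# Constructed clipboard events: (what was copied, what was read back).
SAMPLE_EVENTS = [
    ("hello world", "hello world"),   # ordinary text, untouched
    (BTC_A, BTC_A),                   # wallet copied, clipboard untouched
    (ETH_A, ETH_B),                   # ETH address silently replaced
    (BTC_A, BTC_B),                   # legacy BTC address replaced by a bech32 one
    ("meeting notes", "0x" + "3" * 40),  # non-wallet text changed: not a clipper pattern
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_EVENTS):
        print(f"[{alert['family']}] clipboard swap: {alert['original']} -> {alert['current']}")
```

On a real endpoint the pairs would come from hooking the copy action (or from the application that generated the address) and polling the clipboard a moment later; the comparison logic stays the same. Because a clipper typically keeps the replacement within the same family, the `replaced_with` field also shows which currency the operators were targeting.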
If a victim finds the malware and tries to kill its process, that alone will not get rid of it: it creates a scheduled task on Windows that restarts it every minute.
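A scheduled task that relaunches a binary every minute stands out in a task inventory, which makes it a useful triage point. The script below is an added example (not Juniper's or the malware's code) that scans the verbose CSV export of `schtasks /query /v /fo CSV` for two things at once: a repeat interval of one minute or less, and a task binary living in a user-writable directory. The column names are the ones that tool emits in verbose mode (only the columns the script uses are included here), and both rows are constructed sample data, including the task and file names.

```python
import csv
import io
import re

# Constructed sample rows in the shape of `schtasks /query /v /fo CSV` output.
# Only the columns this script consults are included. Names and paths are made up.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Schedule Type","Repeat: Every","Author","Run As User"
"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","%systemroot%\system32\usoclient.exe StartScan","Daily","Disabled","Microsoft Corporation","SYSTEM"
"\WindowsUpdateHelper","C:\Users\alice\AppData\Roaming\svchost32.exe","One Time Only","0 Hour(s), 1 Minute(s)","alice","alice"
'''

# Directory fragments that an unprivileged user can write to (lower-cased for matching).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "%temp%", "\\downloads\\", "\\programdata\\", "\\public\\")

REPEAT_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")


def parse_repeat_minutes(value):
    """Turn the 'Repeat: Every' column into minutes; None when repetition is disabled."""
    match = REPEAT_RE.search(value or "")
    if not match:
        return None
    hours, minutes = (int(x) for x in match.groups())
    return hours * 60 + minutes


def is_user_writable(command):
    """Heuristic: does the task command point into a location a normal user can write?"""
    lowered = command.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage(csv_text, max_repeat_minutes=1):
    """Return a list of findings for tasks that repeat rapidly or run from user-writable paths."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = []
        repeat = parse_repeat_minutes(row.get("Repeat: Every"))
        if repeat is not None and repeat <= max_repeat_minutes:
            flags.append(f"repeats every {repeat} minute(s)")
        if is_user_writable(row.get("Task To Run", "")):
            flags.append("binary in user-writable location")
        if flags:
            findings.append({
                "task": row["TaskName"],
                "command": row["Task To Run"],
                "run_as": row.get("Run As User", ""),
                "flags": flags,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCHTASKS_CSV):
        print(f"{finding['task']} ({finding['run_as']}): {finding['command']}")
        for flag in finding["flags"]:
            print(f"  - {flag}")
```

Run against a real export (`schtasks /query /v /fo CSV > tasks.csv`, then read the file into `triage`), each hit should be confirmed by inspecting the task XML under `C:\Windows\System32\Tasks` before acting; a task that both repeats every minute and launches from AppData is the combination the article describes, and removing the task before killing the process prevents the immediate restart.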
The harvested information is zipped using a 7zip executable bundled in Masad Clipper and Stealer’s binary. The archive is exfiltrated to the command and control (C2) server using unique Telegram bot IDs. According to Juniper, there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Clipper and Stealer.
The malware is available for sale on the black market and is an active threat that cryptocurrency enthusiasts need to be aware of. Further information on Masad Clipper and Stealer is available on the Juniper forum.