In a new campaign on Telegram, threat actors are distributing cryptocurrency-stealing malware to newbie cybercriminals, disguising it as free hacking applications.
Avast researchers say the malware operators have likely stolen over $500,000 from wannabe hackers.
The malware, named HackBoss by Avast researchers, is not particularly sophisticated, but the scheme is effective in luring victims with promises of free hacking tools. The tools on offer are mostly for brute-forcing passwords for banking, dating, and social media accounts.
HackBoss comes packed in a .ZIP file containing an executable that launches a simple user interface. The UI's only real purpose is to install the cryptocurrency-stealing payload on the victim's system, which happens as soon as the victim clicks any button in the malware's interface.
HackBoss establishes persistence on the compromised system either by adding a registry key that places it among the startup items or by creating a scheduled task that runs the payload every minute.
“The malicious payload keeps running on the victim’s computer even after the application’s UI is closed. If the malicious process is terminated — for example via the Task manager — it can then get triggered again on startup or by the scheduled task in the next minute,” Avast said.
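The two persistence mechanisms described above (a Run-key entry and a scheduled task that re-launches the payload every minute) leave artifacts that are easy to triage. The following is an added example, not Avast's code or anything shipped with HackBoss: it parses a Task Scheduler task definition in the XML schema Windows exports (`schtasks /query /xml`), flags a `Repetition/Interval` of five minutes or less, and flags Run-key commands that live in user-writable directories. The task XML, the Run-key entries, and the path `C:\Users\victim\AppData\Roaming\HackBossSvc\update.exe` are all constructed for the example; the user-writable markers are a heuristic, not a complete list.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# ISO 8601 durations as Task Scheduler writes them, e.g. PT1M, PT1H30M, P1D.
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

# Heuristic markers (assumption): directories a non-admin user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_iso_duration(text):
    """Return the duration in seconds, or None if text is not an ISO 8601 duration."""
    text = text.strip()
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        return None
    parts = {k: int(v) for k, v in m.groupdict().items() if v}
    return (parts.get("d", 0) * 86400 + parts.get("h", 0) * 3600
            + parts.get("m", 0) * 60 + parts.get("s", 0))


def in_user_writable_path(command):
    """True if the command's path contains a user-writable directory marker."""
    return any(marker in command.lower() for marker in USER_WRITABLE_MARKERS)


def triage_task_xml(xml_text, max_interval_s=300):
    """Return findings for a single task definition: tight repetition intervals
    and executables launched from user-writable locations."""
    root = ET.fromstring(xml_text)
    tag = lambda name: f"{{{TASK_NS}}}{name}"
    commands = [(c.text or "").strip() for c in root.iter(tag("Command"))]
    findings = []
    for rep in root.iter(tag("Repetition")):
        interval = rep.find(tag("Interval"))
        secs = parse_iso_duration(interval.text or "") if interval is not None else None
        if secs is not None and secs <= max_interval_s:
            findings.append({"reason": "repeats every %ds" % secs,
                             "interval_s": secs, "commands": commands})
    for cmd in commands:
        if in_user_writable_path(cmd):
            findings.append({"reason": "executable in user-writable path", "command": cmd})
    return findings


def triage_run_keys(entries):
    """entries: mapping of value name -> command line, as read from a Run key."""
    return [{"name": name, "command": cmd, "reason": "executable in user-writable path"}
            for name, cmd in entries.items() if in_user_writable_path(cmd)]


# Constructed sample: a task that re-launches a payload from AppData every minute.
MALICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\HackBossSvc\update.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: an hourly vendor updater installed under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample of HKCU\...\CurrentVersion\Run values (name -> command).
SAMPLE_RUN_KEY = {
    "VendorSync": r"C:\Program Files\Vendor\sync.exe /background",
    "WinUpdate": r"C:\Users\victim\AppData\Roaming\HackBossSvc\update.exe",
}

if __name__ == "__main__":
    for finding in triage_task_xml(MALICIOUS_TASK_XML) + triage_run_keys(SAMPLE_RUN_KEY):
        print(finding)
```

In practice the task XML comes from `schtasks /query /xml` or the task files under `C:\Windows\System32\Tasks`, and the Run-key entries from the HKCU and HKLM `Run` keys; the same functions apply unchanged.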
The malware's main function is checking the clipboard for a cryptocurrency wallet address and replacing it with one controlled by the attacker. Most victims will not re-check the address before hitting the pay button, so the substitution goes unnoticed.
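The clipboard substitution described above has a recognisable shape from the defender's side: a wallet address is overwritten by a different address of the same family within a fraction of a second, something a human user almost never does. The following is an added detection example, not Avast's code or part of HackBoss: it classifies clipboard contents by address format (format heuristics only, no checksum validation) and flags that pattern in a sequence of clipboard events. The event list, the wallet addresses, and the process name `hackboss.exe` are all constructed for the example, and the `owner` field assumes telemetry that records which process wrote the clipboard.

```python
import re
from dataclasses import dataclass

# Format heuristics only (no checksum validation) for the address families a
# clipboard hijacker most often targets.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardEvent:
    ts: float     # seconds; events are assumed to be sorted by ts
    owner: str    # process that wrote the clipboard (assumed available from telemetry)
    text: str


def detect_swaps(events, window_s=2.0):
    """Flag an address replaced by a *different* address of the same family
    within window_s seconds. Copying two distinct addresses that quickly is
    rare for a human, but it is exactly what a clipboard hijacker produces."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = address_type(prev.text)
        if kind is None or address_type(cur.text) != kind:
            continue
        if prev.text.strip() == cur.text.strip():
            continue  # same address copied again: not a swap
        if cur.ts - prev.ts <= window_s:
            alerts.append({
                "type": kind,
                "original": prev.text.strip(),
                "replacement": cur.text.strip(),
                "replaced_by": cur.owner,
                "delay_s": round(cur.ts - prev.ts, 3),
            })
    return alerts


# Constructed addresses: syntactically valid, not real wallets.
USER_BTC = "1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu1Vw2Xy3Z"
ATTACKER_BTC = "3Zy3Xw2Vu1Tu9Ts8Rq7Pn6Mk5Jh4Gf3Ed2C"
USER_ETH_A = "0x" + "11" * 20
USER_ETH_B = "0x" + "22" * 20

# Constructed clipboard telemetry; "hackboss.exe" is a hypothetical process name.
SAMPLE_EVENTS = [
    ClipboardEvent(100.0, "explorer.exe", "invoice #4471"),
    ClipboardEvent(105.0, "chrome.exe", USER_BTC),
    ClipboardEvent(105.3, "hackboss.exe", ATTACKER_BTC),  # swapped 300 ms later
    ClipboardEvent(200.0, "chrome.exe", USER_ETH_A),
    ClipboardEvent(260.0, "chrome.exe", USER_ETH_B),      # second address a minute later
    ClipboardEvent(300.0, "notepad.exe", USER_BTC),       # different family: no swap
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

With the default two-second window only the 300 ms substitution is flagged; widening the window to two minutes would also flag the user's own second Ethereum address, which is the usual false-positive trade-off for this heuristic. The same classifier can be used on the user side as a last check that the pasted address equals the one that was copied.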
Malware authors distribute HackBoss in Telegram posts with a bogus description intended to make the offer look legitimate and attractive. There have been about nine posts per month on average, and the HackBoss channel has over 2,800 subscribers. The attackers also distribute the malware through a blog at cranhan.blogspot[.]com and in ads on public forums and discussion boards.
Avast researchers said they found over 100 cryptocurrency wallet addresses associated with HackBoss. Together, the addresses have received over $560,000 since November 2018.