Digital attackers are exploiting advertisements on the Telegram messaging app to target cryptocurrency owners with HackBoss malware samples. A notable element of this campaign is that it targets people who themselves want to make money through illicit means. Read on to find out how the HackBoss operators trick would-be attackers through their own Telegram channel.
Avast found over 100 cryptocurrency wallet addresses belonging to the creators of the malware family. Together, these wallets held a collective total of over $560,000 at the time of analysis.
However, the actual amount stolen by HackBoss could be less. The security company discovered that some of these wallet addresses were also associated with scams designed to trick users into buying bogus software. This could be a sign that the HackBoss operators used the same cryptocurrency wallet addresses to run other campaigns.
Become a HackBoss … by infecting yourself
The malware actors used a Telegram messaging channel called HackBoss. There they advertised apps claiming to be “the best software for hackers (hack bank / dating / bitcoin)”.
But the apps never were. These bogus cracking apps came with a link to encrypted or anonymous file storage from which the software could be downloaded as a .zip file. When opened, the file executed an .exe which displayed a simple interface. Clicking one of its buttons decrypted and executed the malicious payload. The campaign also set the malware to run every minute via a scheduled task and at startup via a registry key.
Once active, HackBoss would regularly check the contents of the clipboard for anything that looked like a cryptocurrency wallet address. When it found something in that format, the malware replaced the address with one of its own in an attempt to steal the user's cryptocurrency.
The creators of HackBoss didn't just use the Telegram channel to promote their malware. They also relied on a website with promotional blog posts, YouTube channels with promotional videos, and advertisements on public forums and other websites.
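The persistence mechanisms described above (a scheduled task that repeats every minute and a startup registry key) are things a defender can hunt for on an endpoint. The Python script below is an added example and is not code from the original article or from Avast: it parses an exported Task Scheduler XML definition and a set of Run-key values, both constructed here as samples, and flags tasks with short repetition intervals and executables launched from user-writable directories. The function names, the directory markers and the 300-second threshold are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a normal user can write to; legitimate services rarely run from here
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample (not a real HackBoss artifact): a task that re-runs an
# executable from a roaming profile folder every minute
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2021-04-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\updater.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample of HKCU\...\CurrentVersion\Run values (value name -> command line)
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SysUpdater": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
}

ISO_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_iso_duration(text):
    """Convert an ISO 8601 duration such as PT1M or P1DT2H into seconds (0 if unparsable)."""
    match = ISO_DURATION.match(text.strip())
    if not match:
        return 0

    def part(key):
        return int(match.group(key) or 0)

    return part("d") * 86400 + part("h") * 3600 + part("m") * 60 + part("s")


def is_user_writable_path(path):
    """True if the command line points into a directory an unprivileged user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def task_findings(xml_text, max_interval_seconds=300):
    """Return human-readable findings for one scheduled-task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        seconds = parse_iso_duration(interval.text or "")
        if 0 < seconds <= max_interval_seconds:
            findings.append(f"repeats every {interval.text} ({seconds}s): unusually short")
    for command in root.findall(".//t:Exec/t:Command", TASK_NS):
        if is_user_writable_path(command.text or ""):
            findings.append(f"action runs from a user-writable path: {command.text}")
    return findings


def run_key_findings(run_values):
    """Return the names of Run-key values whose command points into a user-writable path."""
    return [name for name, command in run_values.items() if is_user_writable_path(command)]


if __name__ == "__main__":
    for finding in task_findings(SAMPLE_TASK_XML):
        print("task:", finding)
    for name in run_key_findings(SAMPLE_RUN_KEY):
        print("run key:", name)
```

On a live system the same functions can be fed the output of `schtasks /query /xml` and the values read from the Run keys; neither a short repetition interval nor a user-profile path is malicious on its own, but a task that combines both, as the constructed sample does, deserves a closer look.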
Not the only threat involving Telegram Messenger
HackBoss wasn’t the only malware campaign that recently involved Telegram. In October 2020, for example, G DATA Software wrote that attackers could control a new threat called T-RAT 2.0 using text commands sent over the Telegram messenger. This malware allowed whoever controlled it to steal passwords, steal cryptocurrency using information from the clipboard, and capture screenshots.
Some months later, malicious advertising led users to a fake Windows desktop version of Telegram. The cloned Telegram websites ultimately led to the campaign dropping samples of the AZORult infostealer.
In April, Check Point Research discovered ToxicEye, a remote access Trojan. Digital attackers relied on phishing emails to distribute a malicious .exe file. Once activated, the malware stole data, deleted files and/or encrypted data.
How to defend against malware like HackBoss
Attacks like this underscore the need for organizations and users to exercise caution when it comes to cryptocurrency. As part of this effort, they need to confirm the address of the wallet they are sending money to before the transaction goes out. They may also consider implementing multi-factor authentication (MFA) to prevent attackers from taking over their accounts.
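The clipboard-swapping behaviour described earlier and the advice above to confirm the wallet address before sending come down to the same check. The Python below is an added example, not code from the article or from Avast: it recognizes common wallet-address formats, validates the Base58Check checksum of a legacy Bitcoin address so that a mistyped or corrupted address is caught, and compares what the user copied with what is about to be pasted, reporting a silent address-for-address swap as an alert. The address patterns and function names are this example's own; the sample addresses are the real Bitcoin genesis-block address, a format-valid address used only as a stand-in for "some other address", and a constructed Ethereum-format string.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address shapes a clipboard hijacker typically looks for; the names are this example's own
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the format name if the text looks like a wallet address, else None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def base58check_valid(address):
    """Verify the 4-byte double-SHA256 checksum of a legacy (Base58Check) Bitcoin address."""
    number = 0
    for char in address:
        digit = B58_ALPHABET.find(char)
        if digit < 0:
            return False
        number = number * 58 + digit
    body = number.to_bytes((number.bit_length() + 7) // 8, "big")
    leading_zeros = len(address) - len(address.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


def check_paste(copied, about_to_paste):
    """Compare what the user copied with what the clipboard now holds.

    One wallet address silently replaced by another is exactly what a
    clipboard hijacker does, so that case is reported as an alert.
    """
    if copied == about_to_paste:
        return "ok"
    pasted_format = classify_address(about_to_paste)
    if pasted_format and classify_address(copied):
        return f"ALERT: {pasted_format} address was swapped in the clipboard"
    return "changed"


if __name__ == "__main__":
    # Real, valid Base58Check address: the Bitcoin genesis-block address
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    # Format-valid stand-in for "a different address" (constructed scenario, not an IoC)
    other = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    print(classify_address(genesis), base58check_valid(genesis))
    print(check_paste(genesis, other))
```

The checksum test catches typos and truncation but not a swap, because the attacker's address carries its own valid checksum; only comparing the pasted value against the address the user actually intended (read back from the recipient, or from a hardware wallet's display) defeats the substitution.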