CHARLOTTESVILLE, Va. – SafeGuard Cyber, the leading provider of security and compliance solutions for today’s email and communication-based threats, has discovered a new information stealer targeting cryptocurrency investors in Telegram.
SafeGuard Cyber’s multi-channel SaaS-based protection platform, which utilizes natural language understanding (NLU) and machine learning technologies to detect and prevent threats across 30 digital communication platforms, first identified the new malware sample in June. The Trojan, which was hidden inside an image file, was detected immediately after it was posted in a public cryptocurrency Telegram channel used by investors and enthusiasts.
“This malware was intended to target new or unsuspecting users of the Telegram channel, with the goal of stealing their cryptocurrency wallet keys,” said Storm Swendsboe, Director of Threat Intelligence at SafeGuard Cyber. “The Trojan also has backdoor capabilities, which could potentially be used to update or add new features to it, thereby enhancing or expanding its malicious uses in the future.”
Key highlights of the new crypto-stealing Trojan:
- The Trojan has backdoor functions as well as data stealing functions.
- It creates hidden copies of the victim’s private and public key store in order to steal cryptocurrency.
- It also beacons to the attacker to confirm the connection is active, indicating a Command-and-Control (C2) infrastructure.
- This malware hides itself as an operating system file on the victim’s machine.
- When deployed in Telegram, the specific sample SafeGuard Cyber analyzed was concealed in an image file to avoid detection. The lure for this malware appears to be spamming images until a victim inadvertently clicks on the attachment.
“Threat actors are increasingly using Telegram and other digital communication platforms to spread malware and compromise victims,” said Otavio Freire, President and CTO of SafeGuard Cyber. “This poses an even larger threat than cryptocurrency theft. Once a Trojan infects an employee’s device, the attacker can then use it to spread laterally within the company or organization. As companies have shifted to cloud-based platforms and hybrid workplaces, employees are utilizing a growing number of diverse digital channels to communicate, nearly all of which are unmonitored by traditional security solutions. This has created an enormous blind spot for businesses and an ideal opportunity for threat actors.”
SafeGuard Cyber detects attacks and identifies risk by understanding how humans interact and communicate. The company’s NLU-based SaaS platform offers the industry’s most advanced visibility and detection of phishing, account takeover, impersonation, BEC, insider threats and malware attacks that span the full range of modern business communications channels, including social media, collaboration, mobile messaging, conferencing, CRM and the Microsoft 365 ecosystem.
Source: SafeGuard Cyber