Masad Clipper and Stealer
Security researchers from Juniper Threat Labs have discovered
The off-the-shelf malware is being shared on black market forums. The malware is initially provided as a free version, but other versions with additional functionality are sold for up to $85. Every tier of the malware has distinct features that may appeal to hackers and cybercriminals who are trying to make more money quickly.
Masad malware is being deployed by numerous threat actors. Since Masad is sold off the shelf, the threat actors deploying it are not necessarily its original authors.
The Telegram instant messaging service is being utilized as a command and control (C2) channel for the malware to supply anonymity to the operators.
Masad searches the infected system, including the web browser, for sensitive information: cryptocurrency wallets, browser cookies, desktop files, credit card information, passwords, system information, autofill browser fields, and installed software and running processes.
The malware then compresses the stolen data into an archive using a 7zip utility that is bundled with the malware binary.
A unique feature of the Masad malware includes the ability to examine the system clipboard to search for information that matches the configuration of particular cryptocurrency wallets.
When a match is found, the malware replaces the clipboard contents (the victim's wallet address) with a wallet address belonging to the threat actor that is hard-coded into the malware binary.
In addition to Bitcoin, Masad searches for other cryptocurrencies, including Monero (XMR), Ripple (XRP), Dash (DASH), Ethereum (ETH), Cardano (ADA), and Litecoin (LTC), and replaces the wallet address copied to the clipboard with its own so that funds the victim intends to send are diverted to the attacker's address.
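The clipper behaviour described above leaves a recognisable trace from the defender's side: a wallet address on the clipboard is overwritten, almost immediately, by a different address of the same coin type. The following is an added example (not code from the original report or from the malware) of a clipboard-audit heuristic that flags that pattern. It assumes a feed of clipboard events as (timestamp, content, writer process) tuples, which is how a clipboard-monitoring agent would supply them; the address patterns are format heuristics (prefix, character set, length), not checksum validation, and every address and process name below is constructed for the example, not a real wallet or a real indicator.

```python
import re
from typing import Optional

# Heuristic address-format patterns for the coins Masad is reported to target.
# Format checks only (prefix + alphabet + length); no checksum validation.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "DASH": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
    "ADA": re.compile(r"^(?:addr1[a-z0-9]{50,}|(?:Ae2|DdzFF)[1-9A-HJ-NP-Za-km-z]{50,})$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
}


def classify_wallet_address(text: str) -> Optional[str]:
    """Return the coin ticker whose address format the clipboard text matches, or None."""
    s = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def audit_clipboard_events(events, swap_window_seconds: float = 2.0):
    """Scan clipboard events for clipper-style swaps.

    events: iterable of (timestamp_seconds, content, writer_process) tuples,
    as a clipboard-monitoring agent would record them (assumed input format).

    An alert is raised when a wallet address is replaced by a *different*
    address of the same coin within swap_window_seconds. A clipper reacts to
    the clipboard-update notification, so the swap lands within milliseconds;
    a user copying two addresses by hand is separated by far longer.
    """
    alerts = []
    prev_ts, prev_content, prev_coin, prev_writer = None, None, None, None
    for ts, content, writer in events:
        coin = classify_wallet_address(content)
        if (
            prev_coin is not None
            and coin == prev_coin
            and content.strip() != prev_content.strip()
            and ts - prev_ts <= swap_window_seconds
        ):
            alerts.append({
                "coin": coin,
                "original": prev_content.strip(),
                "replacement": content.strip(),
                "original_writer": prev_writer,
                "replacement_writer": writer,
                "delay_seconds": round(ts - prev_ts, 3),
            })
        prev_ts, prev_content, prev_coin, prev_writer = ts, content, coin, writer
    return alerts


# Constructed sample addresses: format-valid but NOT real wallets.
USER_BTC = "1DefenderTestAddrAAAAAAAAAAAAAAAAA"
ATTACKER_BTC = "1AttackerSwapAddrBBBBBBBBBBBBBBBBB"
USER_ETH = "0xab12ab12ab12ab12ab12ab12ab12ab12ab12ab12"
USER_ETH_2 = "0xcd34cd34cd34cd34cd34cd34cd34cd34cd34cd34"

# Constructed clipboard event feed (timestamp, content, writer process).
SAMPLE_EVENTS = [
    (0.0, "meeting notes for monday", "notepad.exe"),
    (10.0, USER_BTC, "chrome.exe"),             # user copies their own deposit address
    (10.2, ATTACKER_BTC, "updater_helper.exe"),  # overwritten 200 ms later: clipper swap
    (60.0, USER_ETH, "chrome.exe"),             # user copies an ETH address
    (125.0, USER_ETH_2, "chrome.exe"),          # a different ETH address, 65 s later: benign
    (130.0, "invoice #4412", "outlook.exe"),    # non-wallet text: ignored
]

if __name__ == "__main__":
    for alert in audit_clipboard_events(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['coin']} address swapped after {alert['delay_seconds']}s "
              f"by {alert['replacement_writer']}: {alert['original']} -> {alert['replacement']}")
```

The time window is the discriminating signal: with the sample feed, only the Bitcoin overwrite at 10.2 s produces an alert, while the two Ethereum addresses copied a minute apart do not. In a real deployment the writer-process field is the second thing to look at, since a legitimate copy comes from the browser or wallet application, not from an unrelated executable.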
Masad's primary distribution vector is posing as a legitimate application or, occasionally, being bundled into third-party tools to deceive unsuspecting victims. These malicious downloads are advertised publicly on third-party websites, file-sharing sites, and forums to lure potential victims.
The Bitcoin address connected to the malware holds more than $9,000 worth of Bitcoins.