Lookalike Telegram and WhatsApp websites distribute cryptocurrency-stealing malware

March 17, 2023 | Ravie Lakshmanan | Cryptocurrency / Mobile security


Copycat websites for instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions of those apps and infect Android and Windows users with cryptocurrency-stealing malware.

“These are all after victims’ cryptocurrency funds, targeting various cryptocurrency wallets,” ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis.

While the first instance of clipper malware on the Google Play Store dates back to 2019, the development marks the first time Android-based clipper malware has infiltrated instant messaging apps.

“In addition, some of these apps use optical character recognition (OCR) to recognize text in screenshots stored on compromised devices, which is another first for Android malware,” the Slovakian cybersecurity firm added.

The attack chain begins with unsuspecting users clicking on fraudulent ads in Google search results, which lead to hundreds of sketchy YouTube channels that then redirect them to lookalike Telegram and WhatsApp sites.

What’s new about the latest batch of clipper malware is that it is able to intercept victims’ chats and replace sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.

Another cluster of clipper malware uses OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android, thus making it possible to empty the wallets.

A third cluster is designed to watch Telegram conversations for certain cryptocurrency-related Chinese keywords, either hard-coded or retrieved from a server, and, if one is found, exfiltrate the entire message, along with the username and the group or channel name, to a remote server.


Finally, a fourth set of Android clippers has the capability to switch the wallet address, as well as collect device information and Telegram data such as messages and contacts, among others.

The package names of the trojanized Android APKs are listed below:

  • org.telegram.messenger
  • org.telegram.messenger.web2
  • org.tgplus.messenger
  • com.whatsapp
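
A triage check a defender could run for the package names above, as an added example that is not from ESET or the original article: it parses `adb shell pm list packages -i` output and flags any listed package that was not installed by Google Play. `org.telegram.messenger` and `com.whatsapp` are also the genuine apps' package names, so a name match alone proves nothing; the trusted-installer set and the sample output are assumptions constructed for illustration.

```python
import re

# Package names listed in the article. Two of them are also the names of the
# genuine Play Store apps, so a name match alone is not an indicator.
LISTED_PACKAGES = {
    "org.telegram.messenger",
    "org.telegram.messenger.web2",
    "org.tgplus.messenger",
    "com.whatsapp",
}

# Assumption: only Google Play counts as a trusted install source here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i`: "package:<name>  installer=<installer>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def flag_sideloaded(pm_output):
    """Return sorted (package, installer) pairs that need manual review."""
    findings = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        pkg, inst = m.group("pkg"), m.group("inst")
        if pkg in LISTED_PACKAGES and inst not in TRUSTED_INSTALLERS:
            findings.append((pkg, inst))
    return sorted(findings)


# Constructed sample output (not captured from a real device).
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:org.telegram.messenger  installer=null
package:org.telegram.messenger.web2  installer=com.android.packageinstaller
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, inst in flag_sideloaded(SAMPLE):
        print(f"review: {pkg} (installer={inst})")
```

A flagged package is a prompt to verify the APK's signing certificate against the vendor's, not proof of compromise.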

ESET said it also found two Windows-based clusters, one designed to swap wallet addresses and a second that distributes remote access trojans (RATs) instead of clippers to gain control of infected hosts and steal crypto.



All analyzed RAT samples are based on the publicly available Gh0st RAT, except for one, which uses more anti-analysis runtime checks during its execution and the HP-socket library to communicate with its server.

It is also worth noting that these clusters, despite following the same modus operandi, represent distinct sets of activity, likely by different threat actors.

The campaign, like a similar malicious cyber operation that came to light last year, targets Chinese-speaking users, mainly because Telegram and WhatsApp are blocked in the country.

“People who want to use these services have to go through indirect ways to get them,” the researchers said. “Not surprisingly, it’s a good opportunity for cybercriminals to abuse the situation.”
