According to researchers, attackers using the Telegram handle "Smokes Night" are spreading the malicious Echelon info stealer, which steals credentials for cryptocurrency wallets and other user accounts.
Attackers are using the Echelon info stealer to target Telegram users' crypto-wallets in an attempt to defraud new or naïve users of a cryptocurrency discussion channel on the messaging platform, according to researchers.
According to an analysis posted on Thursday, researchers from SafeGuard Cyber's Division Seven threat analysis unit identified a sample of Echelon in a cryptocurrency-focused Telegram channel in October.
The malware used in the campaign is designed to steal credentials from a variety of messaging and file-sharing platforms, such as Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as from cryptocurrency wallets, such as AtomicWallet, BitcoinCore, and ByteCoin.
The effort was a "spray and pray" operation, according to the report: "Based on the malware and the way in which it was released, SafeGuard Cyber believes it was not part of a coordinated campaign and was merely targeting new or inexperienced users of the channel."
Researchers determined that the attackers tried to spread Echelon on the channel using the handle "Smokes Night," although it's unclear how successful they were.
"The post seemed not to be a reaction to any of the surrounding posts in the channel," they stated.
Other users in the channel, they said, did not appear to notice anything suspicious or respond to the message. According to the researchers, this does not mean that the malware did not reach users' devices.
"We did not notice anyone answer to 'Smokes Night' or whine about the file," they said, "but this does not rule out the possibility that channel members were infected."
Cybercriminals have taken advantage of Telegram's popularity and large attack surface by distributing malware on the platform via bots, rogue accounts, and other methods.
The Echelon credential stealer was delivered to the cryptocurrency channel in a .RAR file called "present).rar," which contained three files: "pass – 123.txt," a benign text document containing a password; "DotNetZip.dll," a non-malicious class library and toolset for manipulating .ZIP files; and "Present.exe," the malicious executable for the Echelon credential stealer.
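The bundle described above (a password note, a support DLL and one executable) can be scored from an archive's member listing alone. The following is an added example, not code from the SafeGuard Cyber report; the function names, extension sets, weights and threshold are assumptions, and every sample listing except the first (taken from the description above) is constructed.

```python
import re
from pathlib import PureWindowsPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi"}  # assumed set
SUPPORT_EXTS = {".dll", ".txt"}                                     # assumed set
# File name that advertises a password, e.g. "pass – 123.txt" (assumed heuristic)
PASSWORD_NOTE = re.compile(r"\b(?:pass(?:word)?|pwd)\b[\s\-–:=_]+\S+", re.IGNORECASE)


def triage_archive(members):
    """Score a list of archive member names; returns (score, reasons)."""
    paths = [PureWindowsPath(m) for m in members]
    exes = [p for p in paths if p.suffix.lower() in EXECUTABLE_EXTS]
    notes = [p for p in paths
             if p.suffix.lower() == ".txt" and PASSWORD_NOTE.search(p.stem)]
    score, reasons = 0, []
    if exes:
        score += 2
        reasons.append("executable: " + ", ".join(p.name for p in exes))
    if notes:
        score += 2
        reasons.append("password note: " + ", ".join(p.name for p in notes))
    others = [p for p in paths if p not in exes]
    if exes and len(paths) <= 5 and all(p.suffix.lower() in SUPPORT_EXTS for p in others):
        score += 1
        reasons.append("small bundle: executable plus support files only")
    return score, reasons


def is_suspicious(members, threshold=4):
    """True when the combined signals reach the (assumed) alert threshold."""
    return triage_archive(members)[0] >= threshold


SAMPLES = {
    "listing from the report": ["pass – 123.txt", "DotNetZip.dll", "Present.exe"],
    "constructed: installer": ["setup.exe", "readme.txt", "lib/helper.dll"],
    "constructed: documents": ["report.pdf", "data.csv"],
    "constructed: note only": ["password - hunter2.txt", "photo.jpg"],
}

if __name__ == "__main__":
    for label, members in SAMPLES.items():
        score, reasons = triage_archive(members)
        verdict = "FLAG" if is_suspicious(members) else "ok"
        print(f"{verdict:4} score={score} {label}: {'; '.join(reasons) or 'no signals'}")
```

Only the combination of signals reaches the threshold, so an ordinary installer archive or a lone password note scores below it.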
The .NET payload is also obfuscated with the open-source ConfuserEx tool and includes two anti-debugging capabilities that immediately terminate the process if a debugger or other malware analysis tools are detected.
Researchers were able to de-obfuscate the code and look inside the Echelon sample that was sent to Telegram channel subscribers. According to the researchers, they identified domain detection, which means the sample would try to steal data from any domain that the victim has visited. A detailed list of platforms that the Echelon sample attempted to target is included in the report.
Other features of the malware, according to the researchers, include computer fingerprinting and the ability to take a screenshot of the victim's workstation. According to the researchers, the Echelon sample used in the campaign transmits credentials, other stolen data, and screenshots back to a command-and-control server in a compressed .ZIP file.
According to the researchers, Windows Defender detects and deletes the Present.exe malicious executable sample and flags it as '#LowFI: HookwowLow,' protecting users who have the antivirus program from any potential Echelon damage.
For years, Airzero Sec's Cyber Security Consulting experts have worked on a variety of projects for a number of well-known organizations. Use our previous experience to your advantage, whether it's to help you get there or to perform technical tests. If you have any questions about Telegram being used to steal the passwords of bitcoin wallets, please contact us. Airzero Sec will be your digital partner.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/