The New Masad Stealer and Clippper Targets Cryptocurrency Investors

Masad Stealer and Clipper

To say that cryptocurrency investors have been on a wild ride over the last few years would be an understatement. What was once hailed as the money of the future has proven to be quite unstable, and the market's volatility has driven many people away from the concept of owning digital money. The trade is still going, though, and there are quite a few cybercriminals willing to get a piece of the action as well. The creators of the Masad Stealer and Clipper, for example, have come up with a few interesting ways of (among other things) stealing unsuspecting users' digital coins.

Researchers from Juniper Threat Labs were the first to analyze and comment on the malware last week. They didn't say when they spotted Masad for the first time, but they did note that in total, they have seen more than 1,000 samples used in approximately 340 separate campaigns.

Masad – a powerful information-stealing malware that anyone can buy

Of course, not all these campaigns are run by the same group of criminals. Masad is actually an off-the-shelf malware that wannabe cybercrooks with a few coins in their pockets can go and buy. There's even a free version, though according to the experts, it comes with limited functionality. The full bells-and-whistles variant is quite powerful, it costs $85, and potential customers can get it through a Telegram group which, when Juniper's experts checked, had just over 300 active users in it.

How Masad works

The same group chat is also used for technical support, and the fact that the crooks picked this particular application for communicating with its customers probably shouldn't be that surprising. The malware itself uses the encrypted chat service as a Command & Control (C&C) channel, which means that it's less likely to be spotted because the Telegram protocol is used for completely legitimate purposes by over 200 million people.

Depending on the campaign, users can find Masad either as a standalone file or bundled with other applications. The experts have seen it trying to impersonate system optimization tools like CCleaner, Windows built-in utilities, as well as cracking programs for video games and paid software.

After execution, Masad drops itself in the %AppData% folder and establishes persistence with the help of a scheduled task which runs it once every sixty seconds. Then, the information collection operation starts.

When the researchers ran Masad in their sandbox, the malware didn't manage to steal all that much. Some system data was saved in a TXT file, the browser cookies and the desktop files were organized in two separate folders, and all this, along with a screenshot of whatever the victim was seeing, was automatically put in a 7Z archive and prepared to be sent to a Telegram bot controlled by the operators.

When they examined the malware's code, however, the experts saw that Masad is capable of stealing a whole lot more. The malware can collect and exfiltrate anything from Steam files, through all sorts of cryptocurrency wallets, to passwords and credit cards saved with web browsers. Monetizing on all that data could be rather lucrative, but just to be sure, Masad's creators have added another trick which can help them net even more crypto coins.

The malware is designed to constantly monitor the infected device's clipboard. If it thinks that the victim has copied a cryptocurrency address, Masad automatically swaps it with an address that the malware's authors have previously hardcoded into the malware. That way, if the user doesn't spot the different address when they paste it in the intended field, the cryptocurrency is redirected to a wallet controlled by the crooks.

It's an interesting tactic that seems to be rather effective. Juniper's researchers examined a wallet used during one of the campaigns and saw that as of September 15, it had already received more than $9,000, though they did point out that there's no way of knowing if the full amount is the result of the Masad campaign.

Whatever the case, Masad is clearly a formidable threat not just to cryptocurrency investors, but to everyone. As always, protecting yourself against it involves downloading only legitimate software from legitimate sources and keeping a system that's well protected and completely patched-up.

September 30, 2019