![]() ![]() The creators of HackBoss didn’t just use the Telegram messenger channel to promote their malware. When it found that format, the malware replaced the wallet with one of its own in an attempt to steal users’ cryptocurrency. ![]() Once active, HackBoss regularly checked the clipboard content for anything resembling a cryptocurrency wallet address. It also led the campaign to trigger the malware every minute using a scheduled task and at startup using a registry key. ![]() Clicking on any of the buttons caused the campaign to decrypt and execute its malicious payload. These fake cracking applications contained a link to an encrypted or anonymous file storage to download the software as a. There, they advertised applications claiming to be “the best software for hackers (hack bank / dating / bitcoin).”īut they never were. The malware actors used a Telegram messenger channel called HackBoss. Become a HackBoss… by Getting Infected Yourself This could be a sign that HackBoss’s handlers used the same cryptocurrency wallet addresses to conduct other campaigns. The security firm found that some of those wallet addresses were also associated with scams designed to trick users into buying fake software. The actual amount stolen by HackBoss could be less, however. Together, those wallets contained a collective total of over $560,000 at the time of analysis. Read on to learn how the HackBoss actors are tricking wanna-be attackers via their own Telegram messenger channel.Īvast found over 100 cryptocurrency wallet addresses belonging to the malware family’s creators. One notable element of this campaign is that it’s targeting people who want to make a buck through sketchy means themselves. Though anyone can look up whether a particular individual is a Telegram user, as the company points out, collecting this information on such a large scale creates a different type of security concern, cataloging the majority of the service's users in addition to targeting a particular few.Digital attackers are leveraging ads on the Telegram messenger app to target cryptocurrency owners with samples of HackBoss malware. The hackers also cast a wider net, though, by using Telegram's API to confirm the phone numbers and usernames of 15 million out of roughly 20 million Iranian Telegram accounts. "The fact that they're going after these individuals shows that this is part of a larger understanding of the opposition environment inside of the country." "The individuals that are targeted are individuals who are human rights activists, they’re opposition figures, they’re individuals tied with people who are currently in jail or under house arrest or these sorts of things," Anderson said. The roughly 12 people directly targeted in this hack were people like that. It is used by activists, journalists, and citizens more broadly to work around stringent government media control. The service has become an important toolfor collecting and disseminating information in Iran. Telegram has about 100 million users worldwide and 20 million in Iran. In the case of the Telegram attacks, the researchers also suggested that SMS messages may have been compromised by Iranian cell phone companies themselves, an industry that also has potential ties to the government. "Their focus generally revolves around those with an interest in Iran and defense issues, but their activity is absolutely global," says John Hultquist, who manages the cyber espionage intelligence team at the security firm FireEye, of Rocket Kitten. There is widespread speculation that Rocket Kitten has ties to the Iranian government. The researchers think the Iranian hacking group Rocket Kitten is behind the Telegram breaches, based on similarities to the infrastructure of past phishing attacks attributed to the group. A hacker with access to someone's text messages can obtain these codes and enter them to add their own devices to the person's account, thus gaining access to their data including chat histories. The texts contain a verification code that Telegram asks people to enter to complete a new device setup. Amnesty International technologist and researcher Claudio Guarnieri and independent security researcher Collin Anderson traced recent Telegram account breaches in Iran to the SMS messages Telegram sends to people when they activate a new device. ![]()
0 Comments
Leave a Reply. |