Researchers discovered that cybercriminals are using the Echelon info stealer to attack the crypto-wallets of Telegram users in an attempt to deceive new or naïve members of a cryptocurrency discussion group on the messaging network.
Researchers from SafeGuard Cyber's Division Seven threat analysis section discovered a sample of Echelon in a cryptocurrency-focused Telegram channel in October, according to an investigation published on Thursday.
The malware used throughout the campaign is designed to exploit credentials from a variety of messaging and file-sharing channels, such as Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as a variety of cryptocurrency wallets, which include AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx, and Monero.
The campaign was a “spray and pray” effort: “Based on the malware and how it was posted, SafeGuard Cyber believes that it was not part of a coordinated campaign, and was simply targeting new or naïve users of the channel,” according to the report.
Researchers discovered that attackers had been using the handle "Smokes Night" to disseminate Echelon on the channel, although it's unknown how successful they were. "The post did not appear to be a response to any of the surrounding messages in the channel," they added.
According to the researchers, additional users on the channel didn't even appear to detect anything strange or engage with the post. However, this does not imply that the malware did not reach consumers' devices, according to the experts.
“We did not see anyone respond to ‘Smokes Night’ or complain about the file, though this does not prove that users of the channel did not get infected,” they wrote.
The Telegram messaging platform has undoubtedly become a hotspot of activity for hackers, who've already taken advantage of its popularity and large attack surface by distributing malware on the network via bots, rogue accounts, and other methods.
Echelon was delivered to the cryptocurrency channel in the form of a.RAR file called "present).rar," which contained three files: "pass – 123.txt," a benign text document comprising a password; "DotNetZip.dll," a non-malicious class library and toolset for manipulating.ZIP files; and "Present.exe," the malicious executable for the Echelon credential stealer.
The.NET payload also featured numerous characteristics that made it hard to identify or analyze, such as two anti-debugging capabilities that immediately terminate the process if a debugger or other malware analysis techniques are identified, and obfuscation utilizing the open-source ConfuserEx program.
According to the researchers, additional characteristics of the malware include computer fingerprinting and the ability to take a screenshot of the victim's workstation. According to the researchers, the Echelon sample taken from the campaign uses a compressed.ZIP file to deliver passwords as well as other stolen data and screenshots back to a command-and-control server.
