Lookalike Telegram and WhatsApp Websites Distributing Cryptocurrency Stealing Malware

Mar
17,
2023Ravie
LakshmananCryptocurrency
/
Mobile
Security

Copycat
websites
for
instant
messaging
apps
like
Telegram
and
WhatApp
are
being
used
to
distribute
trojanized
versions
and
infect
Android
and
Windows
users
with
cryptocurrency

clipper
malware.

“All
of
them
are
after
victims’
cryptocurrency
funds,
with
several
targeting
cryptocurrency
wallets,”
ESET
researchers
Lukáš
Štefanko
and
Peter
Strýček

said
in
a
new
analysis.

While
the

first
instance
of
clipper
malware
on
the
Google
Play
Store
dates
back
to
2019,
the
development
marks
the
first
time
Android-based
clipper
malware
has
been
built
into
instant
messaging
apps.

“Moreover,
some
of
these
apps
use
optical
character
recognition
(OCR)
to
recognize
text
from
screenshots
stored
on
the
compromised
devices,
which
is
another
first
for
Android
malware.”

The
attack
chain
begins
with
unsuspecting
users
clicking
on
fraudulent
ads
on
Google
search
results
that
lead
to
hundreds
of
sketchy
YouTube
channels,
which
then
direct
them
to
lookalike
Telegram
and
WhatsApp
websites.

What’s
novel
about
the
latest
batch
of
clipper
malware
is
that
it’s
capable
of
intercepting
a
victim’s
chats
and
replacing
any
sent
and
received
cryptocurrency
wallet
addresses
with
addresses
controlled
by
the
threat
actors.

Another
cluster
of
clipper
malware
makes
use
of
OCR
to
find
and
steal

seed
phrases
by
leveraging
a
legitimate
machine
learning
plugin
called

ML
Kit
on
Android,
thereby
making
it
possible
to
empty
the
wallets.

A
third
cluster
is
designed
to
keep
tabs
on
Telegram
conversations
for
certain
Chinese
keywords,
both
hard-coded
and
received
from
a
server,
related
to
cryptocurrencies,
and
if
so,
exfiltrate
the
complete
message,
along
with
the
username,
group
or
channel
name,
to
a
remote
server.

Lastly,
a
fourth
set
of
Android
clippers
come
with
capabilities
to
switch
the
wallet
address
as
well
as
harvest
device
information
and
Telegram
data
such
as
messages
and
contacts.

The
rogue
Android
APK
package
names
are
listed
below
–

• org.telegram.messenger
• org.telegram.messenger.web2
• org.tgplus.messenger
• io.busniess.va.whatsapp
• com.whatsapp

ESET
said
it
also
found
two
Windows
clusters,
one
which
is
engineered
to
swap
wallet
addresses
and
a
second
group
that
distributes
remote
access
trojans
(RATs)
in
place
of
clippers
to
gain
control
of
infected
hosts
and
perpetrate
crypto
theft.

All
the
analyzed
RAT
samples
are
based
on
the
publicly
available

Gh0st
RAT,
barring
one,
which
employs
more
anti-analysis
runtime
checks
during
its
execution
and
uses
the

HP-socket
library
to
communicate
with
its
server.

It’s
also
worth
pointing
out
that
these
clusters,
despite
following
a
similar
modus
operandi,
represent
disparate
sets
of
activity
likely
developed
by
different
threat
actors.

The
campaign,
like
a

similar
malicious
cyber
operation
that
came
to
light
last
year,
is
geared
towards
Chinese-speaking
users,
primarily
motivated
by
the
fact
that
both
Telegram
and
WhatsApp
are
blocked
in
the
country.

“People
who
wish
to
use
these
services
have
to
resort
to
indirect
means
of
obtaining
them,”
the
researchers
said.
“Unsurprisingly,
this
constitutes
a
ripe
opportunity
for
cybercriminals
to
abuse
the
situation.”