Avast experts have discovered HackBoss, a cryptocurrency-stealing malware that spreads via Telegram disguised as a free tool for novice hackers.
The creators of HackBoss have already stolen more than $500,000 from the “novice hackers” who fell for the trick.
HackBoss poses as free hacking tools: most often password brute-forcers for bank accounts, dating sites and social networks. Each advertisement is accompanied by a detailed description of the fake tool to make the offer look believable. That does not stop the crooks from disguising it as more legitimate software as well, for example VulkanRT libraries.
The HackBoss Telegram channel publishes about nine such posts a month, each with more than 1,300 views, and the channel already has over 2,800 subscribers (according to Telemetrio).
The malware is packaged in a .ZIP archive containing an executable that launches a simple user interface. Whichever option is chosen, the only thing the malware actually does is decrypt and launch a cryptocurrency-stealing payload on the victim’s system; this happens as soon as any button on the fake interface is pressed. The malware can also make itself persistent: it modifies the registry or adds a scheduled task that runs the payload every minute.
“If a malicious process is terminated (for example, using the Task Manager), it can start again at system startup or from the scheduled task the next minute,” the experts write.
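The persistence described above, a scheduled task re-running a payload every minute, leaves a recognisable trace in the task's exported XML: a trigger whose `Repetition/Interval` is very short, executing something from a user-writable directory. The following script is an added example for hunting that pattern in exported task definitions (for instance from `schtasks /query /xml`); it is not Avast's code or anything published with the HackBoss report. The two task definitions and the `PLACEHOLDER` path are constructed for illustration, not observed indicators, and the list of user-writable directory hints is an assumption kept deliberately small.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Windows scheduled-task XML.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a minute-by-minute task normally has no business running from.
# Assumption: a minimal list for illustration, not an exhaustive policy.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def iso_duration_seconds(value: str) -> int:
    """Convert the ISO 8601 durations Task Scheduler uses (PT1M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def suspicious_command(command: str) -> bool:
    """True when the executed path lives somewhere an unprivileged user can write."""
    lowered = command.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def find_tight_repetition(task_xml: str, max_interval_seconds: int = 300) -> list:
    """Return one finding per trigger whose repetition interval is at most
    max_interval_seconds, together with the commands the task executes."""
    root = ET.fromstring(task_xml)
    commands = [
        (c.text or "").strip()
        for c in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS)
    ]
    findings = []
    for interval in root.iterfind(".//t:Triggers//t:Repetition/t:Interval", TASK_NS):
        seconds = iso_duration_seconds(interval.text or "")
        if seconds <= max_interval_seconds:
            findings.append({
                "interval": (interval.text or "").strip(),
                "seconds": seconds,
                "commands": commands,
                "user_writable_path": any(suspicious_command(c) for c in commands),
            })
    return findings


# Constructed sample: what a persistence task like the one described above might
# look like when exported. The path is a placeholder, not an observed indicator.
SAMPLE_HIJACK_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\PLACEHOLDER\\payload.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: an hourly task under Program Files produces no finding.
SAMPLE_BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition>
        <Interval>PT1H</Interval>
      </Repetition>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("hijack", SAMPLE_HIJACK_TASK), ("benign", SAMPLE_BENIGN_TASK)):
        print(name, find_tight_repetition(xml))
```

The interval threshold (five minutes by default) is a tuning knob: legitimate updaters do repeat, but rarely every minute and rarely from a profile directory, so the combination of a tight interval and a user-writable path is what is worth escalating. The same check applies to the Run-key variant mentioned in the article, with the registry value's command line fed to `suspicious_command`.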
The malware’s functionality is simple: it monitors the clipboard for cryptocurrency wallet addresses and replaces any it finds with wallets belonging to the criminals. So when the victim copies a recipient’s wallet address to make a cryptocurrency payment, HackBoss swaps it in the clipboard, and few users check the address field before clicking the pay button.
Avast analysts found more than 100 cryptocurrency wallet addresses linked to HackBoss, to which over $560,000 in various cryptocurrencies has been transferred since November 2018. Not all of these funds were obtained by the cryptocurrency-stealing malware: some of the wallets were tied to another scam in which victims paid for various fake software.
The researchers write that the authors of HackBoss also promote their fake hacking tools outside Telegram, although the messenger remains the main distribution channel. For example, the operators have a blog (cranhan.blogspot[.]com) where the fake tools are advertised and promo videos are published, and the malware is also advertised on public forums.
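The clipboard-swapping behaviour has a simple detectable signature: one wallet address is replaced by a different address of the same format within a fraction of a second of the user copying it, which a human never does. The script below is an added example of that check, written here to illustrate the article; it is not Avast's code and not derived from HackBoss itself. The address patterns are a simplified set (an assumption, not a complete catalogue of formats), and the clipboard timeline is constructed, with obviously fake addresses, rather than captured data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified wallet-address shapes (assumption: enough to illustrate the check,
# not a complete catalogue of address formats).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return which address format the clipboard text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since the monitor started
    content: str   # clipboard text at that moment


def detect_swaps(events: List[ClipboardEvent], window_seconds: float = 2.0) -> list:
    """Flag the clipper signature: a wallet address replaced by a *different*
    address of the same format within a short window of the user copying it.
    A clipper keeps the format so the payment still goes through; a user who
    copies a second address normally takes far longer than the window."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind_prev, kind_cur = address_kind(prev.content), address_kind(cur.content)
        if (kind_prev is not None and kind_prev == kind_cur
                and prev.content != cur.content
                and cur.ts - prev.ts <= window_seconds):
            alerts.append({
                "at": cur.ts,
                "kind": kind_cur,
                "original": prev.content,
                "replacement": cur.content,
            })
    return alerts


# Constructed clipboard timeline with made-up addresses (not captured data).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes"),
    ClipboardEvent(10.0, "1Victim" + "X" * 27),     # user copies the recipient
    ClipboardEvent(10.3, "1Attacker" + "X" * 25),   # rewritten 300 ms later
    ClipboardEvent(50.0, "0x" + "ab" * 20),
    ClipboardEvent(120.0, "0x" + "cd" * 20),        # 70 s later: the user's own copy
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap at t={alert['at']}s ({alert['kind']}): "
              f"{alert['original']} -> {alert['replacement']}")
```

In a live monitor the events would come from polling the clipboard on the host; the logic stays the same. The window is deliberately short so that a user pasting one address, then copying another a minute later, is not flagged, and the alert carries both values so the analyst can compare the replacement against known bad wallets such as those in Avast's published indicator list.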
A complete list of indicators of compromise is available on the company’s GitHub page.
Let me also remind you, in case you are interested, that the LockBit malware operator says Russia is the best country for cybercriminals.