Cryptocurrency traders and firms
Mobile Chat Groups
SafeGuard Cyber detected a remote access trojan (RAT) posted to a Telegram discussion channel in June 2022.
It is unknown if it was part of a coordinated campaign, or if it was simply mass targeting users of the channel.
In June 2022, SafeGuard Cyber detected a Trojan posted in a public crypto Telegram channel that we monitor as part of our work with our financial service customers. We analyzed and identified the malware sample as a generic Trojan and reviewed the messages surrounding the post.
SafeGuard Cyber believes this Trojan was meant to target new or unsuspecting users of the channel and is used to steal cryptocurrency keys.
- The handle “港島輝達資本” (Chinese for “Hong Kong Island Huida Capital”) and the handle “Your Grace” were used on the channel to attempt to spread the malware.
- The handle “Your Grace” was seen attempting to post an archive file containing the malware, but no further messaging was seen from the handle.
- The handle “港島輝達資本” posted many messages, including various image files, and one of them appeared to be the malware. The lure appears to be spamming images until a victim inadvertently clicks on the attachment.
- The “港島輝達資本” handle was seen having routine conversations within the channel.
- The post did not appear to be a response to any of the surrounding messages in the channel.
We did not find that anyone responded to either handle or complained about the file, though this does not prove that users of the channel were not infected.
After execution, a command prompt window is displayed, along with what appears to be an error window containing indiscernible text. After the user hits ‘enter’ in the command prompt window, the program pings the localhost. The program then exits, removes itself from the desktop and continues running as “Skc3sk.exe”. It also places a copy in the SysWOW64 folder and tries to pass itself off as an operating system file. The task “Skc3sk.exe” runs persistently in the background. It is assumed that the callout and ping command are meant to beacon to the attacker that the connection is active.
The malware also appears to create hidden copies of the victims’ private and public key store. Since this malware was detected in a cryptocurrency platform, it can be assumed that it is targeting victim keys used for cryptocurrency. In addition, since the additional program was dropped into the SysWOW64 folder to hide it, this malware could also be used as a backdoor.
No further activity was found regarding this sample.
File Creation Date: May 8 2022
Malicious - Trojan
This sample does not establish persistence
- MD5 Hash: 26f9be65373c00e14f21e90a53b23f36
- MD5 Hash: 4d104eed48acba38f9b6544820a00407
- IP: 22.214.171.124:8520
- This attack didn’t appear to be targeted directly at a particular user and was just trying to lure a user to inadvertently download the malware.
- SafeGuard Cyber believes that the attacker was attempting to mask the malicious file as an image document.
- The Trojan has backdoor functions as well as data-stealing functions targeting cryptocurrency authentication tokens on the victim’s machine.
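As an added example (not part of SafeGuard Cyber’s report), the following Python script shows how a defender could hunt for the artifacts described above in endpoint telemetry: it matches Sysmon-style process-create, file-create and network-connect events against the two MD5 hashes, the dropped Skc3sk.exe copy in SysWOW64 and the reported IP:port. The log lines are constructed, and the field names assume Sysmon’s key=value layout.

```python
import re
from ntpath import basename  # splits Windows paths correctly on any OS

# Indicators taken from the report above.
KNOWN_MD5 = {"26f9be65373c00e14f21e90a53b23f36", "4d104eed48acba38f9b6544820a00407"}
C2_ENDPOINT = ("22.214.171.124", "8520")
DROPPED_NAME = "skc3sk.exe"

# Constructed Sysmon-style events (hypothetical, not captured telemetry).
# EventID 1 = process create, 11 = file create, 3 = network connect.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Users\alice\Downloads\photo_0612.jpg.exe Hashes=MD5=26F9BE65373C00E14F21E90A53B23F36
EventID=11 Image=C:\Users\alice\Downloads\photo_0612.jpg.exe TargetFilename=C:\Windows\SysWOW64\Skc3sk.exe
EventID=1 Image=C:\Windows\SysWOW64\Skc3sk.exe Hashes=MD5=4D104EED48ACBA38F9B6544820A00407
EventID=3 Image=C:\Windows\SysWOW64\Skc3sk.exe DestinationIp=22.214.171.124 DestinationPort=8520
EventID=1 Image=C:\Program Files\Mozilla Firefox\firefox.exe Hashes=MD5=0123456789ABCDEF0123456789ABCDEF
EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=203.0.113.10 DestinationPort=443
""".strip()

# Key=Value pairs; a value runs until the next " Key=" so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> dict:
    """Split one Sysmon-style 'Key=Value Key=Value' line into a dict."""
    return dict(FIELD_RE.findall(line))

def match_rules(event: dict) -> list:
    """Return the names of every report indicator this event matches."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", "")).lower()
    md5 = re.search(r"MD5=([0-9a-fA-F]{32})", event.get("Hashes", ""))
    if md5 and md5.group(1).lower() in KNOWN_MD5:
        hits.append("known_sample_hash")
    if eid == "11" and basename(event.get("TargetFilename", "")).lower() == DROPPED_NAME:
        hits.append("dropped_copy_written")
    if eid == "1" and image == DROPPED_NAME:
        hits.append("dropped_copy_executed")
    if eid == "3" and (event.get("DestinationIp"), event.get("DestinationPort")) == C2_ENDPOINT:
        hits.append("beacon_to_reported_ip")
    return hits

def scan(log_text: str) -> list:
    """Return (line_number, rule) pairs for every matching event in the log."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for rule in match_rules(parse_event(line)):
            alerts.append((n, rule))
    return alerts
```

Calling `scan(SAMPLE_EVENTS)` flags the first four constructed lines and leaves the two Firefox lines untouched; pointing `scan` at exported Sysmon text lets the same rules run over real telemetry.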