
Crypto Theft Malware in Telegram Channel | SafeGuard Cyber

Written by Michael Tobey | Jul 12, 2022 10:00:00 AM
Target:
Cryptocurrency traders and firms
Communication Channels:
Mobile Chat Groups

Executive Summary

SafeGuard Cyber detected a remote access trojan (RAT) posted to a Telegram discussion channel in June 2022.

It is unknown if it was part of a coordinated campaign, or if it was simply mass targeting users of the channel.

Background

In June 2022, SafeGuard Cyber detected a Trojan posted in a public crypto Telegram channel that we monitor as part of our work with our financial service customers. We analyzed and identified the malware sample as a generic Trojan and reviewed the messages surrounding the post.

Event Analysis

SafeGuard Cyber believes this Trojan was meant to target new or unsuspecting users of the channel and is used to steal cryptocurrency keys.

  • The handle “港島輝達資本” (Chinese for “Hong Kong Island Huida Capital”) and the handle “Your Grace” were used on the channel to attempt to spread the malware.
  • The handle “Your Grace” was seen attempting to post an archive file containing the malware, but no further messaging was seen from the handle.
  • The handle “港島輝達資本” posted many messages, including various image files, and one of them appeared to be the malware. The lure appears to be spamming images until a victim inadvertently clicks on the attachment.
  • The “港島輝達資本” handle was seen having routine conversations within the channel.
  • The post did not appear to be a response to any of the surrounding messages in the channel.

We did not find that anyone responded to either handle or complained about the file, though this does not prove that users of the channel were not infected.

Malware Summary

After execution, a command prompt window is displayed, along with what appears to be an error window containing unreadable text. After the user hits ‘enter’ in the command prompt window, the program pings the localhost. The program then exits, removes itself from the desktop and runs as “Skc3sk.exe”. It also places a copy in the SysWOW64 folder and tries to pass itself off as an operating system file. The task “Skc3sk.exe” runs persistently in the background. It is assumed that the callout and ping command are meant to signal to the attacker that the connection is active.

The malware also appears to create hidden copies of the victims’ private and public key store. Since this malware was detected in a cryptocurrency channel, it can be assumed that it is targeting keys the victims use for cryptocurrency. In addition, because the secondary program is dropped into the SysWOW64 folder to hide among operating system files, this malware could also be used as a backdoor.

No further activity was found regarding this sample.

Technical Details

Filename:
#01.exe

File Creation Date:
May 8 2022

Hashes:
MD5: 26f9be65373c00e14f21e90a53b23f36
SHA-1: 3ec0a7cd02ed8a3575ea02fce967e6047015505b
SHA-256: 40c7f0ef1fe74c46cb486b2fb026a547fafd93507ddf0cf0919fdd150c68929a

Disposition:
Malicious - Trojan

Dropped Files:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\private_keys\msedgewin10.pem
C:\ProgramData\PuppetLabs\puppet\etc\ssl\public_keys\msedgewin10.pem
C:\Users\All Users\PuppetLabs\puppet\etc\ssl\private_keys\msedgewin10.pem
C:\Users\All Users\PuppetLabs\puppet\etc\ssl\public_keys\msedgewin10.pem
C:\Windows\SysWOW64\Skc3sk.exe

Persistence:
This sample does not establish persistence

Network Traffic:
202.95.15.26:8520

Skc3sk.exe

Hashes:
MD5: 4d104eed48acba38f9b6544820a00407
SHA-1: 8abde557a32b022341153b52288cdcb7ef8c55e4
SHA-256: 25a604e9ead508d18b50f379d26b3a2edfd7c395f8fc4298f8fddb4037b332e6

IOCs

  • MD5 Hash: 26f9be65373c00e14f21e90a53b23f36
  • MD5 Hash: 4d104eed48acba38f9b6544820a00407
  • IP: 202.95.15.26:8520
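The following is an added example, not code from SafeGuard Cyber or from the report itself: a small triage script that turns the indicators listed in the Technical Details and IOCs sections (the two file hashes, the dropped-file paths and the C2 address) into checks a defender can run over host and network telemetry. The hash values, paths and IP:port are copied from the report; the telemetry lines and file events it scans are constructed for the demonstration and are not real logs from the incident.

```python
from __future__ import annotations

import hashlib
import re

# Indicators copied from the report above.
KNOWN_MD5 = {
    "26f9be65373c00e14f21e90a53b23f36": "#01.exe (initial sample)",
    "4d104eed48acba38f9b6544820a00407": "Skc3sk.exe (dropped copy)",
}
KNOWN_SHA256 = {
    "40c7f0ef1fe74c46cb486b2fb026a547fafd93507ddf0cf0919fdd150c68929a": "#01.exe (initial sample)",
    "25a604e9ead508d18b50f379d26b3a2edfd7c395f8fc4298f8fddb4037b332e6": "Skc3sk.exe (dropped copy)",
}
C2_IP, C2_PORT = "202.95.15.26", 8520
DROPPED_PATHS = {
    r"C:\Windows\SysWOW64\Skc3sk.exe",
    r"C:\ProgramData\PuppetLabs\puppet\etc\ssl\private_keys\msedgewin10.pem",
    r"C:\ProgramData\PuppetLabs\puppet\etc\ssl\public_keys\msedgewin10.pem",
    r"C:\Users\All Users\PuppetLabs\puppet\etc\ssl\private_keys\msedgewin10.pem",
    r"C:\Users\All Users\PuppetLabs\puppet\etc\ssl\public_keys\msedgewin10.pem",
}
_DROPPED_LOWER = {p.lower() for p in DROPPED_PATHS}


def hash_bytes(data: bytes) -> tuple[str, str]:
    """Return (md5, sha256) hex digests for a file's contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify_hashes(md5: str | None = None, sha256: str | None = None) -> str | None:
    """Label a file by the report's hashes; SHA-256 is checked first because MD5 is collision-prone."""
    if sha256 and sha256.lower() in KNOWN_SHA256:
        return KNOWN_SHA256[sha256.lower()]
    if md5 and md5.lower() in KNOWN_MD5:
        return KNOWN_MD5[md5.lower()]
    return None


def is_dropped_path(path: str) -> bool:
    """Case-insensitive match against the dropped-file paths (NTFS paths are case-insensitive)."""
    return path.strip().lower() in _DROPPED_LOWER


# Destination "ip[:port]" at the end of a flow record, e.g. "-> 202.95.15.26:8520".
NETFLOW_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s*$")


def scan_netflow(text: str) -> list[tuple[str, str]]:
    """Flag flows to the report's C2 host.

    An exact IP:port match is 'high' confidence; the same IP on another port
    is 'medium', since an attacker host may listen on more than one port.
    """
    hits = []
    for line in text.splitlines():
        m = NETFLOW_RE.search(line)
        if not m or m.group(1) != C2_IP:
            continue
        port = m.group(2)
        confidence = "high" if port is not None and int(port) == C2_PORT else "medium"
        hits.append((line, confidence))
    return hits


# Constructed sample telemetry for the demonstration (not real logs from the incident).
SAMPLE_NETFLOW = """\
2022-06-14T10:02:11Z TCP 10.0.0.5:51234 -> 203.0.113.10:443
2022-06-14T10:02:13Z TCP 10.0.0.5:51240 -> 202.95.15.26:8520
2022-06-14T10:02:14Z ICMP 10.0.0.5 -> 127.0.0.1
2022-06-14T10:03:01Z TCP 10.0.0.5:51255 -> 202.95.15.26:443
"""

SAMPLE_FILE_EVENTS = [
    r"C:\Windows\SysWOW64\Skc3sk.exe",
    r"C:\Windows\System32\Skc3sk.exe",
    r"c:\programdata\puppetlabs\puppet\etc\ssl\private_keys\MSEDGEWIN10.pem",
]

if __name__ == "__main__":
    print("EDR alert hash:", classify_hashes(md5="26F9BE65373C00E14F21E90A53B23F36"))
    print("local file    :", classify_hashes(*hash_bytes(b"not the sample")))
    for p in SAMPLE_FILE_EVENTS:
        print(("DROPPED " if is_dropped_path(p) else "ok      ") + p)
    for line, conf in scan_netflow(SAMPLE_NETFLOW):
        print(f"[{conf}] {line}")
```

The ICMP line to 127.0.0.1 in the sample corresponds to the localhost ping described in the Malware Summary; it is deliberately not flagged, since a loopback ping on its own is too common to act on, whereas the 202.95.15.26 connections are worth escalating.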

Key Takeaways

  • This attack didn’t appear to be targeted directly at a particular user and was just trying to lure a user to inadvertently download the malware.
  • SafeGuard Cyber believes that the attacker was attempting to mask the malicious file as an image document.
  • The Trojan has backdoor functions as well as data-stealing functions targeting cryptocurrency authentication tokens on the victim’s machine.
