A new Trojan-delivered spyware, identified on black market forums as the “Masad Clipper and Stealer,” is stealing cryptocurrency, private passwords and credit card information.
The malware, discovered by Juniper Threat Labs, automatically replaces crypto wallet addresses copied to the clipboard with its own address in order to steal users’ funds.
Juniper’s blog post explains,
“Masad Stealer sends all of the information it collects [through] a Telegram bot controlled by the threat actor…. Because Masad is being sold as off-the-shelf malware, it will [most likely] be deployed by multiple threat actors.”
The malware works on the Windows operating system and targets wallet addresses if they match a list of coins.
Juniper’s researchers have found that Masad Stealer can replace Bitcoin, Monero (XMR), Cardano (ADA), Ether (ETH), Dash (DASH), XRP, Litecoin (LTC), and several other cryptocurrency addresses in order to transfer users’ funds to the hacker’s address.
So far, Juniper says the Bitcoin address connected to the malware contains more than $9,000 worth of BTC.
After the malware installs itself on victims’ computers, it begins trying to steal personal information including users’ crypto wallet addresses and credit card information, as well as general PC and system info.
The malicious program also tries to gather users’ Discord and Telegram data.
Masad Stealer then compresses all the files and sends them to the thief’s computer system.
“Based on our telemetry, Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools. Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites.”
You can find the full list of malware-containing software to avoid here.