HackBoss Malware Spreads via Telegram and Steals Cryptocurrency

Security experts at Avast have discovered a cryptocurrency-stealing tool called HackBoss, which is distributed on Telegram disguised as free malware for beginners. The creators of HackBoss have already stolen over $500,000 from “beginner hackers” who fell for this scheme.

HackBoss is mainly disguised as free hacking tools, most often for brute-forcing passwords for bank accounts, dating sites, and social networks. Each promotional post is accompanied by a detailed description of the fake tool to make the offer appear legitimate.

The HackBoss Telegram channel publishes about nine such posts each month, each receiving more than 1,300 views. The channel’s subscriber count has already surpassed 2,800 people, according to Telemetrio.

The malware is packed in a .ZIP archive containing an executable file that launches a simple user interface. Regardless of the available options, the sole purpose of the malware is to decrypt and run a cryptocurrency-stealing payload on the victim’s system. This occurs when any button on the fake interface is pressed. HackBoss can also establish persistence on the system by making changes to the registry or adding a scheduled task that launches the payload every minute.

“If the malicious process is terminated (for example, using Task Manager), it can restart when the system boots up or when the scheduled task runs the following minute,” the experts note.

The malware’s functionality is straightforward: it monitors the clipboard for cryptocurrency wallet data and replaces it with wallets belonging to the attackers. As a result, when a victim makes a cryptocurrency payment and copies the recipient’s wallet address, HackBoss swaps it in the clipboard for one of the attackers’ addresses; few users double-check this string before clicking the payment button.
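The clipboard-swapping behaviour described above can be spotted from the defender's side by watching for an address that changes into a different address of the same family faster than a person could copy a new one. The following is an added example written for this article, not Avast's code or anything from the HackBoss report; the address shapes, the two-second threshold and the sample clipboard sequence are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Rough shape checks for the address families a clipboard swapper typically targets.
# Constructed patterns: they test format only, not checksum validity.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family that text looks like, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class ClipboardSample:
    t: float   # seconds since monitoring started
    text: str  # clipboard content observed at that moment


def detect_clipboard_swaps(samples, max_gap=2.0):
    """Flag each sample where an address was replaced by a different address of the
    same family within max_gap seconds. A human copying a second address takes far
    longer; a swapper reacts in milliseconds. Returns (time, before, after) tuples."""
    alerts = []
    prev = None
    for cur in samples:
        if prev is not None:
            before, after = prev.text.strip(), cur.text.strip()
            kind = address_kind(before)
            if kind and kind == address_kind(after) and before != after \
                    and cur.t - prev.t <= max_gap:
                alerts.append((cur.t, before, after))
        prev = cur
    return alerts


# Constructed clipboard timeline: a real copy, a swap 300 ms later, then normal use.
SAMPLE_CLIPBOARD = [
    ClipboardSample(0.0, "meeting notes"),          # not an address
    ClipboardSample(5.0, "1" + "A" * 33),           # user copies recipient's BTC address
    ClipboardSample(5.3, "1" + "B" * 33),           # replaced almost instantly: swap
    ClipboardSample(60.0, "0x" + "a" * 40),         # user copies an ETH address
    ClipboardSample(95.0, "0x" + "b" * 40),         # 35 s later: a deliberate second copy
    ClipboardSample(96.0, "1" + "A" * 33),          # different family: not a swap
]

if __name__ == "__main__":
    for t, before, after in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print(f"t={t}s clipboard address swapped: {before} -> {after}")
```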

Avast analysts have identified more than 100 cryptocurrency wallet addresses linked to HackBoss, which have received over $560,000 in various cryptocurrencies since November 2018. Not all of these funds were stolen by the malware itself, as some wallets were also involved in other scams where victims purchased fake software.

Researchers report that the authors of HackBoss promote their fake hacking tools outside of Telegram as well, although the messenger remains the main distribution channel. For example, the hackers run a blog (cranhan.blogspot[.]com) where they advertise fake tools and publish promo videos, and they also place ads for the malware on public forums.

A full list of indicators of compromise is available on the company’s GitHub page.