According to researchers, attackers use the Telegram handle “Smokes Night” to spread the malicious Echelon info stealer, which steals credentials for cryptocurrency and other user accounts.
Researchers discovered that attackers are using the Echelon info stealer to target the crypto-wallets of Telegram users in an attempt to defraud new or unsuspecting users of a cryptocurrency discussion channel on the messaging platform.
Researchers from SafeGuard Cyber’s Division Seven threat analysis unit discovered a sample of Echelon in a cryptocurrency-focused Telegram channel in October, according to an analysis published on Thursday.
The malware used in the campaign is designed to steal credentials from a variety of messaging and file-sharing platforms, including Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as a variety of cryptocurrency wallets, including AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx, and Monero.
The campaign was a “spray and hope” operation: According to the report, “based on the malware and the manner in which it was posted, SafeGuard Cyber believes it was not part of a coordinated campaign and was simply targeting new or naive users of the channel.”
Researchers discovered that attackers used the handle “Smokes Night” to distribute Echelon on the channel, but it’s unclear how successful they were. They wrote, “The post did not appear to be a response to any of the surrounding messages in the channel.”
According to them, other users on the channel did not appear to notice anything suspicious or engage with the message. However, this does not imply that the malware did not reach users’ devices, according to the researchers.
“We did not see anyone respond to ‘Smoke Night’ or complain about the file, though this does not prove that channel users were not infected,” they wrote.
The Telegram messaging app has indeed become a hotbed of activity for cybercriminals, who have taken advantage of its popularity and broad attack surface by distributing malware on the platform via bots, malicious accounts, and other means.
Attackers delivered Echelon to the cryptocurrency channel in an .RAR file titled “present).rar” that included three files: “pass – 123.txt,” a benign text document containing a password; “DotNetZip.dll,” a non-malicious class library and toolset for manipulating .ZIP files; and “Present.exe,” the malicious executable for the Echelon credential stealer.
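The archive layout described above (a password note, a legitimate helper library and a lone executable, under an oddly punctuated name) is a pattern a defender can screen for at the mail or chat gateway. The following is an added triage heuristic, not code from the SafeGuard Cyber report; it works on a member listing so it runs without a RAR library, and the helper-DLL list and the constructed listing in the usage block are assumptions mirroring the reported sample.

```python
# Added example: score an archive's member listing for the lure layout reported
# for "present).rar". Member names and the helper-DLL list are assumptions.
import posixpath

EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js", ".vbs"}
PASSWORD_HINTS = ("pass", "password", "pwd")
# Benign libraries seen shipped beside a stealer to make it run; assumed list.
KNOWN_HELPER_DLLS = {"dotnetzip.dll"}


def triage_archive(archive_name: str, members: list[str]) -> tuple[int, list[str]]:
    """Return (score, reasons). Each matched heuristic adds one point; the
    caller decides the threshold for quarantine or analyst review."""
    reasons: list[str] = []
    names = [posixpath.basename(m).lower() for m in members]
    exts = [posixpath.splitext(n)[1] for n in names]

    # One executable in a very small archive is the classic single-payload drop.
    execs = [n for n, e in zip(names, exts) if e in EXEC_EXTS]
    if len(execs) == 1 and len(members) <= 4:
        reasons.append(f"single executable '{execs[0]}' in a tiny archive")

    # A "pass"/"password" text file bundled with the payload mirrors the lure.
    pw_txt = [n for n, e in zip(names, exts)
              if e == ".txt" and any(h in n for h in PASSWORD_HINTS)]
    if pw_txt:
        reasons.append(f"password-style text file '{pw_txt[0]}' bundled with payload")

    # A known benign helper DLL next to an executable suggests a dropped runtime dep.
    helpers = [n for n in names if n in KNOWN_HELPER_DLLS]
    if helpers and execs:
        reasons.append(f"helper library '{helpers[0]}' shipped next to an executable")

    # Unbalanced parentheses in the archive name, as in the reported "present).rar".
    if archive_name.count("(") != archive_name.count(")"):
        reasons.append(f"unbalanced parentheses in archive name '{archive_name}'")

    return len(reasons), reasons


if __name__ == "__main__":
    # Constructed listing mirroring the reported lure; not a real sample.
    score, why = triage_archive("present).rar",
                                ["pass - 123.txt", "DotNetZip.dll", "Present.exe"])
    print(score, why)
```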
The payload, written in .NET, also included several features that made it difficult to detect or analyze, including two anti-debugging functions that immediately terminate the process if a debugger or other malware analysis tools are detected, and obfuscation using the open-source ConfuserEx tool.
Researchers eventually managed to de-obfuscate the code and peer under the hood of the Echelon sample delivered to users of the Telegram channel. They found that it contains domain detection, meaning the sample will also attempt to steal data related to any domain the victim has visited, researchers wrote. A full list of the platforms the Echelon sample attempted to target is included in the report.
Other features of the malware include computer fingerprinting, as well as the ability to take a screenshot of the victim’s machine, researchers wrote. The Echelon sample lifted from the campaign sends credentials, other stolen data and screenshots back to a command-and-control server in a compressed .ZIP file, they said.
Fortunately, Windows Defender detects and deletes the malicious Present.exe executable and flags it as ‘#LowFI:HookwowLow’, mitigating any potential damage from Echelon for users with the antivirus software installed, researchers noted.