A cryptocurrency-stealing malware family known as HackBoss is being spread via Telegram, disguised as free hacking tools aimed at aspiring cybercriminals.
The researchers who investigated the malware estimate that its operators have stolen more than $500,000 from would-be hackers who fell for the scam.
HackBoss is a simple scheme, but it works because it tempts victims with the promise of hacking tools, typically ones that claim to brute-force passwords for banking, dating, and social media accounts.
Security researchers at Avast, who analyzed HackBoss, said the malware ships in a .ZIP file containing an executable that launches a basic user interface.
The sole purpose of the application is to install and run cryptocurrency-stealing malware on the victim’s computer.
The attack is triggered when the victim presses any of the fake interface's buttons. The same action can also give HackBoss persistence on the victim's system, either by setting a registry key so the payload is launched again at startup or by adding a scheduled task that runs the payload every minute.
Closing the application's UI does not stop the payload, which keeps running in the background. If the malicious process is killed, the scheduled task restarts it within a minute.
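The two persistence mechanisms described above are also the two places a responder should look first. The following is an added triage example written for this article, not code from Avast or from the HackBoss payload: it parses a scheduled task exported with `schtasks /query /xml` and a set of Run-key entries, and flags tasks that re-fire at a tight interval or launch from a user-writable directory. The task XML, the Run-key entries and the five-minute threshold are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Default namespace used by exported Task Scheduler XML (schtasks /query /xml /tn <name>).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption for this example: a payload launched from a directory the user can write to
# (AppData, Temp, Downloads, ProgramData) deserves a closer look than one under System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def duration_to_minutes(value: str):
    """Convert a Task Scheduler ISO-8601 duration (PT1M, PT1H30M, P1D) to minutes, or None."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task_xml(xml_text: str, max_interval_minutes: float = 5.0) -> dict:
    """Flag a task that repeats at a tight interval and/or executes from a user-writable path."""
    root = ET.fromstring(xml_text)
    intervals = [duration_to_minutes(e.text or "")
                 for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    commands = [(e.text or "").strip()
                for e in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    known = [i for i in intervals if i is not None]
    tight_repeat = any(i <= max_interval_minutes for i in known)
    user_path = any(USER_WRITABLE.search(c) for c in commands)
    return {
        "commands": commands,
        "min_interval_minutes": min(known, default=None),
        "tight_repeat": tight_repeat,
        "user_writable_path": user_path,
        "suspicious": tight_repeat or user_path,
    }


def triage_run_key(entries: dict) -> list:
    """Return the names of Run-key entries (name -> command line) that start from a user-writable path."""
    return [name for name, cmd in entries.items() if USER_WRITABLE.search(cmd)]


# Constructed sample resembling an exported task that re-runs a payload every minute.
# (Real exports carry a UTF-16 XML declaration; read those files as bytes before parsing.)
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2021-04-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\update.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast: hourly repetition from a vendor install directory.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2021-04-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed HKCU\...\CurrentVersion\Run contents (value name -> command line).
SAMPLE_RUN_KEY = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r"C:\Users\victim\AppData\Roaming\update.exe",
}

if __name__ == "__main__":
    print(triage_task_xml(SAMPLE_TASK_XML))
    print(triage_task_xml(BENIGN_TASK_XML))
    print(triage_run_key(SAMPLE_RUN_KEY))
```

The user-writable-path heuristic is a triage filter, not a verdict: per-user installs such as OneDrive legitimately start from AppData, so in the sample Run key it is flagged alongside the constructed "Updater" entry and has to be cleared by hand. A one-minute repetition interval, on the other hand, is rare enough in legitimate software that it is worth investigating on its own.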
The payload's actual job is to monitor the clipboard for a cryptocurrency wallet address and replace it with one belonging to the attacker.
When a victim copies the recipient's wallet address to make a payment, HackBoss silently swaps it, exploiting the fact that few people re-check the pasted string before pressing the pay button.
Even though the mechanics are basic, keeping up the appearance of a hacking tool takes some effort: each post comes with a fabricated description to make the offer look credible.
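To make the clipboard swap concrete, here is an added example written for this article; it is not HackBoss code and not Avast's analysis tooling. It simulates the technique against an in-memory clipboard and pairs it with the check a careful user or wallet front end would perform: compare the pasted address with the one shown by the trusted source. The address patterns are simplified (no checksum validation), and the victim and attacker addresses are constructed for the example.

```python
import re

# Simplified address patterns (assumption: enough to illustrate the swap; real wallets
# also validate checksums, which this example does not).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed attacker addresses, one per format, so the replacement keeps the same shape.
ATTACKER_ADDRESSES = {
    "btc_legacy": "1AttackerSwapAddressForTestsXYZ555",
    "btc_bech32": "bc1qattackerswapaddressfrtests0000000",
    "eth": "0x" + "deadbeef" * 5,
}


def classify_address(text: str):
    """Return the address kind if the whole string is a single address, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None


def hijack_clipboard(text: str, attacker_addresses: dict):
    """Mimic the payload: replace every recognised address with the attacker's address of the same kind."""
    swapped = False
    for kind, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_addresses.get(kind)
        if replacement is None:
            continue
        text, count = pattern.subn(replacement, text)
        swapped = swapped or count > 0
    return text, swapped


class Clipboard:
    """In-memory stand-in for the OS clipboard (constructed for the example)."""

    def __init__(self):
        self.content = ""

    def copy(self, text: str):
        self.content = text

    def paste(self) -> str:
        return self.content


def malware_tick(clipboard: Clipboard) -> bool:
    """One poll of the clipboard by the payload; rewrites it when an address is present."""
    new_content, swapped = hijack_clipboard(clipboard.content, ATTACKER_ADDRESSES)
    if swapped:
        clipboard.copy(new_content)
    return swapped


def verify_recipient(address_from_source: str, pasted: str) -> dict:
    """Defensive check before sending: does the pasted address still match the trusted source?"""
    pasted = pasted.strip()
    return {
        "match": pasted == address_from_source.strip(),
        "kind_from_source": classify_address(address_from_source),
        "kind_pasted": classify_address(pasted),
    }


def run_scenario(recipient: str) -> dict:
    """Copy -> background swap -> paste -> verification, returned as one record."""
    clip = Clipboard()
    clip.copy(recipient)            # user copies the recipient from an invoice or chat
    swapped = malware_tick(clip)    # payload polls the clipboard in the background
    pasted = clip.paste()           # user pastes into the wallet's recipient field
    return {"swapped": swapped, "pasted": pasted, "verdict": verify_recipient(recipient, pasted)}


if __name__ == "__main__":
    print(run_scenario("1Merchant7ShopAddress4Test9999abcd"))
    print(run_scenario("meeting notes, no address"))
```

The check in `verify_recipient` only works if the comparison value comes from somewhere the malware cannot touch, such as the address still displayed on screen; comparing the clipboard with itself proves nothing. Wallet software that shows the first and last characters of the pasted address next to the source's makes this comparison cheap enough that people actually do it.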
According to the Avast researchers, over 100 cryptocurrency wallet addresses linked to the HackBoss operation have received over $560,000 since November 2018.
Some of the addresses were used in scams that deceived victims into purchasing fake apps, so not all of the funds came from the cryptocurrency-stealing malware.
According to Telemetrio's Telegram channel statistics, the Hack Boss channel has over 2,800 subscribers and publishes about nine posts a month, each with over 1,300 views.
While the Telegram channel remains the primary distribution point, the HackBoss developers also promote their fake hacking tools elsewhere.
One outlet is a blog advertising the fake tools, which in turn is promoted through posts on public forums and discussion boards.
Avast has published a long list of indicators of compromise on its GitHub page, including hashes and names of the fake applications that disguised HackBoss, as well as the cryptocurrency wallet addresses used by the operation.