HackBoss malware spreads via Telegram and steals cryptocurrency

CreedX

Avast experts have discovered HackBoss, a tool for stealing cryptocurrency that is distributed on Telegram under the guise of free malware for beginners. The creators of HackBoss have already stolen more than $500,000 from "novice hackers" who fell for this trick.

Basically, HackBoss disguises itself as free hacking tools: most often, tools for cracking passwords to bank accounts, dating sites and social networks. Each ad post is accompanied by a detailed description of the fake tool to make the offer look believable.


The Telegram channel HackBoss publishes about nine such messages every month, each with more than 1,300 views, and the number of channel subscribers already exceeds 2,800 people (according to Telemetrio).


The malware is packaged in a .ZIP archive with an executable file inside that launches a simple user interface. Regardless of the available options, the only purpose of the malware is to decrypt and launch malware on the victim's system to steal cryptocurrency. This happens when any button of the fake interface is pressed. It can also ensure the stable presence of HackBoss on the system: for this, changes are made to the registry or a scheduled task is added that runs a payload every minute.


“If a malicious process is completed (for example, using the Task Manager), it may start again at system startup or by a scheduled task the next minute,” the experts write.

The functionality of the malware is simple: it checks the clipboard, looks for cryptocurrency wallet data there, and then replaces it with wallets belonging to the cybercriminals. Thus, if the victim makes a payment in cryptocurrency and copies the recipient's wallet, HackBoss replaces it in the buffer, since users rarely check this line before clicking the payment button.

Avast analysts managed to find over 100 cryptocurrency wallet addresses linked to HackBoss, to which more than $560,000 in various cryptocurrencies has been transferred since November 2018. It is reported that not all of the funds were obtained by the cryptocurrency-stealing malware, since some wallets were linked to another scam in which victims bought various fake software.


The researchers write that the authors of HackBoss also promote their fake hacking tools outside of Telegram, although the messenger remains the main distribution channel. For example, the hackers have a blog (cranhan.blogspot[.]com) where fake tools are advertised and promo videos are published, and the malware is also advertised on public forums.

A complete list of indicators of compromise is available on the company's GitHub page.
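A defensive check for the persistence described in the post above, added here as an example (it is not code from Avast or from the poster): it reads Windows Task Scheduler XML definitions and flags tasks that repeat every minute or faster while executing from a user-writable location. The task names, paths and the list of user-writable locations are constructed assumptions, not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: locations a standard user can write to; tune for your environment.
USER_WRITABLE = re.compile(
    r"\\(users|programdata|windows\\temp)\\|%(appdata|localappdata|temp)%", re.I)
MAX_SECONDS = 60  # the post describes a payload launched every minute

def interval_seconds(iso):
    """Convert a simple ISO 8601 duration such as PT1M or P1D to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def suspicious_tasks(xml_docs):
    """Return (task name, command, interval in seconds) for tasks that repeat
    at least once a minute and execute from a user-writable path."""
    hits = []
    for name, doc in xml_docs.items():
        root = ET.fromstring(doc)
        intervals = [interval_seconds(e.text or "")
                     for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
        fastest = min((i for i in intervals if i), default=None)
        if fastest is None or fastest > MAX_SECONDS:
            continue  # no repetition trigger, or it fires too rarely to match
        for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
            if USER_WRITABLE.search(cmd.text or ""):
                hits.append((name, cmd.text.strip(), fastest))
    return hits

# Constructed sample task definitions (not taken from the report).
TEMPLATE = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""
SAMPLES = {
    "ExampleUpdater": TEMPLATE.format(
        interval="PT1M", command=r"C:\Users\alice\AppData\Roaming\example\svc.exe"),
    "DailyBackup": TEMPLATE.format(
        interval="P1D", command=r"C:\Program Files\Backup\backup.exe"),
    "FastButSystem": TEMPLATE.format(
        interval="PT1M", command=r"C:\Windows\System32\example.exe"),
}

if __name__ == "__main__":
    for hit in suspicious_tasks(SAMPLES):
        print(hit)
```

A hit is a lead for review, not a verdict: legitimate software also schedules frequent tasks, so check the flagged binary before acting on it.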
 

Lord777

Very good news. Many thanks for posting. I read it with pleasure.
This hacker is apparently a very talented and successful guy.
I will try to communicate with him with pleasure.
I think he knows a lot of interesting things.
It would be great if he registered on our forum. We have a special section dedicated to hacking, and professionals in their field are much needed for useful advice and recommendations.
 