HackBoss: A cryptocurrency-stealing malware distributed through Telegram

Written by Threat Research Team
Published April 15, 2021
Read time 15 Minutes

    The world of cryptocurrencies is playful and interesting. With every rise in the value of Bitcoin, more and more people are drawn into the game of selling, mining, and exchanging digital assets. The playground, however, is tempting for honest people and malicious ones alike, and malware focused on stealing cryptocurrency has become routine.

    One malware family that shows how easy it can be to lose your coins is called HackBoss. It is a simple yet very effective malware that has possibly stolen over $560,000 USD from victims so far, and it is mainly spread via Telegram.

    Malware designed to steal cryptocurrencies falls into one of three main categories:

    • Password stealers: malware that steals cryptocurrency wallet files or files containing passwords.
    • Coinminers: malware that uses the victim’s machine’s computational power to mine cryptocurrencies.
    • Keyloggers: malware that logs keystrokes to record passwords or seed phrases.

    These three categories of cryptocurrency-related malware combined were the third most common type of malware seen in the wild over the past year.

    The most common malware types seen in the wild from 03/2020 to 03/2021

    Password stealers have included a focus on cryptocurrencies for a long time now. Adding functionality for stealing cryptocurrency wallets to a password stealer is trivial, which is why it is uncommon these days to find a password stealer that does not look for wallets. People should therefore take extra care of their passwords, wallets, and digital assets.

    The graph below shows the trend in the total number of hits across our user base per month, from March 2020 through March 2021, for cryptocurrency-stealing malware.

    The total number of hits from 03/2020 to 03/2021

    And the split between the three malware categories during the same timeframe is shown below.

    Prevalence of cryptocurrency-stealing malware types from 03/2020 to 03/2021

    HackBoss

    HackBoss is a simple cryptocurrency-stealing malware, but its monetary gain is significant. The most interesting aspect of this malware is how it is delivered to victims: the HackBoss authors own a Telegram channel that serves as their main distribution point. A Telegram channel is a tool for broadcasting public messages to a large audience. Anyone can subscribe to a channel and receive a phone notification for each new post, only the channel’s admins can post, and each post is shown as published by the channel, not by a named person.

    The HackBoss authors run a channel called Hack Boss (hence the name of the malware family), promoted as a channel providing “The best software for hackers (hack bank / dating / bitcoin)”. The software supposedly published there ranges from bank and social-site crackers to cryptocurrency wallet and private-key crackers and gift card code generators. Although each promoted application is advertised as a hacking or cracking tool, none of them delivers the promised behavior: every post contains only cryptocurrency-stealing malware disguised as such a tool.

    The Hack Boss channel was created on November 26, 2018, and has over 2,500 subscribers so far. Its authors publish an average of seven posts per month, and each post is viewed approximately 1,000 times.

    Channel statistics from telemetr.io

    Posts on the Hack Boss channel promoting a fake cracking or hacking application usually contain a link to encrypted or anonymous file storage from which the application can be downloaded, together with a bogus description of the application’s supposed functionality and screenshots of its UI. Some posts also link to a YouTube channel called Bank God at https://www.youtube.com/channel/UC1IEdha7riKwVCfPk (taken down by the time of publishing) with a promo video.

    The application is downloaded as a .zip file; running the .exe inside displays a simple UI.

    UI examples

    The application itself has none of the promised functionality. It is essentially just the displayed UI, which can open a file dialog or pop up a window; its real, malicious functionality is triggered when the victim clicks any button in the UI. A malicious payload is then decrypted, written to the AppData\Local or AppData\Roaming directory and executed. It can also be set to run at startup via a value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, or a scheduled task can be created that runs the payload every minute.

    The functionality of the malicious payload is fairly simple. It regularly reads the clipboard and, if the content matches the format of a cryptocurrency wallet address, replaces it with one of the attackers’ own addresses. The payload keeps running after the application’s UI is closed, and if the malicious process is terminated, for example via Task Manager, it is started again at the next startup or by the scheduled task within a minute.

    Though the malware itself is not sophisticated, it can be very effective. Many people own some cryptocurrency nowadays and send coins using applications on their computers. Running a fake application that spawns a process continuously checking and replacing the clipboard content can lead to significant monetary loss. Sooner or later the victim starts a legitimate cryptocurrency application and wants to send real coins to someone. The moment the receiving wallet address is copied, the malicious process, which is polling the clipboard, notices it and swaps it for one of its own. A slightly less observant user then pastes the attacker’s address and hits the pay button without noticing that the address changed in the meantime, and the coins are gone.

    A malicious actor only needs to keep busy promoting simple fake applications, and the monetary gain can be considerable. That is exactly what the HackBoss creators are consistently doing. The Hack Boss Telegram channel is not the only place where they promote their fake applications: they also keep a blog at cranhan.blogspot[.]com containing only posts promoting the fake applications, run YouTube channels with promo videos, and post advertisements in public forums and discussion sections.

    Statistics about the spread of this malware across our user base since November 2018 are shown below.

    Number of hits since November 2018

    Monetary gain of HackBoss

    We have collected more than 100 cryptocurrency wallet addresses belonging to the HackBoss authors, to which the malware swaps the address found in the clipboard. The full list can be found in appendix_files. The address formats HackBoss checks for belong to Bitcoin, Ethereum, Dogecoin, Litecoin, and Monero, and the majority of the collected wallets are Bitcoin wallets. We have checked the funds received by those wallets since November 2018 and got the following amounts.

    [Table: funds received by the HackBoss wallets, per cryptocurrency]
    *At the time of publishing

    This gives a total received amount of ~$560,451 USD at the time of publishing. However, some of the addresses have been reported many times not only as cryptocurrency-stealing malware but also as scams that cheat victims into paying for fake software, so the total overstates what can be attributed to the clipboard swapping alone. We are nonetheless still observing incoming funds to the wallets of the same authors who deliver HackBoss.

    Fake Bitcoin Sender – a HackBoss example

    We have chosen one sample of the HackBoss malware from the Hack Boss Telegram channel to give a technical overview of the malicious core functionality. The chosen promoted fake application is called a Fake Bitcoin Sender.

    Fake Bitcoin Sender

    Apart from receiving and spending real cryptocurrency coins, it is also possible to play with fake coins. There are many applications for generating fake coins and sending them; transactions created this way are never confirmed and disappear in 1-3 days. Such fake sender applications are quite popular, since they let users play with cryptocurrencies without paying, prank friends, or test software. However, this kind of fun can bring unexpected and stealthy danger.

    The Fake Bitcoin Sender was promoted on the Hack Boss Telegram channel as well as on their blog in December 2020. It has also been advertised on multiple websites and public forums in the comment and discussion sections, mostly on the 18th and the 19th of December, 2020.

    Advertisement of the Fake Bitcoin Sender application on the funbox.com.au website

    The comments were posted under user names such as bittopInisp, bittopencum, bittoplaway, bittopPIP, bittopkek and bittopmeert.

    The posts point to the encrypted cloud storage mega.nz, from which the Fake Bitcoin Sender can be downloaded. Visiting the URL https[:]//mega[.]nz/file/Mo5EnYxD#pQoaU0w2JqNVdqICrGuqaDuivlAbRfzjEt-hsnbT_jk downloads a .zip package, BitcoApp.zip, containing the malicious application.

    Another way to obtain the Fake Bitcoin Sender application is via www.progs[.]su (registered on October 10, 2020). This page led to the following download page:

    progs[.]su

    Scrolling down, we got to a text promising to get an application for sending fake Bitcoins:

    progs[.]su

    After clicking the download button, we were redirected to the same mega.nz cloud storage as above.

    Not so promising reality

    After unpacking the downloaded BitcoApp.zip we obtained an executable BitcoApp.exe. Running it displayed the following UI:

    Fake Bitcoin Sender UI

    If we fill in the information and hit Send, the application pops up a Result message after a few seconds.

    Result message

    Unfortunately, that is where the fun ends. No fake transaction is created, but the application does carry the hidden functionality of a simple yet very real piece of malware.

    Malicious part

    The BitcoApp.exe process is responsible for displaying the UI and popping up the Result message, and also for the malicious behavior: it decrypts three payloads, splwow.exe, DefenderUpdate.exe and Net.dll, and saves them in the AppData\Roaming directory.

    Splwow.exe

    This process contains the malicious core. BitcoApp.exe creates a folder called System in the AppData\Roaming directory and decrypts the splwow.exe payload there (a list of the most common file names of the decrypted malicious payloads can be found in file_names.txt; note that splwow.exe imitates the name of the legitimate Windows print helper splwow64.exe). It then schedules the payload to run every minute by executing the command:

    schtasks.exe /create /sc MINUTE /mo 1 /tn "splwow" /tr "C:\Users\<user_name>\AppData\Roaming\System\splwow.exe" /f

    The created splwow.exe process can then be seen in the list of running processes:

    Malicious splwow.exe process seen in the list of running processes.

    The main functionality of splwow.exe is a continuous exchange of the content present in the clipboard.

    The code runs multiple threads, each checking the clipboard for a different cryptocurrency wallet address format. Once a match is found, the clipboard content is replaced via Clipboard.SetText() with one of the attackers’ wallet addresses, which are stored hardcoded and 3DES-encrypted in the binary.

    The core code can be seen below:

    Core code functionality
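    The address-format matching that the clipboard-swapping loop above relies on can be turned around and used defensively. The Python below is an added example written for this article, not code from the HackBoss sample or from Avast: it classifies clipboard text by the five address formats HackBoss targets (the regexes are this example's approximation of the public address formats, not the malware's own patterns), replays a constructed clipboard trace and flags the footprint of a hijacker, an address replaced by a different address of the same coin within a fraction of a second, far faster than a person copies two addresses. It also expresses the "double-check the address before you send" advice as a one-line comparison.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Public address formats of the five coins the write-up says HackBoss checks
# for. These regexes are this example's approximation, not the malware's own
# patterns (the sample's regexes are not reproduced in the article). A Litecoin
# P2SH address starting with "3" has the same shape as Bitcoin's and is
# reported as bitcoin.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"   # base58 alphabet: no 0, O, I, l
BECH32 = r"[ac-hj-np-z02-9]"       # bech32 data part: no 1, b, i, o
WALLET_PATTERNS = {
    "bitcoin":  re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1{BECH32}{{39,59}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "dogecoin": re.compile(rf"^D[5-9A-HJ-NP-U]{BASE58}{{32}}$"),
    "litecoin": re.compile(rf"^(?:[LM]{BASE58}{{26,33}}|ltc1{BECH32}{{39,59}})$"),
    "monero":   re.compile(rf"^[48]{BASE58}{{94}}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the coin whose address format the clipboard text matches, or None."""
    candidate = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


class Swap(NamedTuple):
    time: float
    coin: str
    original: str
    replacement: str


def detect_swaps(trace: List[Tuple[float, str]], window: float = 2.0) -> List[Swap]:
    """Flag consecutive clipboard snapshots in which an address of one coin is
    replaced by a *different* address of the same coin within `window` seconds.

    A hijacker like HackBoss polls the clipboard and rewrites it within
    milliseconds of the user copying an address; a person copying two
    addresses by hand is not that fast, so a short window separates the two.
    `trace` is a list of (seconds, clipboard text) snapshots.
    """
    swaps: List[Swap] = []
    for (t_prev, prev), (t_now, now) in zip(trace, trace[1:]):
        coin = classify(prev)
        if coin is None or classify(now) != coin:
            continue
        if prev.strip() != now.strip() and (t_now - t_prev) <= window:
            swaps.append(Swap(t_now, coin, prev.strip(), now.strip()))
    return swaps


def safe_to_paste(copied: str, clipboard_now: str) -> bool:
    """'Double-check the address before you hit Send' as code: what is about
    to be pasted must be exactly what the user copied."""
    return copied.strip() == clipboard_now.strip()


# Constructed addresses: they have the right shape for the regexes but are not
# real wallets (no checksum validity is implied).
BTC_USER     = "1HackBossExampLeAddrNotRea1xyzABCD"
BTC_ATTACKER = "3AttackerWa11etExampLeNotRea1QRSTU"
ETH_A        = "0x1111222233334444555566667777888899990000"
ETH_B        = "0xaaaabbbbccccddddeeeeffff0000111122223333"
DOGE         = "DHackBossDogeExampLeAddrNotRea1xyz"

# Constructed clipboard trace: (seconds since start, clipboard content).
CLIPBOARD_TRACE = [
    (0.0,  "meeting notes for friday"),
    (5.0,  BTC_USER),       # user copies the recipient's address
    (5.3,  BTC_ATTACKER),   # 300 ms later it is a different BTC address: hijack
    (20.0, ETH_A),          # user copies an ETH address
    (35.0, ETH_B),          # copies another one 15 s later by hand: not a swap
    (40.0, DOGE),
    (40.5, DOGE),           # unchanged content: not a swap
]

if __name__ == "__main__":
    for swap in detect_swaps(CLIPBOARD_TRACE):
        print(f"t={swap.time:.1f}s {swap.coin}: {swap.original} -> {swap.replacement}")
    print("safe to paste:", safe_to_paste(BTC_USER, CLIPBOARD_TRACE[2][1]))
```

    The two-second window and the trace are assumptions to tune; the point is that a format-only check (which is all the malware itself does) is enough to notice the swap, because the hijacker has to produce an address of the same coin to succeed.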

    DefenderUpdate.exe and Net.dll

    BitcoApp.exe also creates a directory named Defender in the AppData\Roaming folder and decrypts the payloads DefenderUpdate.exe and Net.dll there.

    To achieve persistence, it sets DefenderUpdate.exe to run at startup by creating the value Defender under the Run key, shown below with the value name appended.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Defender

    DefenderUpdate.exe extracts and decrypts the same splwow.exe payload into the System folder, just as BitcoApp.exe did, and schedules the same every-minute task for it. Net.dll is a library with the extraction and decryption functionality that DefenderUpdate.exe uses. The two mechanisms back each other up: killing splwow.exe is undone by the scheduled task within a minute, and removing the task is undone at the next logon, when DefenderUpdate.exe recreates both the payload and the task.
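    Both persistence mechanisms leave artifacts an analyst can hunt for without the binary: a scheduled task repeating every minute whose action lives under AppData, and a Run-key value pointing into the user profile. The Python below is an added example, not from the write-up or from the malware, that scores constructed samples of `schtasks /query /fo CSV /v` output and of HKCU Run values. The column names follow schtasks' verbose CSV output, trimmed to the ones used; the host name, user name, the benign task and the OneDrive entry are made up for the example.

```python
import csv
import io
import re
from typing import Dict, List, NamedTuple

# Directories an unprivileged user can write to. Windows' own scheduled tasks
# and autoruns do not launch binaries from the user profile, so a task or
# Run-key entry whose action lives here is worth a closer look.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\|\\Temp\\", re.IGNORECASE)

# File names the write-up reports for the dropped HackBoss payloads. splwow.exe
# imitates the legitimate Windows print helper splwow64.exe.
KNOWN_DROP_NAMES = {"splwow.exe", "defenderupdate.exe"}

# schtasks reports a repeating task's interval as "H Hour(s), M Minute(s)".
REPEAT_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")


class Finding(NamedTuple):
    source: str        # "task" or "run_key"
    name: str
    command: str
    reasons: List[str]


def binary_name(command: str) -> str:
    """Lower-cased file name of the executable in a command line; handles a
    quoted path containing spaces."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.find('"', 1)]
    else:
        exe = command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def assess(command: str, repeat: str = "") -> List[str]:
    """Collect the reasons a launch entry looks like HackBoss persistence."""
    reasons: List[str] = []
    if USER_WRITABLE.search(command):
        reasons.append("binary runs from a user-writable profile directory")
    if binary_name(command) in KNOWN_DROP_NAMES:
        reasons.append("file name matches a known HackBoss payload name")
    m = REPEAT_RE.search(repeat)
    if m and int(m.group(1)) * 60 + int(m.group(2)) <= 1:
        reasons.append("task repeats every minute (respawns the payload if it is killed)")
    return reasons


def hunt_tasks(schtasks_csv: str) -> List[Finding]:
    """Score rows of `schtasks /query /fo CSV /v` output."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        reasons = assess(row["Task To Run"], row.get("Repeat: Every", ""))
        if reasons:
            findings.append(Finding("task", row["TaskName"], row["Task To Run"], reasons))
    return findings


def hunt_run_key(values: Dict[str, str]) -> List[Finding]:
    """Score value-name -> command pairs exported from an HKCU Run key."""
    findings = []
    for name, command in values.items():
        reasons = assess(command)
        if reasons:
            findings.append(Finding("run_key", name, command, reasons))
    return findings


# Constructed sample: columns follow schtasks' verbose CSV output, trimmed to
# the ones used here; the host, user and the benign task are made up. The
# second row is what the /tn "splwow" task from the write-up would look like.
SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WS01","\Microsoft\Windows\Example\Maintenance","C:\Windows\System32\example.exe /run","Daily","Disabled"
"WS01","\splwow","C:\Users\alice\AppData\Roaming\System\splwow.exe","One Time Only, Minute","0 Hour(s), 1 Minute(s)"
'''

# Constructed HKCU\...\Run values. OneDrive legitimately runs from AppData\Local,
# which is why the location check is only one signal of several.
RUN_KEY_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Defender": r"C:\Users\alice\AppData\Roaming\Defender\DefenderUpdate.exe",
}

if __name__ == "__main__":
    for f in hunt_tasks(SCHTASKS_CSV) + hunt_run_key(RUN_KEY_VALUES):
        print(f"[{f.source}] {f.name}: {f.command}")
        for reason in f.reasons:
            print("    -", reason)
```

    On a live host the two inputs come from `schtasks /query /fo CSV /v` and from exporting HKCU\Software\Microsoft\Windows\CurrentVersion\Run; entries with a single reason (such as the OneDrive example) are for a human to triage, while a user-profile binary with a known payload name and a one-minute repeat stacks three signals and should be treated as a hit.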

    Conclusion

    HackBoss is a simple cryptocurrency-stealing malware that has possibly managed to steal over $560,000 USD from victims since November 2018. Its authors have chosen a strategy of misusing public social sites such as Telegram, YouTube, and public forums to promote their malware disguised as various hacking or cracking applications. The main source of HackBoss’ spread is a Telegram channel called Hack Boss, in which the authors publish posts promoting hacking or cracking applications for victims to download. None of these applications delivers the promised behavior; instead they infect the victim’s computer with a cryptocurrency-stealing malware. Once running on a victim’s computer, HackBoss keeps checking the clipboard content and, if a wallet address format is present, exchanges it for one of its own wallets. Such behavior is easily overlooked by a less observant victim and may lead to a significant monetary loss.

    It is important to be attentive when dealing with cryptocurrency. Always double-check the wallet address you are sending your assets to, use two-factor authentication for accessing your digital wallets and, of course, install Avast, which will protect you from malware such as HackBoss and much more.

    Indicators of Compromise (IoCs)

    The full list of IoCs is available at https://github.com/avast/ioc/tree/master/HackBoss

    HackBoss

    Fake Bitcoin Sender
