Mar 17, 2023, by Ravie Lakshmanan
Copycat websites for instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware[1].
“All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets,” ESET researchers Lukáš Štefanko and Peter Strýček said[2] in a new analysis.
While the first instance of clipper malware[3] on the Google Play Store dates back to 2019, the development marks the first time Android-based clipper malware has been built into instant messaging apps.
“Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.”
The attack chain begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites.
What’s novel about the latest batch of clipper malware is that it’s capable of intercepting a victim’s chats and replacing any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.
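The in-chat address substitution described above, as an added example that is not part of the original article or ESET's analysis: a small integrity check in Python that compares the message a user composed with the copy that actually left the device and reports any cryptocurrency address that was swapped in transit. The address regexes and the sample messages are constructed assumptions, not indicators from the report.

```python
import re

# Regexes for the two address formats a clipper is most likely to target
# (constructed assumption: the article names no specific coin formats).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}


def extract_addresses(text):
    """Return (kind, address) pairs found in text, ordered by position."""
    hits = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), kind, match.group(0)))
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def detect_swaps(composed, delivered):
    """Compare the message as typed with the message as transmitted.

    A clipper that rewrites addresses in transit leaves the surrounding
    text intact, so a position-by-position comparison of the extracted
    addresses is enough to expose the substitution. Returns one dict per
    swap; an empty list means no address was altered.
    """
    before = extract_addresses(composed)
    after = extract_addresses(delivered)
    swaps = []
    for (kind, original), (_, sent) in zip(before, after):
        if original != sent:
            swaps.append({"kind": kind, "original": original, "replaced_with": sent})
    if len(before) != len(after):
        # An address appeared or vanished between the two copies: also suspicious.
        swaps.append({"kind": "count", "original": len(before), "replaced_with": len(after)})
    return swaps


if __name__ == "__main__":
    # Constructed sample: the user pasted their own address, the wire copy
    # carries a different one in the same spot.
    typed = "Send the refund to bc1qexampleaddressforillustration0000000 please"
    wire = "Send the refund to bc1qattackercontrolledaddress00000000000 please"
    for swap in detect_swaps(typed, wire):
        print(f"ALERT {swap['kind']}: {swap['original']} -> {swap['replaced_with']}")
```

The same comparison works for incoming messages by feeding the address the sender confirmed out of band as `composed` and the text shown on screen as `delivered`.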
Another cluster of clipper malware makes use of OCR to find and steal seed phrases[4] by leveraging a legitimate machine learning plugin called ML Kit on Android[5], thereby making it possible to empty the wallets.
A third cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords related to cryptocurrencies, both hard-coded and received from a server, and, when a keyword matches, exfiltrate the complete message, along with the username and group or channel name, to a remote server.
Lastly, a fourth set of Android clippers comes with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts.
The rogue Android APK package names are listed below:
- org.telegram.messenger
- org.telegram.messenger.web2
- org.tgplus.messenger
- io.busniess.va.whatsapp
- com.whatsapp
ESET said it also found two Windows clusters, one which is engineered to swap wallet addresses and a second group that distributes remote access trojans (RATs) in place of clippers to gain control of infected hosts and perpetrate crypto theft.
All the analyzed RAT samples are based on the publicly available Gh0st RAT[7], barring one, which employs more anti-analysis runtime checks during its execution and uses the HP-socket library[8] to communicate with its server.
It’s also worth pointing out that these clusters, despite following a similar modus operandi, represent disparate sets of activity likely developed by different threat actors.
The campaign, like a similar malicious cyber operation[9] that came to light last year, is geared towards Chinese-speaking users, primarily motivated by the fact that both Telegram and WhatsApp are blocked in the country.
“People who wish to use these services have to resort to indirect means of obtaining them,” the researchers said. “Unsurprisingly, this constitutes a ripe opportunity for cybercriminals to abuse the situation.”
References
1. clipper malware (thehackernews.com)
2. said (www.welivesecurity.com)
3. first instance of clipper malware (www.welivesecurity.com)
4. seed phrases (academy.binance.com)
5. ML Kit on Android (firebase.google.com)
6. RESERVE YOUR SEAT (thn.news)
7. Gh0st RAT (malpedia.caad.fkie.fraunhofer.de)
8. HP-socket library (github.com)
9. similar malicious cyber operation (thehackernews.com)
10. Twitter (twitter.com)
11. LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/03/lookalike-telegram-and-whatsapp.html
