A freshly discovered commercial spyware dubbed the “Masad Clipper and Stealer” is using Telegram bots as its command-and-control (C2) hub. Masad harvests information from Windows and Android users and also comes with a full cadre of other malicious capabilities, including the ability to steal cryptocurrency from victims’ wallets.
According to an analysis from Juniper Threat Labs on Friday, one of the most interesting things about Masad (which the researchers think is descended from the known “Qulab Stealer” malware) is that it sends the data it collects from victims to a Telegram bot that acts as its C2 server — that’s a twist in the world of C2 mechanisms, according to researchers.
To connect to the C2 bot, Masad first sends a getMe message using a hardcoded bot token to confirm that the bot is still active, according to the analysis. Then, after harvesting a range of data and compiling it into a ZIP folder (using the 7zip utility, which is bundled into the malware binary), it sends the folder along using the sendDocument API.