According to researchers at Avast Security, a new campaign has been targeting people who are looking for hacking tools on Telegram channels. The HackBoss cryptocurrency-stealing malware uses fake advertisements to trick users into downloading a simple user interface (UI) that they believe will give them hacking tools. The download is a .ZIP file, and regardless of the options the UI presents, its main purpose is to decrypt and execute the malware on the victim’s system. The malware checks the victim’s clipboard for a wallet address, and if it finds one, quickly replaces it with an address owned by the attackers. When the victim then initiates a cryptocurrency payment, the money goes to the owners of the HackBoss wallet address instead of the intended recipient. Even after the UI is closed, the HackBoss malware continues to run.
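The clipboard swap described above can be spotted in a timeline of clipboard changes. The following Python is an added example, not code from Avast or from the original page: it flags a wallet-shaped value that is replaced by a different address of the same kind with no user copy action in between. The event format, the `user_copy` field, the two-second window and the Bitcoin/Ethereum address patterns are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Simplified address shapes; which currencies to cover is an assumption of this example.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{11,71})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
}

@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started
    text: str        # clipboard content after the change
    user_copy: bool  # hypothetical sensor field: a user copy action preceded the change

def wallet_kind(text):
    """Return the currency whose address shape the whole string matches, else None."""
    value = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag a wallet address replaced, with no user copy, by a different address of the same kind."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = wallet_kind(cur.text)
        if (kind is not None and kind == wallet_kind(prev.text)
                and cur.text.strip() != prev.text.strip()
                and not cur.user_copy
                and cur.ts - prev.ts <= window):
            alerts.append((kind, prev.text.strip(), cur.text.strip()))
    return alerts

# Constructed sample data: placeholder strings with a valid shape, not real wallets.
ETH_A, ETH_B = "0x" + "a1" * 20, "0x" + "b2" * 20
BTC_A, BTC_B = "1" + "A" * 30, "1" + "B" * 30
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes", True),
    ClipboardEvent(10.0, ETH_A, True),
    ClipboardEvent(10.4, ETH_B, False),   # silent replacement: alert
    ClipboardEvent(60.0, BTC_A, True),
    ClipboardEvent(90.0, BTC_B, True),    # user copied a second address: no alert
]

if __name__ == "__main__":
    for kind, original, replacement in find_swaps(SAMPLE_EVENTS):
        print(f"ALERT {kind}: {original} replaced by {replacement}")
```

The same comparison works as a manual habit: check the pasted address against the one that was copied before confirming a payment.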
Analyst Notes
Though this malware is not complex, it still requires upkeep from the attackers. They have started branching out from Telegram, using other means to deliver the UI that downloads the malware to victims. Avast researchers report they have discovered over 100 wallets owned by the attackers, netting them more than $560,000 since November 2018.
Avast has provided a lengthy list of Indicators of Compromise (IoCs), which can be found here:
More information can be read here: