Researchers have discovered a new variant of Echelon credential stealer malware that attempts to steal crypto wallets belonging to users of several file-sharing and messaging platforms.

What has been discovered?

Researchers from SafeGuard Cyber have identified a sample of the Echelon malware posted on a popular Telegram channel. 
  • The attackers were spotted spreading the malware using the Telegram handle Smokes Night. 
  • Researchers believe the activity was a spray-and-pray effort rather than a coordinated, targeted campaign.
  • Attackers attempted to lure novice and unsuspecting users by posting in a Telegram channel that focused on discussions about cryptocurrency. The ultimate goal was to infect users with the Echelon infostealer.

Echelon infostealer

Echelon is a known infostealer, first documented in 2018.
  • Echelon aims to steal stored login credentials from a range of client applications: file-transfer and messaging clients such as FileZilla, Discord, and Telegram, the Outlook mail client, the Edge browser, and OpenVPN configuration and credential data.
  • It also targets the credentials for several cryptocurrency wallets, including Exodus, BitcoinCore, ByteCoin, Jaxx, AtomicWallet, and Monero.

Additional technical details

Echelon is written in .NET and includes several evasion features that hinder detection and analysis of the malware.
  • The Echelon payload is delivered in a RAR file, "present).rar," which comprises three files: "pass – 123.txt" (a genuine text file containing the archive password), "DotNetZip.dll" (a legitimate class library for manipulating zip files), and "Present.exe" (the malicious executable payload that steals credentials).
  • The Echelon malware includes two anti-debugging functions that terminate the malicious process as soon as a debugger or malware analysis tool is detected.
  • Moreover, the malware uses the open-source tool ConfuserEx to further obfuscate its code.
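The three-file archive layout and the .NET/ConfuserEx packaging described above are the most stable things a defender can key on without running the sample. The following Python triage script is an added example written for this page; it is not code from SafeGuard Cyber, Cyware, or the Echelon malware itself. It parses the PE optional header to see whether an executable carries a CLR runtime header (the structural sign of a .NET assembly), looks for the ConfusedByAttribute name that ConfuserEx stamps on protected assemblies (an assumption: a stripped or re-obfuscated build can remove it), and scores an archive's member list against the "password note + helper DLL + .NET executable" pattern. The archive contents are constructed in the script (synthetic PE headers, not real Echelon files), and the filename heuristics are the author's own.

```python
import struct

# Index of the CLR runtime header in the PE optional header's data directories.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def build_synthetic_pe(dotnet: bool, payload: bytes) -> bytes:
    """Constructed test data: a minimal PE32 header (not a loadable image) followed by payload bytes.
    When dotnet is True, data directory 14 is populated the way a real .NET assembly's would be."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    size_opt = 96 + num_dirs * 8  # PE32 optional header: 96 fixed bytes + 16 directories
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (92 - 2) + struct.pack("<I", num_dirs)
    dirs = [(0, 0)] * num_dirs
    if dotnet:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)  # non-empty CLR header entry
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\x00\x00" + coff + opt + payload


def clr_header_entry(data: bytes):
    """Return (rva, size) of the CLR runtime header directory, or None if data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        n_off, dir_off = 92, 96
    elif magic == 0x20B:      # PE32+
        n_off, dir_off = 108, 112
    else:
        return None
    if opt + n_off + 4 > len(data):
        return None
    num_dirs = struct.unpack_from("<I", data, opt + n_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return (0, 0)
    entry = opt + dir_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if entry + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, entry)


def is_dotnet_pe(data: bytes) -> bool:
    """A PE is a .NET image when its CLR runtime header directory entry is non-empty."""
    entry = clr_header_entry(data)
    return entry is not None and entry[0] != 0 and entry[1] != 0


def has_confuserex_marker(data: bytes) -> bool:
    """ConfuserEx adds a ConfusedByAttribute to protected assemblies; the type name is stored
    as plain text in the metadata string heap. Assumption: a stripped build may remove it."""
    return b"ConfusedByAttribute" in data


def triage_archive(members: dict) -> dict:
    """Score archive members (name -> bytes) against the dropper layout in the report:
    a password note (.txt), a helper DLL, and a .NET executable payload."""
    findings = {"password_note": [], "helper_dll": [], "dotnet_exe": [], "confuserex": []}
    for name, data in members.items():
        lower = name.lower()
        if lower.endswith(".txt") and "pass" in lower:
            findings["password_note"].append(name)
        elif lower.endswith(".dll"):
            findings["helper_dll"].append(name)
        elif lower.endswith(".exe") and is_dotnet_pe(data):
            findings["dotnet_exe"].append(name)
            if has_confuserex_marker(data):
                findings["confuserex"].append(name)
    # Heuristic verdict: a password note shipped beside a .NET executable is the lure pattern described.
    findings["suspicious"] = bool(findings["password_note"] and findings["dotnet_exe"])
    return findings


# Constructed sample archive mirroring the reported layout; none of these are real Echelon artefacts.
SAMPLE_ARCHIVE = {
    "pass – 123.txt": b"123\n",
    "DotNetZip.dll": build_synthetic_pe(dotnet=True, payload=b"DotNetZip helper"),
    "Present.exe": build_synthetic_pe(dotnet=True, payload=b"ConfusedByAttribute\x00ConfuserEx v1.0.0.0"),
}

if __name__ == "__main__":
    for key, value in triage_archive(SAMPLE_ARCHIVE).items():
        print(f"{key}: {value}")
```

The filenames are the weakest signal, since an operator can rename them at will; the CLR header check and the obfuscator marker survive renaming, and a .NET executable that also carries a ConfuserEx marker is worth pulling into a sandbox with the anti-debugging behaviour in mind.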

Ending notes

By distributing its payload through widely trusted platforms such as Telegram, the Echelon infostealer lays an effective trap for unsuspecting users. Moreover, it targets a variety of popular cryptocurrency wallets alongside application credentials, making it a serious threat to cryptocurrency users.
Publisher: Cyware