Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word from our sponsor, Juniper Networks. Join Juniper at NXTWORK 2019 to learn, share, and collaborate with game changers from companies across the networking industry. This year's event features keynotes from Juniper executives, as well as special guest speaker Earvin "Magic" Johnson, along with over forty breakouts and master classes led by distinguished engineers, as well as various opportunities for certification testing and training. Visit juniper.net/nxtwork for more information. That's juniper.net/nxtwork. And we thank Juniper for sponsoring our show.
Dave Bittner: [00:01:09] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Mounir Hahad : [00:01:49] We were looking into the ability of botnets to be communicating over encrypted channels.
Dave Bittner: [00:01:56] That's Mounir Hahad. He's the head of Juniper Threat Labs at Juniper Networks. The research we're discussing today is titled Masad Stealer: Exfiltrating using Telegram.
Mounir Hahad : [00:02:07] What we realized is that as we were running some of the known ones into our sandboxes, we ran into this one that looked a little bit different, because we did not expect communications with the Telegram web server, and we figured, hey, this looks interesting. Let's dig into it a little bit deeper. That led to this whole discovery.
Dave Bittner: [00:02:30] Hmm. Well, just for folks to be clear, what is Telegram? How does it work?
Mounir Hahad : [00:02:35] Telegram is an end-to-end encrypted chat and messaging communication. It has been developed for a number of years and is very widely used. It's estimated that the number of Telegram users today is about 200 million users worldwide. It's one of those applications like WhatsApp that claims to be an encryption end-to-end and therefore is kind of shielding its users from any spying eyes. And it has had a lot of notoriety lately, especially that it has been banned in Russia, presumably because the government was not able to spy in on the people it wanted to. So that kind of brought it to prominence.
Dave Bittner: [00:03:17] Hmm. Well, let's walk through the research together, and let's start off – what does Masad Stealer do?
Mounir Hahad : [00:03:23] So, the Masad Stealer is a Trojan. It comes in via other applications and sometimes fake downloads. You're downloading something that you believe is an application you're looking for, and you end up downloading, either directly or inadvertently bundled with other applications, this Masad Stealer. Once it is installed on your device, Masad is going to try to remain persistent in your device, basically being able to survive reboots, and it is able to snoop around your device and find interesting pieces of information to exfiltrate – things, you know, the simple stuff like the type of device you're on.
Mounir Hahad : [00:04:07] A lot of that is kind of a run-of-the-mill, but then it is capable of looking into files and into your browser data, and it exfiltrates that. So, for example, it is able to look at all your form field data, including usernames and passwords, and it will collect all of those and send them to the controller of the bot. And in addition to that, it is able to exfiltrate files from your desktop or from your Telegram data, as well as from certain applications that are used for simpler FTP file exchange. So, for example, FileZilla is one of them, so it will look for files you have downloaded over FTP.
Mounir Hahad : [00:04:52] Now, on top of that, it has a clipping feature which can look at your clipboard. You know, when you're copying items from one application to the next – you copy a sentence, you want to paste it somewhere else – this Masad Stealer is looking for certain patterns that look like cryptocurrency wallet addresses. And as soon as you've copied one of those, before you paste it into your destination application, Masad will replace it with its own string for its own wallet. And what that does is it allows the Masad Stealer to basically have funds transferred to its own wallet instead of whatever destination you were meaning it to be.
Dave Bittner: [00:05:38] Could it inadvertently flow in the other direction? Could I accidentally take money out of Masad's wallet?
Mounir Hahad : [00:05:44] No, that is not possible, because typically before you can move currency around, you need to be able to log in into your account with your particular wallet and you will not be able to do that with the Masad wallet because you don't have, you know, their password.
Dave Bittner: [00:06:01] I see.
Mounir Hahad : [00:06:01] So that's not possible. It only flows in one direction. The other direction is more likely to cause errors during the exercise.
Dave Bittner: [00:06:08] I see. And it also includes the ability to zip the things that it's going to exfiltrate?
Mounir Hahad : [00:06:16] That is correct. Yes, there is a current limitation of about fifty megabytes of the file that is being extracted. So it is able to compress all the data it is interested in in order to send it to the control bot. And it does that using the 7-Zip utility, which actually comes bundled within its own binary.
Dave Bittner: [00:06:37] Hmm. And then how does it go about sending the information out?
Mounir Hahad : [00:06:41] In order to send that information, it still uses the Telegram application. The Telegram protocol itself is very powerful, and it allows using an API – application programming interface – to do file movements. So it just sends the file to a Telegram user, which is hardcoded within the binary itself, and that way the recipient receives the file. Just like, for instance, if you were a Telegram chat user and you wanted to send a picture to the person you're chatting with – it uses pretty much the same API.
Dave Bittner: [00:07:14] Because it's using this API, if I'm a regular user of Telegram, this wouldn't show up in my interface or anything – this would all be happening behind the scenes.
Mounir Hahad : [00:07:24] That is correct, because you do not actually need to be a Telegram user for all of this to happen. The malware author is using the Telegram infrastructure, but it basically uses HTTPS, just like a web browser would, to go through an intermediate proxy for the actual protocol that Telegram uses. So from all intents and purposes, you do not have to be a Telegram user to be affected by this particular malware. But if you were to be a Telegram user, your exposure is a little bit higher because it gives access to all your Telegram data to the bot operator.
Dave Bittner: [00:08:04] What have you learned is going on with the command-and-control servers?
Mounir Hahad : [00:08:08] Well, what we have learned so far is that there is a number of them. It's not just one or two. We know that there are about three-hundred and thirty-eight unique bot IDs. Now, that can mean one of several things. Either the same threat actor has deployed multiple campaigns or that multiple acquirers of this malware are using it each for their own purposes. And the third option would be that the same threat actor in the same campaign, in order to make it a little bit more difficult to follow the tracks, is starting to use multiple bot IDs for potentially multiple purposes within the same campaign.
Mounir Hahad : [00:08:53] So, what that tells us is that it is fairly used out there in the wild and we know for sure that there is a Telegram group that has been specifically created for customers of this off-the-shelf malware, and that alone has about three hundred and eighteen users or members into the group. So that says either these people have purchased the malware and are using it, or at least are interested in purchasing the malware. Now, usually when this kind of a group is set up, it's in order to provide some sort of a customer support to the acquirers of the malware. But we don't know for sure.
Mounir Hahad : [00:09:34] We've found the malware being bundled with about fifteen popular downloads, usually downloaded applications. So that tells me that the exposure is fairly high. Some of those applications even happened to be typical utilities that come with Windows, but for some reason, sometimes people would want to download them again, and you would end up with the Masad Stealer bundled into that same application.
Mounir Hahad : [00:09:59] So, we're still doing some work. We're not completely done with analyzing the infrastructure that these threat actors are using. And we may be able to have some follow-up in the near future about our findings.
Dave Bittner: [00:10:11] Now, some of the versions of this that you've been tracking have the ability to download additional malware?
Mounir Hahad : [00:10:18] That is correct. It's very typical from a Trojan perspective to have this ability of being modular and being able to download updates or additional malware. The ones we have seen so far only download cryptominers, and it's usually a Monero miner. So effectively, if there is nothing interesting to steal from your laptop, they will use it to mine cryptocurrency.
Dave Bittner: [00:10:43] I see. Now, take us through what you're seeing in terms of this being advertised and sold on the online hacker forums.
Mounir Hahad : [00:10:52] Well, that's the part where we don't have a lot of information, but what we have seen so far is that it is clearly advertised. The project exists. It even has its own dedicated website called Masad Life. And we've seen quite a bit of activity from people interested, not the least being the creation of that, you know, that Telegram group with three hundred-plus people that are interested. So, you know, if you're into the underground forums, you would definitely see the offering. And we can tell that a lot of people are interested in purchasing this piece of malware.
Dave Bittner: [00:11:29] Hmm. So, what are your recommendations in terms of people protecting themselves against it?
Mounir Hahad : [00:11:34] You know, the usual protection for the general public is be extremely aware of where you download your applications from. A lot of people, unfortunately, get infected because their kids, for example, are looking for some game hacks or simple applications to do certain things very quickly. So you have to be aware that most of those applications that are available for free – there's usually a hidden cost behind them. Sometimes that hidden cost is something like Masad Stealer. Sometimes it's cryptocurrency miner. Sometimes it's ransomware. So you have to be extremely careful. You need to make sure that you have a good antivirus installed on every one of your endpoints. That's from a consumer perspective.
Mounir Hahad : [00:12:22] From an enterprise and a business perspective, it should be looked into from the angle of a network solution, because the use of a protocol like Telegram should not be something that's commonly used around businesses. So there are plenty of next-generation firewalls who are capable of identifying communication meant to be Telegram, and you should be able to block that communication entirely. In addition to that, most of the next-generation firewalls, including the one that Juniper Networks has, offer the ability to do advanced threat prevention. And using machine learning, what we have discovered is that most – actually all of these samples that we found would be detected by machine-learning approaches. So, customers need to make sure that they enable the advanced threat prevention in any egress points that they have to the Internet.
Dave Bittner: [00:13:21] What is your estimation of the sophistication of these folks?
Mounir Hahad : [00:13:26] You know, it seems like it's relatively sophisticated from the point of view that they're reaching out using a protocol that not a lot of people have used for command-and-control. But at the same time, it's not extremely sophisticated. Like, for instance, the method that is used for persistence is relatively easy to find and detect and remediate against. So, to me, this is an average sophistication level.
Mounir Hahad : [00:13:53] I think that this story is still unfolding. We have seen those crypto wallets being used quite a bit recently. And we know that, for instance, this operation has been going on for a relatively long time, since we've seen some people victimized as early as June 18th of this year. And it's funny – we know that because somebody actually had some funds transferred from his cryptocurrency wallet to one of these wallets and they believed it was by mistake. So they posted it online and said, hey, this operation happened by mistake. If you don't mind, please return my funds back. That has happened in June, so that operation has been going on for a while.
Mounir Hahad : [00:14:38] And given the interest, my suspicion is that we'll see more campaigns using this malware. And given the variety of samples that we have seen, we know that it's in active development and we're gonna see variations of it that are going to try to do a little bit better in terms of sophistication.
Dave Bittner: [00:14:57] Can you give me some insights as to what happens – for you as a researcher, when you're trying to track something that is off-the-shelf this way, where you could have lots of people buying this and putting it to use for themselves, what are the methods that you use to try to differentiate different groups who might be using the same tool?
Mounir Hahad : [00:15:17] One approach that we take, for example, is trying to follow the trace of the money. Most of these samples do have multiple cryptocurrency wallet IDs embedded in them. They're not all the same. So out of – let me try to remember – I think we've seen somewhere along the lines of fifteen or eighteen different cryptocurrencies. You will find that in one sample, for example, there will be three or four different wallet IDs, and in the next sample, there's going to be four or five. But if you try to overlap the cryptocurrency wallet IDs between the two samples, it is not a full overlap. So you will find that maybe one wallet ID is the same, but the others are different.
Mounir Hahad : [00:16:07] So for us, if we're looking at all the samples that we managed to get our hands on, if we are able to overlap all the cryptocurrency wallet IDs, we can probably draw a map on the number of different threat actors that are involved in using all those samples. That's one of the approaches we use to identify whether it's the same group doing all of this, or whether it's totally different groups.
Dave Bittner: [00:16:37] Our thanks to Mounir Hahad from Juniper Threat Labs for joining us. The research is titled, "Masad Stealer: Exfiltrating using Telegram." We'll have a link in the show notes.
Dave Bittner: [00:16:48] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:16:57] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:17:06] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.