Hackers used Telegram to steal crypto wallet credentials

The malware also steals credentials from accounts in Discord, Microsoft Edge, FileZilla, OpenVPN, Microsoft Outlook and Telegram.


Cybercriminals are using Telegram to spread the Echelon infostealer, which harvests credentials for cryptocurrency wallets and other user accounts.

Researchers from SafeGuard Cyber's Division Seven discovered a sample of Echelon posted in a Telegram channel dedicated to cryptocurrency. The malware is designed to steal credentials from several messaging and file-transfer applications, including Discord, Microsoft Edge, FileZilla, OpenVPN, Microsoft Outlook and Telegram, as well as from a number of cryptocurrency wallets, including AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx and Monero.

“Based on the malware and the way it was placed, SafeGuard Cyber believes it was not part of a coordinated campaign, but simply targeted new or naive channel users,” the experts explained. The attackers posted Echelon to the channel from a Telegram user going by “Smokes Night”, but it is not known how many users were infected.

According to the researchers, channel members did not appear to notice anything suspicious, nor did they show any interest in the message. That does not, however, mean the malware never reached users' devices.

The attackers uploaded Echelon to the cryptocurrency channel as a .RAR archive named “present).rar”. The archive contained three files: a text document named “pass – 123.txt”, the “DotNetZip.dll” class library for working with .ZIP files, and the malicious executable “Present.exe”.

The payload, written in .NET, also included several features that make it harder to detect and analyze. Anti-debugging checks terminate the process immediately if a debugger or other malware-analysis tool is detected, and the binary was obfuscated with ConfuserEx, an open-source .NET obfuscator.
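The anti-debugging behaviour described above, illustrated with an added example that is not Echelon's code and is not taken from the SafeGuard Cyber report. Echelon is a Windows .NET binary and would typically use calls such as IsDebuggerPresent or Debugger.IsAttached; because those cannot be exercised portably, this example implements the same idea for Linux by reading the TracerPid field of /proc/self/status, which the kernel sets to the PID of any ptrace-attached debugger. The two sample status texts are constructed for the example; the function names are ours.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample contents of /proc/self/status (not captured from a real
 * process): one with no tracer attached, one while a debugger is attached. */
static const char SAMPLE_CLEAN[] =
    "Name:\tpresent\nState:\tR (running)\nTracerPid:\t0\nUid:\t1000\n";
static const char SAMPLE_TRACED[] =
    "Name:\tpresent\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n";

/* Parse the TracerPid field out of the text of /proc/self/status.
 * Returns the tracer's PID, or 0 when no tracer is attached or the field is absent.
 * atoi() skips the leading tab the kernel emits after the colon. */
int tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) {
        return 0;
    }
    return atoi(p + strlen("TracerPid:"));
}

/* Live check: 1 if a ptrace tracer (gdb, strace, ...) is attached to this
 * process, 0 otherwise. Assumes a Linux procfs; if it cannot be read we
 * report "not debugged" rather than guessing. */
int debugger_attached(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) {
        return 0;
    }
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
}

/* The behaviour the article attributes to Echelon: terminate at once when an
 * analysis tool is detected. Returns only if no debugger is present. */
void exit_if_debugged(void)
{
    if (debugger_attached()) {
        exit(1);
    }
}

int main(void)
{
    exit_if_debugged();
    puts("no debugger detected, continuing");
    return 0;
}
```

Run the binary normally and it continues; run it under `gdb` or `strace` and it exits silently with status 1. When analyzing a sample that does this, the usual approach is to locate the check and patch the conditional branch (or, for a .NET payload, deobfuscate and neutralize the check after stripping ConfuserEx) so the rest of the logic can be stepped through.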

Other capabilities include fingerprinting the infected machine and taking screenshots of the victim's desktop. Echelon sends the stolen data and screenshots back to its command-and-control (C&C) server.

Fortunately, Windows Defender detects and removes the malicious Present.exe sample, flagging it as “#LowFI:HookwowLow”, which limits the potential damage from Echelon for users running up-to-date antivirus software.

Source: www.securitylab.ru
