Crypto-Stealing Malware ‘HackBoss’ Made Over $560k Since 2018

Last updated September 28, 2021
Written by:
Bill Toulas
Infosec Writer

There’s a cryptocurrency-stealing malware named ‘HackBoss’ that has been snatching people’s assets since November 2018, and according to the most conservative estimates, its operators have made about $560,450. Because ‘HackBoss’ is still out there tricking people en masse, Avast researchers have compiled a detailed report on it to help us understand the risks and identify the signs of trouble. This is especially important now that the price of crypto is rising again, which raises interest among both crooks and inexperienced crypto investors.

HackBoss is a simple crypto-stealer that is delivered to its victims via a Telegram channel carrying the same name. The channel is supposed to provide software for hackers, such as bank credential stealers, trojans, key crackers, code generators, and cryptocurrency wallet crackers. However, all posts on the channel point to an encrypted file storage platform that fetches the same malware, HackBoss. No matter the name, description, or even the instructions that often accompany these tools, it’s always the HackBoss crypto-stealer.

Upon launch, and as soon as the user clicks on any button on the UI of the app, the malicious functionality of the software is triggered. An executable is decrypted, a startup value is added to the system registry, and a scheduled task set to relaunch the malware every minute is added as well.

The tool then checks the clipboard content until it finds something that looks like a cryptocurrency wallet address. If that happens, it automatically replaces the value with an address controlled by the actors, so any subsequent transaction goes straight into their pocket.

Source: Avast

It’s a simple yet effective and hard-to-spot trick, which has led to monetary losses of over half a million USD. Most of the victims are based in the United States, Nigeria, Russia, Germany, India, and Ghana.
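The clipboard replacement described above can be watched for from the defender's side. The sketch below is an added example, not code from Avast's report: it flags an address-shaped clipboard value that is replaced by a different address of the same coin within a short interval. The regular expressions are simplified format checks, and the `max_gap` threshold and the sample snapshots are constructed assumptions.

```python
import re

# Simplified format checks (no checksum validation) for the four coins the
# article names; these patterns are assumptions made for this example.
B58 = "[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(rf"^(?:[13]{B58}{{25,34}}|bc1[ac-hj-np-z02-9]{{11,71}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(rf"^(?:[LM]{B58}{{26,33}}|ltc1[ac-hj-np-z02-9]{{11,71}})$"),
    "dogecoin": re.compile(rf"^D{B58}{{33}}$"),
}

def classify(text):
    """Return the coin whose address format `text` matches, else None."""
    value = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return coin
    return None

def find_swaps(snapshots, max_gap=2.0):
    """Flag consecutive (timestamp, text) clipboard snapshots where an address
    is replaced by a different address of the same coin within max_gap seconds.
    A person rarely copies two addresses that quickly; a clipper does."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        coin = classify(before)
        same_coin = coin is not None and coin == classify(after)
        if same_coin and before.strip() != after.strip() and t1 - t0 <= max_gap:
            alerts.append({"time": t1, "coin": coin,
                           "copied": before.strip(), "now": after.strip()})
    return alerts

# Constructed clipboard history: (seconds, clipboard text). The addresses are
# placeholders built from repeated characters, not real wallets.
SNAPSHOTS = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a" * 40),   # user copies a payment address
    (10.4, "0x" + "b" * 40),   # replaced 0.4 s later: flagged
    (60.0, "1" + "A" * 33),    # user copies one address...
    (95.0, "1" + "B" * 33),    # ...and another 35 s later: not flagged
    (96.0, "hello"),
]

if __name__ == "__main__":
    for alert in find_swaps(SNAPSHOTS):
        print(f"{alert['time']:.1f}s {alert['coin']}: {alert['copied']} -> {alert['now']}")
```
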

Avast has analyzed more than 100 cryptocurrency wallet addresses linked to the HackBoss actors, which collect Bitcoin, Ethereum, Litecoin, and even Dogecoin. Some of these addresses have already been reported, even for other kinds of scamming operations, so the same actors are likely involved in other malicious campaigns besides the HackBoss one.

While it’s easy to suggest that people who roam in shady Telegram channels dedicated to hacking and cracking will only get what they deserve in the end, we shouldn’t forget about all the possible ways someone could end up there. Malware authors promote their Telegram groups on forums of all kinds. Hence, users who are looking for advice and are unaware of the dangers of anonymous channels could easily download stuff without thinking twice about it.

If you are engaging in crypto investments, make sure to double-check the wallet address you are about to send money to, use MFA to secure all your accounts, and avoid downloading anything from untrustworthy sources. In the case of HackBoss, a good AV tool would stop it from running on the system in the first place.


