HackBoss Malware

HackBoss Malware Description

Cybersecurity researchers have detected a new cryptocurrency-stealing malware. The threat was named HackBoss, after the Telegram channel used to propagate it. Although HackBoss is a relatively simple malware without any sophisticated functionality, it has achieved an impressive success rate, collecting over $500,000 in cryptocurrencies for its creators. The main factor behind this gain is the operators' decision to shift the target of the attack from ordinary computer users to wannabe cybercriminals.

A Crypto-Stealer Disguised as Fake Hacking Tools

The Hack Boss Telegram channel promotes itself as a place to obtain powerful hacking software. The advertised tools include programs that supposedly brute-force bank and dating-application credentials, cryptocurrency and private-key crackers, and gift card code generators. Each post about a new hacking or cracking application comes with a description of its functionality and screenshots of the UI. The aspiring hackers who follow the channel download a ZIP archive containing a .exe file. Upon execution, a UI matching the currently promoted application is displayed. All of this, however, is just a setup designed to hide the HackBoss malware and misdirect the would-be hackers.

HackBoss Analysis

The HackBoss malware is extremely straightforward in its design and capabilities. It begins its execution whenever a button in the decoy UI is clicked. Instead of the expected functionality of the supposed cracking application, a malicious payload is decrypted and executed from either the AppData\Local or AppData\Roaming directory of the machine. HackBoss then regularly scans the contents of the clipboard for any data formatted like a cryptocurrency wallet address. If a suitable target is detected, the malware substitutes the copied address with one of its own wallets.
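The clipboard-swapping behaviour described above can be spotted from the defender's side by watching for a wallet address being replaced by a different address of the same currency within a fraction of a second. The Python script below is an added example, not code from the original write-up or from the HackBoss samples: the address patterns are simplified syntactic checks (no checksum validation), the snapshot stream and every address in it are constructed sample data, and a real monitor would feed `detect_substitutions` with periodic reads of the OS clipboard.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified, syntactic patterns for the currencies named in the write-up.
# Assumption: this is a triage filter, not a validator (no checksum checks).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "dogecoin": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "monero": re.compile(r"^[48][0-9AB][a-km-zA-HJ-NP-Z1-9]{93}$"),
}


@dataclass(frozen=True)
class Snapshot:
    ts: float   # seconds; constructed sample values below
    text: str   # clipboard contents observed at that instant


@dataclass(frozen=True)
class Alert:
    ts: float
    currency: str
    original: str
    replacement: str


def classify_address(text: str) -> Optional[str]:
    """Return the currency name if the text looks like a wallet address, else None."""
    candidate = text.strip()
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return currency
    return None


def detect_substitutions(snapshots: List[Snapshot], max_gap_seconds: float = 2.0) -> List[Alert]:
    """Flag an address that is replaced by a *different* address of the same
    currency within max_gap_seconds: a human rarely copies two distinct
    addresses that quickly, but a clipboard hijacker rewrites on its next poll."""
    alerts: List[Alert] = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        cur_kind = classify_address(snap.text)
        if prev is not None and cur_kind is not None:
            prev_kind = classify_address(prev.text)
            if (prev_kind == cur_kind
                    and prev.text.strip() != snap.text.strip()
                    and snap.ts - prev.ts <= max_gap_seconds):
                alerts.append(Alert(snap.ts, cur_kind, prev.text.strip(), snap.text.strip()))
        prev = snap
    return alerts


# Constructed sample addresses (syntactically valid shape only, not real wallets).
USER_BTC = "1" + "A" * 33
SWAPPED_BTC = "1" + "B" * 33
USER_ETH = "0x" + "ab12" * 10
OTHER_ETH = "0x" + "cd34" * 10

# Constructed clipboard history as a monitor polling every few hundred ms would see it.
SAMPLE_SNAPSHOTS = [
    Snapshot(1000.0, "meeting notes for friday"),
    Snapshot(1001.0, USER_BTC),
    Snapshot(1001.5, SWAPPED_BTC),   # rewritten half a second later: suspicious
    Snapshot(1100.0, USER_ETH),
    Snapshot(1200.0, OTHER_ETH),     # 100 s later: plausibly a second manual copy
]


def main() -> None:
    for alert in detect_substitutions(SAMPLE_SNAPSHOTS):
        print(f"[{alert.ts}] {alert.currency} address swapped: "
              f"{alert.original} -> {alert.replacement}")


if __name__ == "__main__":
    main()
```

The threshold `max_gap_seconds` is an assumed tuning knob; lowering the monitor's polling interval and the threshold together tightens the detection, while a user who pastes and re-copies addresses rapidly would need an allow-list to avoid noise.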

HackBoss is capable of establishing persistence to ensure it remains on the computer. Two methods have been observed: the threat can be set to run at every system boot through an added Registry key, or it can create a scheduled task that runs the malicious payload every minute.
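Both persistence mechanisms named above leave artifacts that can be audited offline: a Run value in the Registry whose command points into a user's AppData directory, and a scheduled-task definition whose trigger repeats every minute. The Python below is an added example, not code from the original write-up; the `.reg` export and the task XML are constructed samples (the XML uses the real Task Scheduler schema namespace but omits the UTF-16 declaration of a genuine export), and the paths, value names and the 60-second threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace used by exported Task Scheduler definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# The user-writable staging directories named in the write-up.
APPDATA_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.IGNORECASE)
# One "name"="data" line of a .reg export.
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# ISO 8601 duration as used in <Repetition><Interval>, e.g. PT1M.
ISO_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def reg_unescape(data: str) -> str:
    # .reg exports double every backslash and backslash-escape embedded quotes.
    return data.replace("\\\\", "\\").replace('\\"', '"')


def audit_run_key(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs whose command lives under AppData."""
    flagged = []
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        command = reg_unescape(m.group("data"))
        if APPDATA_RE.search(command):
            flagged.append((m.group("name"), command))
    return flagged


def iso_duration_seconds(value: Optional[str]) -> Optional[int]:
    m = ISO_DURATION_RE.match(value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task_xml(xml_text: str, max_interval_seconds: int = 60) -> List[str]:
    """Return reasons a task definition looks like minute-granularity persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    for el in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        secs = iso_duration_seconds(el.text)
        if secs is not None and secs <= max_interval_seconds:
            reasons.append(f"repeats every {secs}s")
    for el in root.findall(".//t:Exec/t:Command", TASK_NS):
        if APPDATA_RE.search(el.text or ""):
            reasons.append(f"runs from AppData: {el.text}")
    return reasons


# Constructed sample: a HKCU Run key export with one benign and one suspicious value.
RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe\""
'''

# Constructed sample: a task that re-runs a binary from AppData\Local every minute.
TASK_XML = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2021-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\cache\runtime.exe</Command>
    </Exec>
  </Actions>
</Task>'''


if __name__ == "__main__":
    for name, command in audit_run_key(RUN_KEY_EXPORT):
        print(f"Run value {name!r} -> {command}")
    for reason in audit_task_xml(TASK_XML):
        print(f"Task: {reason}")
```

On a live host the same functions can be fed the output of `reg export` for the Run keys and `schtasks /query /xml` for each task; a benign task from AppData or a one-minute repetition on its own is not proof of compromise, but the two together match the behaviour described here.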

Despite its rather simple structure, HackBoss has raked in over half a million dollars' worth of cryptocurrency for its creators. Researchers have attributed over 100 wallet addresses to the HackBoss group. Not surprisingly, the majority are Bitcoin addresses, but Ethereum, Dogecoin, Litecoin, and Monero addresses are also included.