Crypto Malware

Researchers Spot New Cryptocurrency Stealing Malware Advertised Under a Subscription Model

A cryptocurrency-related malware program has been advertised on darknet forums as the “leading way to make money in 2021,” raising alarms in the cybersecurity community. Palo Alto Networks published a report on the malicious app Westeal, detailing the author’s ties to other malware that steals accounts for major streaming services.

Westeal Claims to Be Immune Against Major Antivirus Software

According to the cybersecurity firm, “Westeal” is an evolution of “Wesupply Crypto Stealer,” another malicious crypto software that has been sold since May 2020. Findings suggest that Wesupply’s evolution has been advertised since mid-February 2021.

The study points out that Westeal was designed for one purpose: stealing bitcoin (BTC) and ethereum (ETH) by tampering with the wallet addresses that pass through the victim’s clipboard.

Moreover, people who acquire the malicious app get access to a web panel to handle all the operations, including a “victim tracker panel.”

A detail that raises concerns from Palo Alto Networks is the fact that Westeal is reportedly immune to major antivirus software.

The malware is sold under a subscription model, and “Complexcodes,” the anonymous author of the app, profits by charging 20 euros ($24) monthly, 50 euros ($60) for three months, and 125 euros ($150) yearly.

The Malware Is a ‘Shameless’ Crypto Stealer, Researchers Say

The cybersecurity firm provides more details on the malware:

In order to “steal” cryptocurrency from a victim, Westeal uses regular expressions to look for strings matching the patterns of bitcoin and ethereum wallet identifiers being copied to the clipboard. When it matches these, it replaces the copied wallet ID in the clipboard with one supplied by the malware. The victim then pastes the substituted wallet ID for a transaction, and the funds are sent instead to the substitute wallet.
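An added example, not code from the Palo Alto report or from Westeal itself: a small Python checker that uses the same public address-shape regexes defensively, scanning a recorded clipboard history for the clipper signature described above (an address silently replaced by a different address of the same kind). The `window` threshold and the sample clipboard events are assumptions constructed for the example.

```python
import re

# Public address formats that clipper malware pattern-matches for (assumption: legacy/P2SH
# and bech32 bitcoin plus hex ethereum; other coin formats are out of scope here).
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def address_kind(text):
    """Classify a clipboard string as 'btc', 'eth' or None."""
    s = text.strip()
    if BTC_RE.match(s):
        return "btc"
    if ETH_RE.match(s):
        return "eth"
    return None


def find_swaps(events, window=2.0):
    """Scan (timestamp, clipboard_text) samples in time order and flag the clipper
    signature: an address replaced by a *different* address of the same kind within
    `window` seconds. A person rarely copies two addresses that fast; a clipper
    rewrites the clipboard almost immediately after the user's copy."""
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in events:
        cur = text.strip()
        kind = address_kind(cur)
        if kind and prev_text is not None:
            prev = prev_text.strip()
            if address_kind(prev) == kind and prev != cur and ts - prev_ts <= window:
                alerts.append({"ts": ts, "kind": kind, "copied": prev, "pasted": cur})
        prev_ts, prev_text = ts, text
    return alerts


# Constructed clipboard history (not real addresses): the user copies a BTC address at
# t=1.0 and 0.3 s later the clipboard holds a different BTC address -> clipper signature.
# The two ETH addresses 40 s apart look like ordinary user activity and are not flagged.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (1.0, "1ConstructedBtcAddr" + "A" * 15),
    (1.3, "1SwappedBtcAddr" + "B" * 19),
    (20.0, "0x" + "ab" * 20),
    (60.0, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for a in find_swaps(SAMPLE_EVENTS):
        print(f"[t={a['ts']}] {a['kind']} address changed without a user copy: "
              f"{a['copied']} -> {a['pasted']}")
```

In a live monitor the same `find_swaps` logic would be fed by periodic clipboard samples; a real clipper's rewrite shows up as the sub-second address-to-address change the sample data reproduces.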

Still, Palo Alto Networks qualifies Westeal as a “shameless” malware:

Westeal is a shameless piece of commodity malware with a single, illicit function. Its simplicity is matched by a likely simple effectiveness in the theft of cryptocurrency. The low-sophistication actors who purchase and deploy this malware are thieves, no less so than street pickpockets. Their crimes are as real as their victims. The fast and simple monetization chain and anonymity of cryptocurrency theft, together with the low cost and simplicity of operation, will undoubtedly make this type of crimeware attractive and popular to less-skilled thieves.

Microsoft warns Windows users about fresh attacks from coin Miner malware LemonDuck

  • Starting from China, the LemonDuck crypto-mining malware has spread to several global locations especially in North America and Asia.
  • Microsoft warns that it uses sophisticated tools to attack enterprise solutions and spread across platforms.

Crypto mining malware continues to take a toll on online users! Computing giant Microsoft recently warned Windows users to beware of the infamous cross-platform crypto-mining malware LemonDuck. Besides Windows, this malware is also attacking users of the Linux platform.

In its official announcement, Microsoft noted that LemonDuck has been deploying a variety of spread mechanisms for maximizing impact. Its traditional bot and mining activities have been stealing users’ credentials while removing security controls.

Microsoft also added that the LemonDuck malware “spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity”. One of the biggest threats of LemonDuck is that it works cross-platform, which makes it notorious for its ability to propagate rapidly across platforms. The announcement notes:

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns.

Thus, LemonDuck acts as a loader for follow-on attacks that involve credential theft. Besides, it can install next-stage implants that serve as a gateway to a number of malicious threats, including ransomware.

Expanding on the global map

In the early years, LemonDuck used to target users in China. However, its operations have expanded to several other countries. Today, it affects a large geographical range including North America and Asia.

This year, LemonDuck has started using diversified commands and sophisticated infrastructure and tools. The Microsoft announcement notes:

LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

LemonDuck frequently reuses open-source material from resources used by other botnets, so several components of the threat look similar. But Microsoft has identified two distinct operating structures, both of which use LemonDuck malware but are operated by different entities with separate goals.

The “Duck” infrastructure runs persistent campaigns and performs limited follow-on activities. It works in conjunction with edge device compromise, which serves as its infection method, and it explicitly uses the “LemonDuck” script.

The second infrastructure is the “Cat” infrastructure, which has two domains with “cat” in the name. This infrastructure has consistently exploited vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is present in attacks involving “backdoor installation, credential and data theft, and malware delivery”. This infrastructure often delivers the malware Ramnit.

ElectroRAT Malware Targeting to Empty Your Crypto Wallets

Security researchers at Intezer Labs said they had discovered a remote access trojan (RAT). Cybercriminals fabricated fake crypto apps to trick users into installing a new strain of malware on their systems, with the apparent goal of stealing victims’ funds. The apps target wallets of thousands of Windows, Linux, and macOS users, and were built on top of Electron, an app-building framework.

The campaign was uncovered in December 2020, but researchers suspect the group began spreading their malware as early as January 8, 2020. The cross-platform RAT malware is written from the ground up in Golang. The malware was named ElectroRAT after its discovery.

The Malicious Apps

The researchers noted that ElectroRAT is the latest case of an attacker using Golang to develop multi-platform malware and evade most antivirus engines. They added that it has become common to see information stealers trying to collect private keys to access victims’ wallets. However, it is unusual to see tools written from scratch and targeting multiple operating systems for these purposes.

Intezer Labs believes the hackers depended on three cryptocurrency-related apps for their game plan.

The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively. The cybercriminals built custom Electron applications that behaved like crypto trade management tools and injected their RAT into them.

The first two apps claimed to provide a simple platform to trade cryptocurrency, while the third was a cryptocurrency poker app. Immediately after launching on a victim’s computer, the apps would show a foreground user interface designed to distract victims from the malicious ElectroRAT background process.

According to an Intezer report, the malicious apps are hosted on websites that were explicitly built for this campaign. The threat actors had also gone the extra mile to promote them on social media apps (Twitter and Telegram) and dedicated online forums (bitcointalk and SteemCoinPan) to lure unsuspecting users into acquiring the tainted apps.

The Victims of The ElectroRAT Malware

Thousands of victims downloaded the fake apps between January and December 2020, with one of the Pastebin pages used by the malware to retrieve command-and-control (C2) server addresses having been accessed almost 6,500 times.

Intezer observed that the malicious apps and the ElectroRAT binaries had low or no detection in VirusTotal at the time of writing.

After getting infected and having their wallets drained by the malware, some victims have tried to warn others of the dangerous apps.

Users who have fallen victim to this campaign need to kill the process, delete all malware files, transfer their funds to a new wallet, and change their passwords.
