- Starting from China, the LemonDuck crypto-mining malware has spread to several global locations especially in North America and Asia.
- Microsoft warns that it uses sophisticated tools to attack enterprise solutions and spread across platforms.
Crypto-mining malware continues to take a toll on online users. Computing giant Microsoft recently warned Windows users to beware of the infamous cross-platform crypto-mining malware LemonDuck. Besides Windows, this malware is also attacking users of the Linux platform.
In its official announcement, Microsoft noted that LemonDuck has been deploying a variety of spread mechanisms for maximizing impact. Its traditional bot and mining activities have been stealing users’ credentials while removing security controls.
Microsoft also added that the LemonDuck malware “spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity”. One of the biggest threats of LemonDuck is that it works cross-platform. Thus, it is very notorious and holds a strong ability to propagate rapidly across platforms. The announcement notes:
LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns.
LemonDuck also acts as a loader for follow-on attacks that involve credential theft. Besides, it can install next-stage implants that serve as a gateway to a number of malicious threats, including ransomware.
Expanding on the global map
In the early years, LemonDuck used to target users in China. However, its operations have expanded to several other countries. Today, it affects a large geographical range including North America and Asia.
This year, LemonDuck has started using diversified commands and more sophisticated infrastructure and tools. The Microsoft announcement notes:
LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.
LemonDuck frequently reuses open-source material and resources used by other botnets, so several components of the threat look similar to those of other malware. However, Microsoft has identified two distinct operating structures that both use the LemonDuck malware but are operated by different entities with separate goals.
The “Duck” infrastructure is persistent with running campaigns and performs limited follow-on activities. The infrastructure works in conjunction with edge device compromise and serves as an infection method. It explicitly uses the “LemonDuck” script.
The second infrastructure is the “Cat” infrastructure, which has two domains with “cat” in the name. It has consistently exploited vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is present in attacks involving “backdoor installation, credential and data theft, and malware delivery”. This infrastructure often delivers the Ramnit malware.
Researchers Spot New Cryptocurrency Stealing Malware Advertised Under a Subscription Model
A cryptocurrency-related malware program has been advertised on darknet forums as the “leading way to make money in 2021,” raising alarms among the cybersecurity community. Palo Alto Networks published a report on the malicious app Westeal, detailing the author’s ties with other types of malware that steal accounts for major streaming services.
Westeal Claims to Be Immune Against Major Antivirus Software
According to the cybersecurity firm, “Westeal” is an evolution of “Wesupply Crypto Stealer,” another malicious crypto software that has been sold since May 2020. Findings suggest that Wesupply’s evolution has been advertised since mid-February 2021.
Moreover, people who acquire the malicious app get access to a web panel to handle all the operations, including a “victim tracker panel.”
A detail that raises concerns from Palo Alto Networks is the fact that Westeal is reportedly immune to major antivirus software.
The malware works with a subscription model, and “Complexcodes,” the anon author of the app, profits by charging 20 euros ($24) monthly, 50 euros ($60) for three months, and 125 euros ($150) yearly.
The Malware Is a ‘Shameless’ Crypto Stealer, Researchers Say
The cybersecurity firm provides more details on the malware:
In order to “steal” cryptocurrency from a victim, Westeal uses regular expressions to look for strings matching the patterns of bitcoin and ethereum wallet identifiers being copied to the clipboard. When it matches these, it replaces the copied wallet ID in the clipboard with one supplied by the malware. The victim then pastes the substituted wallet ID for a transaction, and the funds are sent instead to the substitute wallet.
Still, Palo Alto Networks qualifies Westeal as a “shameless” malware:
Westeal is a shameless piece of commodity malware with a single, illicit function. Its simplicity is matched by a likely simple effectiveness in the theft of cryptocurrency. The low-sophistication actors who purchase and deploy this malware are thieves, no less so than street pickpockets. Their crimes are as real as their victims. The fast and simple monetization chain and anonymity of cryptocurrency theft, together with the low cost and simplicity of operation, will undoubtedly make this type of crimeware attractive and popular to less-skilled thieves.
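The clipboard-substitution technique described in the Palo Alto Networks quote above can be detected from the defender's side by the same observation the malware relies on: a wallet address in the clipboard silently turning into a different address of the same type a moment later. The following is an added example, not code from Palo Alto Networks or from the malware itself; the address patterns, the sampling window and the sample clipboard history are assumptions constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Assumed address formats (common Bitcoin legacy/bech32 and Ethereum shapes),
# not the regexes Westeal uses. Kept deliberately loose: this is a heuristic.
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def address_kind(text: str) -> Optional[str]:
    """Classify clipboard text as a 'btc' or 'eth' address, or None."""
    text = text.strip()
    if BTC_RE.match(text):
        return "btc"
    if ETH_RE.match(text):
        return "eth"
    return None


def detect_clipboard_swaps(snapshots: List[Tuple[float, str]],
                           window_s: float = 2.0) -> List[Tuple[float, str, float, str]]:
    """Flag a clipper-style swap: an address is replaced by a *different* address
    of the same kind within window_s seconds, which a human rarely does by hand.
    snapshots: (timestamp_seconds, clipboard_text) pairs from a clipboard monitor."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev)
        if (kind is not None and address_kind(cur) == kind
                and prev.strip() != cur.strip() and (t_cur - t_prev) <= window_s):
            alerts.append((t_prev, prev.strip(), t_cur, cur.strip()))
    return alerts


# Constructed sample addresses; they only satisfy the regexes above.
VICTIM_BTC = "1VictimAddressConstructedAbcdefgh"
ATTACKER_BTC = "1AttackerAddressConstructedAbcdefgh"
VICTIM_ETH = "0x" + "a1" * 20
ATTACKER_ETH = "0x" + "b2" * 20

# Constructed clipboard history: two swaps (BTC at t=1.2, ETH at t=20.3),
# plus a legitimate re-copy of a new address 30 s later that must not alert.
SAMPLE = [
    (0.0, "meeting notes"),
    (1.0, VICTIM_BTC),
    (1.2, ATTACKER_BTC),
    (10.0, VICTIM_ETH),
    (15.0, "hello"),
    (20.0, VICTIM_ETH),
    (20.3, ATTACKER_ETH),
    (50.3, VICTIM_ETH),
]

if __name__ == "__main__":
    for t0, a, t1, b in detect_clipboard_swaps(SAMPLE):
        print(f"t={t0}: {a} replaced at t={t1} by {b}")
```

A practical complement to the monitor is the simplest user-side check: after pasting, compare the pasted address against the one originally copied before confirming the transaction.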
ElectroRAT Malware Targeting to Empty Your Crypto Wallets
Security researchers at Intezer Labs said they had discovered a remote access trojan (RAT). Cybercriminals fabricated fake crypto apps to trick users into installing a new strain of malware on their systems, with the apparent goal of stealing victims’ funds. The apps target wallets of thousands of Windows, Linux, and macOS users, and were built on top of Electron, an app-building framework.
The campaign was uncovered in December 2020, but researchers suspect the group began spreading its malware as early as January 8, 2020. The cross-platform RAT is written from the ground up in Golang and was named ElectroRAT after its discovery.
The Malicious Apps
The researchers noted that ElectroRAT is the latest attacker case using Golang to develop multi-platform malware and evade most antivirus engines. They added that seeing various information stealers trying to collect private keys to access victims’ wallets has become popular. However, it is unusual to see tools written from scratch and targeting multiple operating systems for these purposes.
Intezer Labs believes the attackers relied on three cryptocurrency-related apps for their game plan.
The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively. The cybercriminal created and injected their RAT into custom Electron applications to behave like crypto trade management tools.
The first two apps claimed to provide a simple platform to trade cryptocurrency, while the third was a cryptocurrency poker app. Immediately after launching on a victim’s computer, the apps would show a foreground user interface designed to distract the victims from the malicious ElectroRAT background process.
According to an Intezer report, the malicious apps are hosted on websites that were explicitly built for this campaign. The threat actors also went the extra mile to promote them on social media (Twitter and Telegram) and dedicated online forums (bitcointalk and SteemCoinPan) to lure unsuspecting users into acquiring the tainted apps.
The Victims of The ElectroRAT Malware
Thousands of victims downloaded the fake apps between January and December 2020, with one of the Pastebin pages used by the malware to retrieve command-and-control (C2) server addresses having been accessed almost 6,500 times.
Intezer observed that the malicious apps and the ElectroRAT binaries had low or zero detection rates on VirusTotal at the time of writing.
After getting infected and having their wallets drained by the malware, some victims have tried to warn others of the dangerous apps.
Users who have fallen victim to this campaign need to kill the malicious process, delete all malware files, transfer their funds to a new wallet, and set new passwords.