The cryptocurrency community is currently under threat! A new piece of malware is reportedly making the rounds on the internet, infecting computers and stealing cryptocurrency from compromised machines.
The yet-to-be-named malicious software was detected by Cyren, the internet security company. According to the company’s latest blog post, published during the last week of January 2017, the malware disguises itself as email communication from reputed banking institutions. These emails look like fund transfer notifications, and they were found to originate from bots in the United States and Singapore. The attachments contained in these emails are embedded with a versatile keylogger.
The next time somebody receives an email from a reputed banking institution like Emirates NBD or DBS, they are better off not opening the attachment unless, of course, they are sure of its authenticity. If the user ends up clicking on the malware-containing executable email attachment, the malware executes itself, creating a “filename.vbs” file in the Windows startup directory. Once the file is created, the attachment deletes itself.
Whenever the computer restarts, the saved “.vbs” file runs a script that executes the malware. The malware scours the computer’s registry for passwords and other sensitive information. It goes through the installed browsers and email clients, gathering stored information: usernames, passwords, browsing history, cache, cookies, etc. At the same time, it also looks for well-known cryptocurrency wallets on the computer.
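The persistence trick described above, a script file dropped into the Windows Startup folder, is something a responder can hunt for directly. The following is an added example written for this article, not code from Cyren or from the malware: it lists Startup entries whose extension is a Windows Script Host or batch type and reports each one with its SHA-256 for triage. The Startup folder layout is assumed to be the standard one under APPDATA and PROGRAMDATA, and the demo builds a constructed folder in a temp directory so it runs anywhere.

```python
"""Hunt for script-based persistence in Windows Startup folders (added example)."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# File types that Windows will execute directly from the Startup folder.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1"}


def startup_dirs():
    """Per-user and all-users Startup folders (assumption: standard Windows layout)."""
    tail = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    dirs = []
    for var in ("APPDATA", "PROGRAMDATA"):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / tail)
    return dirs


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_script_persistence(dirs):
    """Return [(path, sha256)] for every script-type file in the given folders."""
    hits = []
    for folder in dirs:
        folder = Path(folder)
        if not folder.is_dir():
            continue  # folder missing on this host (e.g. not Windows): nothing to check
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.suffix.lower() in SCRIPT_EXTENSIONS:
                hits.append((str(entry), sha256_of(entry)))
    return hits


def demo():
    """Constructed sample folder: a benign shortcut plus a dropped 'filename.vbs'."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "OneNote.lnk").write_bytes(b"not a script")
        (Path(tmp) / "filename.vbs").write_text("' constructed placeholder, not the real dropper\n")
        return [Path(p).name for p, _ in find_script_persistence([tmp])]


if __name__ == "__main__":
    targets = sys.argv[1:] or startup_dirs()  # pass folders explicitly, or use the defaults
    for path, digest in find_script_persistence(targets):
        print(f"script in Startup: {path}  sha256={digest}")
```

Any hit is worth a look, since legitimate Startup entries are almost always shortcuts (.lnk) rather than loose scripts.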
Cyren lists the targeted wallets on its blog:
“Among the wallets it tries to find: Anoncoin, BBQcoin, Bitcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Namecoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin, and Zetacoin.”
The infected machines stay vulnerable for a long time, as the malware creates hooks for the mouse and keyboard, logging every keystroke and mouse movement. Even if the software fails to find any sensitive data in the cache, it can easily capture usernames, passwords, etc., as and when they are typed and send them to the command-and-control server. This leaves the individual’s accounts vulnerable to hacking.
A few media reports indicate that this particular malware was reported earlier, in 2015, as well. At that time, it was distributed along with pirated video games. The extensive list of targeted cryptocurrencies and the convincing appearance of the email communication make it much more dangerous, capable of targeting a wider audience.
Ref: Cyren Blog | Image: Shutterstock