Cryptocurrency stealing malware

Posted on

Originally seen on securitynews on August 24, 2018

Over a billion worth of cryptocurrencies have been reportedly stolen this year so far and we continue to see reports of crypto theft daily. Every time a huge cyberheist is reported cryptocurrency prices slump but they remain attractive to cybercriminals looking to capitalize on its growth potential.

This week, the SonicWall Capture Labs Threat Research Team has come across a crypto-stealing malware which monitors the victim’s clipboard to watch out for cryptocurrency wallet addresses. Once detected, they will change the clipboard data with their own address. Unless the user is vigilant and carefully examines the address after they paste it, the transaction that happens after, will go to the cybercriminal’s address instead of the intended recipient.

Infection Cycle:

This malware purports to be an important document and uses the following filenames:

  • DOC_[*random numbers*].pdf
  • SCN_[*random numbers*].pdf
  • PDF_[*random numbers*].pdf

For more savvy users, looking at the file properties reveal that it pretends to be a text to speech application with an internal name of texttowav.exe.

It copies itself as drpbx.exe in the %APPDATA% directory. It also adds the following registry key to ensure persistence:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run drpbx %APPDATA%\drpbx\drpbx.exe

This malware was developed with Microsoft .NET framework and its assembly description shows it pretending to be a legitimate firefox file but misspelled “Mozzilla.”

To mislead the victim even more, upon execution it throws off a fake error.

During analysis, we noticed that this sample is packed using ConfuserEX and the main module is named “Bitcoinstealer” which establishes the real purpose of this malware.

Within its resource section is a subsection named “VanityAddresses.” This listed 10,000 different digital currency wallet addresses.

This malware’s method of stealing cryptocurrency is to monitor the clipboard data and match the contents using regex to identify whether a cryptocurrency wallet address has been copied, it then swaps that data with one from the 10,000 hardcoded addresses.

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s