Eurasian region faces a crypto-stealing malware campaign

October 11, 2024
Crypto-Stealing Malware Eurasia Russia Cybercrime Cryptocurrency Malware

A large-scale crypto-stealing malware campaign has already affected over 28,000 individuals in various Eurasian countries, including Russia, Turkey, and Ukraine.

According to a report, the campaign disguises the cryptocurrency-stealing malware as legitimate software promoted through YouTube videos and fake GitHub repositories. These promotions are the delivery vector: victims download password-protected archives that start the infection process.

The researchers explained that the campaign uses attractive products and workarounds, such as pirated office-related software, game cheats and hacks, and even automated trading bots to trick users into downloading malicious files.


The crypto-stealing malware campaign has already compromised thousands of users.


A recent tally puts the number of individuals compromised by this new crypto-stealing malware campaign at 28,000. Most of these victims are in Russia, indicating that cryptocurrency enthusiasts from the country are the most exposed to this tactic.

Further research also showed a significant number of individuals affected by the attack in countries such as Belarus, Kazakhstan, Ukraine, Kyrgyzstan, Uzbekistan, and Turkey.

Investigations explained that the infection starts when the victim opens a self-extracting archive, which can bypass an AV solution when downloaded. Once the victim enters the provided password, the archive drops various obfuscated scripts, DLL files, and an AutoIt interpreter that launches the primary payload’s digitally signed loader.

Subsequently, the malware checks for the presence of debugging tools to determine whether it is running in an analyst-controlled environment. If it detects such infrastructure, it terminates to avoid analysis.

Next, it extracts the files required for the subsequent attack stages and uses the Image File Execution Options (IFEO) technique to modify the Windows Registry and establish persistence.

Through this technique, the campaign hijacks legitimate Windows system services and the Chrome and Edge update processes, redirecting them to malicious substitutes so that the malicious files execute whenever these processes launch.
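As an added defender-side example (not from the report), the PowerShell check below lists every Image File Execution Options entry that carries a Debugger value, the registry mechanism this campaign uses to redirect launches of system services and browser updaters to its own files. The `$knownGood` allow-list is a hypothetical placeholder for debugger paths an analyst has vetted.

```powershell
# Added example: enumerate IFEO entries with a "Debugger" value. When such a value is
# set, Windows starts the named "debugger" instead of the original image, which is
# exactly how IFEO-based persistence and process hijacking work. Run as administrator
# on the host under investigation; the exit code is the number of suspicious entries.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Hypothetical allow-list: full debugger paths an analyst has already reviewed.
$knownGood = @()

$findings = foreach ($root in $ifeoPaths) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Debugger) {
            [pscustomobject]@{
                Image      = $_.PSChildName          # the executable being redirected
                Debugger   = $props.Debugger         # what actually gets launched
                Hive       = $root
                Suspicious = ($knownGood -notcontains $props.Debugger)
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No IFEO Debugger entries present.'
    exit 0
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

# Anything not on the allow-list is a hijack candidate; report it so the redirected
# image and the target file can be collected for analysis.
$suspicious = @($findings | Where-Object -Property Suspicious)
foreach ($f in $suspicious) {
    Write-Warning ("IFEO hijack candidate: {0} -> {1} ({2})" -f $f.Image, $f.Debugger, $f.Hive)
}
exit $suspicious.Count
```

Pair the output with a check of the scheduled tasks and services that launch the flagged images, since the redirect only fires when those processes start.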

To prevent attempted cleanups, the attack process disables the Windows Recovery Service and removes delete and modify permissions on the malware’s files and folders. Lastly, the attack employs the Ncat network utility to establish communication with an attacker-controlled C2 server.

The latest research states that the crypto-stealing malware in this attack also functions as an infostealer: it collects system information, including the security processes that are running, and exfiltrates it via a Telegram bot.
