A New Malicious Campaign Whip Around $60,000 of Bitcoin




July 2018, saw the reports of a recently discovered malicious campaign by the Fortiguard Labs. The campaign "Bitcoin Stealer" is as of now held responsible of stealing roughly $60,000 worth in Bitcoin.

The researchers from the FortiGuard Labs initially ran over a threat that at first coordinated a few tenets particular to the Jigsaw ransom ware back in April 2018, yet later on after a considerably more critical look it was revealed that the threat, which contained the assembly name "BitcoinStealer.exe," did not figure like a ransom ware at all.

As unlike to ransom ware, the Bitcoin Stealer rather used an executable to screen the contaminated PC's clipboard content for indications of a bitcoin address. When it finds one of these addresses, the malware at that point replaces that replicated bitcoin address with an alternate one containing similar strings at both the start and the end of that wallet address.

By using this technique, the malware basically mixes itself specifically into bitcoin transactions and after that, halfwit users into transferring cryptocurrency to the wallet of the cybercriminal utilizing Bitcoin Stealer.

As indicated by Techopedia, these stealing programs are cases of clipboard hijacking, an attack strategy through which attackers generally change clipboard content to guide browser users to a malignant website.The Programmers however, are additionally known to utilize a strategy called "pastejacking" to meddle with commands replicated from a web browser and paste into the terminal.

The question though that arises now is thusly aimed at the security specialists with respect to whether there will be sufficient insurance given against such episodes of clipboard modification attacks as digital attackers indeed have a long history of targeting clipboards in order to steal cryptocurrency or redirect users to malware.


Malware that hijacks clipboard monitoring over 2.3 million bitcoin addresses


Bleeping Computer today revealed that they discovered a type of “clipboard hijacker” malware that monitors over 2.3 million bitcoin addresses.

A clipboard hijacker malware works by tricking users by switching the bitcoin address from their clipboard to another address that the attacker control. Since bitcoin addresses are long and hard to remember, this method works easily for hackers since users simply copy paste addresses from one application to another when sending cryptocoins.

The malware reportedly comes as a part of the All-Radio 4.27 Portable malware affecting Windows computers and monitors the Windows clipboard for a bitcoin address. Unless the user double-checks the address after pasting it, the bitcoin will go to the attackers’ address.

“While we have covered cryptocurrency clipboard hijackers in the past and they are not new, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses,” their report on the malware read. They also posted a video showing how the malware works: 


Bitcoin users are advised to always double-check the address before making a transaction and to have a trusted antivirus program installed on their device.


Lazarus Hacking Group back with new hacking campaign targeting banks and bitcoin users

The North Korean Lazarus Hacking Group, which was believed to be behind the WannaCry ransomware attack last year, has returned with a new campaign targeting financial institutions and bitcoin users.

The new campaign, as discovered by the McAfee Advanced Threat Research (ATR) analysts and dubbed as “HaoBao”, was termed by McAfee as an “aggressive Bitcoin-stealing phishing campaign” that uses “sophisticated malware with long-term impact.”

It resumes Lazarus’ phishing emails, posed as job recruiters, from before but now targets global banks and bitcoin users.

It works by sending malicious documents as attachments to unsuspecting targets, who open the malicious document and unknowingly allow the malware to scan for Bitcoin activity, after which it establishes an implant for long-term data gathering on being successful.

According to the firm, McAfee ATR first discovered of the malware on January 15th, when they spotted a malicious document passed off as a job recruitment for a Business Development Executive at a multi-national bank based in Hong Kong.

More information can be found in a blog by McAfee regarding the campaign.

While the form of attack seems nothing new, the two-stage attack malware has surprised researchers.

“This campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence,” said McAfee analyst Ryan Sherstobitoff. “The implants contain a hardcoded word ‘haobao’ that is used as a switch when executing from the Visual Basic macro.”

According to Sherstobitoff, the dropped implants have “never been seen before in the wild” and were not used in the last campaign either.

He believes that, because of a lack of solid regulations in respect to cryptocurrencies and the fact that sanctions against North Korea are difficult to enforce with digital currencies than with hard currency, such attacks will only grow — which could spell bad news for bitcoin users.

Aside from the link to the WannaCry attack, Lazarus is also believed to be linked to the Sony hack in 2014 and the attack on South Korean cryptocurrency exchanges last year.

Facebook messenger falls victim to an anonymous crypto cousin of Bitcoin


With the booming value of digital currency, numerous hackers are rolling out schemes to unwittingly trap or trick more likely, the regular web users into mining for them. The most recent scheme to hoodwink people into mining cryptographic money is exploiting Facebook Messenger by means of some shrewd malware.The malware being distributed by means of Messenger is mining Monero, a contrasting option to the wildly important and volatile Bitcoin. The software is a type of a modified version of the open source mining program XMRig which the bot sets to start automatically.


The bot was detected by cyber security firm Trend Micro, which says "Digimine" is intended to resemble a video file. Security researchers likewise said that "Digmine" is focusing on as many machines as could be allowed, with a specific end goal to earn monero (the alternative to bitcoin) for its makers.

It is spread via a fake video that seems to have been sent from somebody from within the victim's friend list. Once opened the 'video' installs a malevolent code which then proceeds to compromise the desktop version of Facebook Messenger when used with Google Chrome.The hackers at that point gain an off the record access into the users Facebook account where they can get to the contacts lists to additionally spread the malware. The profits made from this illegal computer jacking are sent to the attacker's encrypted Monero wallet.


"If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends," the researchers said. "The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line."

 However this isn't the first or last time mining malware has been utilized to exploit systems, back in October a malignant program called Coinhive was installed into various compromised applications on Google Play.

In a time where on one hand hackers are constantly hijacking devices to mine cryptographic money and are becoming increasingly regular as there is a rapid increase in the value of the digital currencies in the present market, extra caution is thoroughly recommended for the heavy users of social media.



Bitcoin-Mining android malware found on Google Play Store

No matter how much Security mechanism Google try to implement to keep the malware from getting placed in Google Play store, Cyber Criminals are still able to upload their malicious apps.

We recently learned a 'fake' android anti-virus application found on Play Store and tricked more than 10,000 users into buying it.  But, Google which doesn't want to lose its reputation gave refund and $5 promo credit to those individuals scammed by this app.

Now, Researchers from Security firm LookOut have spotted another set of malicious apps on Google's Play store which turns the infected devices into a distributed bitcoin mining system.

Dubbed as 'BadLepricon', the malware disguise itself as a Live wallpaper app for android.  These five malicious apps had been downloaded between 100-500 times before Google removed them.

It seems like cybercriminals' interest in using the infected android devices to mine cryptocurrencies is increasing day by day.

Last month, LookOut reported that CoinKrypt malware hijacked mobile phones in order to use it to generate digital currency.  Few days back, TrendMicro also discovered a Java RAT which is capable of abusing the android devices to mine Litecoin.

Bitcoin stealing Mac malware found to be hosted on Download.com and MacUpdate.com

Image Credits: ThreatPost.
Another variant of the recently discovered Mac Trojan "OSX/CoinThief" is found to be hosted on two popular download websites Download.com and MacUpdate.com.

CoinThief malware is designed to steal Bitcoins login credentials from victim as well as Mac's username and UUID(unique identifier), also collects information about the list of Bitcoin related apps installed on the system.

Few days back, SecureMac spotted this Trojan is being hosted under the name of "Stealthbit" on GitHub and downloaded by hundreds of users.  One user from reddit also pointed out the similarity between an one year old fake bitcoin related app "BitVanity" and stealthbit.

Now, experts at SecureMac have spotted one more variant being hosted under the name of "Bitcoin Ticker TTM" and "Litecoin Ticker" on popular download sites.  These app names appear to have been taken from legitimate apps in the Mac app store.

This version also installs fake browser extension called as Pop-up Blocker in Chrome, safari and firefox.  The malicious extension attempts to sniff on the web traffic to steal  bitcoin login credentials.  It will communicate with the background process and send collected data to a remote server.

SecureMac has explained how to check whether malware is installed on your system and how to remove this CoinThief malware.

The developer of legitimate Bitcoin Ticker TTM app said he has no connection with download.com & Macupdate.com and recommends users to download the app from Mac app store.

StealthBit: New malware targeting Apple Mac OS X steals Bitcoins

A new Trojan Horse targeting Apple Mac OS X spies on web traffic of users and attempt to steal Bitcoins.  SecureMac says the malware referred as "OSX/CoinThief.A" is found in the wild.  Several users have reported that their Bitcoins have been stolen.

The malware hosted in Github with the name "StealthBit" disguising itself as an app to send and receive payments on Bitcoin Stealth Addresses.  A link to this project had also been posted in reddit  inciting users to download the app and have been voted by 100 people. 

The project had source code as well as a pre-compiled binary file.  Researchers say the binary file didn't match with the copy generated from source code. Those who installed the pre-compiled version of the app likely to be infected by this malware.

One user from reddit reported that his 20 Bitcoins(current value is around $10k) have been stolen by this malware app.

"I foolishly installed 'StealthBit' Anyone else find this to be a virus? The Post is still online.. I found 1 comment suggesting the possibility. https://pay.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/" The user posted in the reddit.

Upon running the app for the first time, it installs browser extensions for Safari and Google Chrome and runs continually a program in background that looking for Bitcoin Wallet login credentials. The malware then steals Bitcoin login credentials, username and Unique identifier of infected Mac.

At the time of writing, the malicious project have been removed from the GitHub. 

It appears this is not the first time Mac users being fooled such kind of malicious apps.  One user shared his experience that he was scammed by similar app called "Bitvanity" which was also hosted in Github, stole 20 BTC from his account.

The user also has pointed out interesting facts about these two projects- The "StealthBit" hosted by "Thomas Revor" and "Bitvanity" was hosted by "Trevorscool".

Fake Facebook page serves Fake Flash player containing Miner

Now a days, Cyber Criminals have more interest in Bitcoins and Mining than the victim's information. Here is another example that shows the interest of cybercriminals.  


Security Researcher at MalwareBytes has come across a fake facebook video page that displays a message "An update for Youtube flash player is needed" and downloads fake flash player file.


Once user opened the fake flash player, it drops a couple of executable files namely "control.exe" and "svhost.exe".

Svchost.exe attempts to join a P2Pool - a decentralized Bitcoin mining pool that works by creating a peer-to-peer network of miner nodes.  However, it failed to connect.  The dropped miner is being detected as PUP.BitCoinMiner.

Users are always recommended to download the software from trusted and directly from the software provider. 

Citadel Malware targets Bitcoin users, takes screenshots of browsers


Virtual currency Bitcoin become the most hot topic in the Internet after its value recently reached unbelievable level.

We recently aware that cyber criminals breached Bitcoin related websites to steal the Bitcoins.  There are also malware that will install Bitcoin Miner in victim's machine(eg: ZeroAccess).

Trusteer’s Security team have come across a new variant of Citadel malware which targets Bitcoin users capable of capturing screenshots of victim's browser whenever they visit Bitcoin related websites.

It also targets other virtual currency related websites such as Yandex money(money-yandex.ru), Webmoney.ru, QIWI.ru, Perfect Money(perfectmoney.com).