Home Tags Malware
A new strain of Trojan malware for Android phones is targeting global users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet. A new strain of Trojan malware for Android phones is targeting global users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet, as well as banks including JPMorgan, Wells Fargo, and Bank of America. The news was reported by technology news outlet The Next Web on March 28. Based on research from prominent cybercrime analytics firm Group-IB, this is reportedly the first time the Trojan — now named “Gustuff” — has been reported or analyzed. The malware is described as being designed for mass infection and is spread by SMS messages with links to load malicious Android package kit files. The malware’s creators have reportedly created “Automatic Transfer Systems” that aim to expedite and scale the thefts by triggering autofills of payment fields for legitimate Android apps to maliciously reroute transfers to the hackers. The app is purported..
According to a cybersecurity company, Israeli fintech companies are being targeted by malware. Israeli fintech companies that work with forex and crypto trading are being targeted by malware, according to a blog post from threat research department Unit 42 of cybersecurity company Palo Alto Networks published on March 19. Per the report, Unit 42 first encountered an older version of the malware in question, Cardinal RAT, in 2017. Since April 2017, Cardinal RAT has been identified when examining attacks against two Israel-based fintech companies engaged in developing forex and crypto trading software. The software is a Remote Access Trojan (RAT), which allows the attacker to remotely take control of the system. The updates applied to the malware aim to evade detection and hinder its analysis. After explaining the obfuscation techniques employed by the malware, the researchers explain that the payload itself does not vary significantly compared to the original in terms of modus operandi..
The malicious Google Chrome web extension was tied to a fake token airdrop from cryptocurrency exchange Huobi. A Google Chrome browser extension tricking users into participating in a fake airdrop from cryptocurrency exchange Huobi claimed over 200 victims, a security researcher reported in a blog post on March 14. The extension for Chrome web browser, with the name NoCoin, gained 230 downloads before Google deleted it, according to Harry Denley, who runs cryptocurrency scam database EtherscamDB. Denley noted that hackers had purposely disguised the malicious extension to look like a tool protecting users from cryptocurrency malware or so-called cryptojacking. “From the start, it looked like it did what it should — it was detected [sic] various CryptoJacking scripts […] and there was a nice UI to let me know it was doing its job,” he explained in the blog post. Behind the facade, however, it became apparent the extension requests the input of private keys from popular wallet interface..
A new attack uses a combination of known tools to target victims and use their hardware to mine Monero. A new hacking tool is propagating throughout the online community in an attempt to install cryptocurrency mining malware, researchers at security intelligence firm Trend Micro confirmed in a blog post on Feb. 20. Detected at the end of January, the tool is a combination of extant threats which previously targeted Microsoft Windows users: MIMIKATZ and RADMIN. “Between the last week of January to February, we noticed an increase in hack tool installation attempts that dropped seemingly random files into the Windows directory,” the blog post reads: “Initially appearing unrelated, analysis showed the final payload to be a Monero (XMR) cryptocurrency-mining malware variant[.]” “Using MIMIKATZ and RADMIN for propagation while exploiting critical vulnerabilities enables malicious actors to spread malware with worm-like behavior to target specific systems in industries without being immedia..
An app masquerading as DApp MetaMask contained malware that aimed to steal coins by replacing wallet addresses. Decentralized app (DApp) MetaMask is facing fresh problems from cryptocurrency scammers after malware impersonating the tool appeared on Google Play, cybersecurity company Eset reported Feb. 8. The malware, which replaces computer clipboard information in an attempt to steal cryptocurrency, was removed by Google at the beginning of the month after a tip-off from Eset researchers. Known as a ‘Clipper,’ the malware replaces copied cryptocurrency wallet addresses with an address belonging to an attacker in the hope funds will be sent elsewhere without the user noticing. The discovery marked the first time such malware had made it past Google’s vetting procedures, the security firm notes. “The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask,” Eset explained, continuing:..
The modified Shellbot trojan is thought to have originated from a Romanian hacker collective. More cryptocurrency mining malware continues to target major corporations, hijacking victims to mine altcoin Monero (XMR), new research warned on Feb. 5. Findings from the Special Ops team at United States cybersecurity company JASK reveal a modified version of trojan Shellbot has become increasingly prevalent since its debut in November last year. The perpetrators, the company says, appear to be a Romanian hacker group known as Outlaw, a translation of the Romanian word “haiduc,” which also lends its name to one of the payloads the malware installs. “The toolkit observed [...] in use by the attacker contains three primary components: IRC (Internet Relay Chat) botware for Command and Control (C2), a revenue stream via Monero mining, and a popular scan and brute force tool, haiduc,” JASK confirmed. The latest threat specifically targets users of devices running Linux. In mid-January, research ..
The malware seeks to bypass multi-factor authentication by stealing a range of data, says Palo Alto Networks. A new form of malware steals cookies from cryptocurrency exchanges and other data in an attempt to hack user accounts, cybersecurity research team Palo Alto Networks reported on Jan. 31. CookieMiner, a progression of OSX.DarthMiner, is a malware targets Mac users, stealing saved Google Chrome passwords, iPhone SMS messages and iTunes backups on tethered machines and more. Along with the cookies, the goal of the malware is to gain access to cryptocurrency exchange accounts. According to Palo Alto, the hackers assume a combination of the stolen data would allow them to bypass the multi-layer authentication that many exchange users set up to provide additional security. “If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves,” the firm summarized. As its name suggests, t..
A new cryptojacking malware reportedly has the ability to disable cloud-based security measures to avoid detection on Linux-based servers. A new cryptojacking malware has the ability to disable cloud-based security measures to avoid detection on Linux servers, research by information security company Palo Alto Networks Jan. 17 reveals. The malware in question mines Monero (XMR) and is reportedly a modified version of one used by the so-called “Rocke” group, originally discovered by cybersecurity firm Talos in August last year. According to the research, one of the first things that the malware does is check for other cryptocurrency mining processes and add firewall rules to block any other cryptojacking malware. The virus reportedly also searches for cloud security services by Chinese internet giants Tencent and Alibaba and neutralizes them in an attempt to remain concealed. Ryan Olson, vice president for threat intelligence at Palo Alto Networks explained: “This evolution indicates t..
Latest crypto-related malware hides in a movie file on The Pirate Bay and targets specifically Windows PCs, Bleeping Computer reports. New malware posing as a movie file from torrent website The Pirate Bay (TPB) can manipulate web pages and replace Bitcoin (BTC) and Ether (ETH) addresses, computing magazine Bleeping Computer reported Jan. 12. The malware — originally thought to inject advertising on Google and in search results — in fact performs multiple actions, some of which were discovered by the publication’s own researcher Lawrence Abrams. “What appeared to be an ad-injector into the main Google search page turned out to be only the tip of the iceberg,” the researchers warned. The file containing malicious code poses as a movie file on TPB, specifically for the movie The Girl in the Spider's Web. In reality, along with ads and manipulating search results to show certain links first, the malware is also able to swap out cryptocurrency wallet addresses for ones owned by the a..
Three strains of crypto mining malware have topped the latest Global Threat Index from Israeli cybersecurity firm Check Point. Three strains of crypto mining malware have topped the latest Global Threat Index from Israeli cybersecurity firm Check Point, according to a press release published on Jan. 14. Check Point Software Technologies Ltd. is a security solution provider for governments and enterprises globally, with over 100,000 organizations reported to be currently using its security management system. As reported, stealth crypto mining attacks — also known as cryptojacking — work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge. According to Check Point’s Global Threat Index for December 2018, the top three most wanted malware strains were all cryptojacking-related — with Coinhive, a web browser-based Monero (XMR) mining code — sealing the top spot for the 13th consecutive month. Ranked second and..