Cyren sounds siren over Bitcoin siphon scam
US-based internet security firm Cyren has discovered an outbreak of malware which is stealing passwords as well as Bitcoin from cryptocurrency wallets on PCs.
Avi Turiel, director of threat research at Cyren, says in a blog post this “versatile” keylogger malware is being delivered as an attachment to phony bank transfer emails, which inform the recipient that they have received a deposit. The emails originate primarily from bots in the US and Singapore, and are branded as coming from several different banks, including Emirates NBD and DBS.
The email subjects are typically financial transfer-related, including online wire transfer payment notification, payment update and Swift copy. The attachments are all named with variations of Swift codes including swift copy_pdf.ace, swift copy.zip and swift_copy.pdf.gz.
Turiel says the email attachment is an executable file, most typically with “PDF” in the filename (Swift_Copy.Pdf.exe). Cyren researchers report that after execution it deletes itself and creates a file called “filename.vbs” in the Windows start-up folder. Every time the “victim” restarts or logs into his or her PC after signing out, this script runs, executing the malware itself – “filename.exe” located in AppData\Local\Temp\subfolder.
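A host check for the persistence pattern and disguised attachment names described above, as an added example (not Cyren's code): it flags Startup-folder scripts that launch an executable from under AppData\Local\Temp, and attachment names that hide an executable behind a document extension. The function names, extension lists and sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Script types that run when placed in a Startup folder (assumed list; extend as needed).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}
# An .exe under AppData\Local\Temp, written literally or via %TEMP% / %TMP%.
TEMP_EXE = re.compile(r"(?:appdata\\local\\temp|%te?mp%)\\[^\"'\r\n]*?\.exe", re.I)
# Document-looking name that is really a program, e.g. Swift_Copy.Pdf.exe.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|txt)\.(?:exe|scr|com|pif)$", re.I)


def read_script(path):
    """Decode a script file, which may be saved as ANSI or BOM-marked UTF-16."""
    raw = path.read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")


def scan_startup(folder):
    """Return (script name, exe path) for each startup script that launches from Temp."""
    hits = []
    for entry in sorted(Path(folder).iterdir()):
        if entry.is_file() and entry.suffix.lower() in SCRIPT_EXTS:
            hits += [(entry.name, m.group(0)) for m in TEMP_EXE.finditer(read_script(entry))]
    return hits


def is_disguised_executable(filename):
    """True when an attachment name hides an executable behind a document extension."""
    return bool(DOUBLE_EXT.search(filename.strip()))


def build_sample(folder):
    """Write constructed Startup-folder contents (illustrative, not real malware files)."""
    root = Path(folder)
    bad = 'CreateObject("WScript.Shell").Run "C:\\Users\\alice\\AppData\\Local\\Temp\\subfolder\\filename.exe"\r\n'
    ok = 'CreateObject("WScript.Shell").Run "C:\\Program Files\\Vendor\\updater.exe"\r\n'
    (root / "filename.vbs").write_bytes(bad.encode("utf-16"))  # UTF-16 with BOM
    (root / "updater.vbs").write_bytes(ok.encode("ascii"))     # benign control case


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for script, exe in scan_startup(tmp):
            print(f"startup script {script} launches {exe}")
    print("Swift_Copy.Pdf.exe disguised:", is_disguised_executable("Swift_Copy.Pdf.exe"))
```

On a live system, point `scan_startup` at the per-user Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`).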
The malware queries the registry for passwords and other sensitive information related to many kinds of software. It especially focuses on FTP and web browsing software and other software that could have credential information. It gathers information from all the web browsers on the computer (stored passwords and usernames, history, cookies, cache etc.) and email clients as well.
The malware also searches the computer for crypto-currency wallets to steal. According to Turiel, among the wallets it tries to find are: Anoncoin, BBQcoin, Bitcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Namecoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin and Zetacoin.
Turiel adds that the malware creates “hooks” for both the keyboard and the mouse. The Windows API function “GetAsyncKeyState” is called, which indicates that the malware is logging every keystroke (keylogger).
Last year, Bitcoin found itself under scrutiny due to a variety of mishaps.
Customers of Valartis Bank in Liechtenstein were held to Bitcoin ransom by hackers.
Mexico’s third-largest Bitcoin exchange, MeXBT, went offline without any prior warning – leaving its users confused.
It also all went wrong in Hong Kong as about $72 million worth of Bitcoin was stolen from the Bitfinex exchange platform.