Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Crypto-stealing Malware Campaign Infects Over 28,000 People in Eurasian Region



A recent cryptocurrency-stealing malware campaign has infected over 28,000 people in the Eurasian region and caused significant financial losses for its victims. The malware was delivered as password-protected archives posing as legitimate software and game cheats, and the campaign is a reminder to treat unsolicited links and downloads with suspicion.

  • Over 28,000 individuals in Russia, Turkey, Ukraine and other Eurasian countries were infected by a cryptocurrency-stealing malware campaign.
  • The malware was spread as password-protected archives posing as legitimate software and game cheats, promoted through YouTube videos and fraudulent GitHub repositories.
  • The password supplied with the archive started the infection chain; obfuscated scripts and an AutoIT interpreter then launched a digitally signed loader for the main payload.
  • The malware persisted by hijacking legitimate system services through the Image File Execution Options (IFEO) registry technique, stripped delete and modify permissions from its own files, collected system information, and dropped two payloads: Deviceld.dll (a miner loader) and 7zxa.dll (a clipper).
  • One clipper payload alone diverted about $6,000 worth of transactions to attacker-controlled addresses.



  • Crypto-stealing malware campaign infects over 28,000 people in Eurasian region
    In a recent large-scale attack, over 28,000 individuals from Russia, Turkey, Ukraine and other countries in the Eurasian region were infected by cryptocurrency-stealing malware. The malware was delivered as password-protected archives posing as legitimate software, and the campaign has caused significant financial losses for its victims.

    According to cybersecurity firm Dr. Web, the campaign distributed legitimate-looking software and game cheats through YouTube videos and fraudulent GitHub repositories. The archives were presented as pirated office-related software, automated trading bots and similar tools, and were supplied together with the password needed to open them; an encrypted archive also cannot be inspected by antivirus scanners until it has been unpacked.

    Opening the self-extracting archive prompted the victim for that password, and entering it started the infection chain. The archive dropped several obfuscated scripts, DLL files and an AutoIT interpreter, which launched a digitally signed loader for the main payload. Before continuing, the malware checked for debugging tools, a sign that it was running in an analyst's environment, and terminated if it found any.

    Next, the malware extracted the files needed for the later stages and modified the Windows Registry using the Image File Execution Options (IFEO) technique to hijack legitimate system services: an IFEO "Debugger" entry for an executable makes Windows launch the configured program instead, with the original command line as its argument, so the malware ran every time one of the hijacked processes was started. The Windows Recovery Service was disabled, and the "delete" and "modify" permissions on the malware's files and folders were revoked to hinder cleanup attempts.
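    As an added illustration of the persistence and anti-cleanup tricks just described (this is editor-written code, not code from Dr. Web, the original article, or the malware itself), the following PowerShell script enumerates IFEO hijacks on a host and checks the programs they launch for deny ACEs that strip delete or modify rights. The allow-list of known debuggers, the SilentProcessExit variant check and the decision to inspect both the launched binary and its parent folder are the editor's assumptions; nothing in it is a published indicator from this campaign.

```powershell
# Added example, not code from the Dr.Web report or the original article. It hunts a Windows host
# for the two tricks described above: IFEO-based hijacking of legitimate executables and deny ACEs
# that strip delete/modify rights from the malware's own files. No campaign-specific names, paths
# or values are known to this script; what it flags comes from the live system. Run elevated.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$SilentExitRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

# Debuggers that legitimately appear on developer machines (assumption; tune for your estate).
$KnownGoodDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'procdump.exe')

function Get-IfeoHijack {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue

            # Classic IFEO hijack: Windows starts 'Debugger' instead of the target executable.
            if ($props.Debugger) {
                [pscustomobject]@{
                    Technique = 'IFEO Debugger'
                    Target    = $key.PSChildName
                    Launches  = $props.Debugger
                    Key       = $key.Name
                }
            }

            # Variant: GlobalFlag bit 0x200 plus SilentProcessExit\<exe>\MonitorProcess runs a
            # program every time the target exits.
            if (($props.GlobalFlag -band 0x200) -ne 0) {
                $spePath = Join-Path $SilentExitRoot $key.PSChildName
                $spe = Get-ItemProperty -LiteralPath $spePath -ErrorAction SilentlyContinue
                if ($spe.MonitorProcess) {
                    [pscustomobject]@{
                        Technique = 'SilentProcessExit MonitorProcess'
                        Target    = $key.PSChildName
                        Launches  = $spe.MonitorProcess
                        Key       = $spePath
                    }
                }
            }
        }
    }
}

# Pull the executable out of a command line such as '"C:\x\loader.exe" --arg' or '%TEMP%\a.exe'.
function Get-CommandExecutable {
    param([string]$CommandLine)
    $exe = $null
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $exe = $Matches[1] }
    if ($exe) { [Environment]::ExpandEnvironmentVariables($exe) } else { $null }
}

# Deny ACEs removing delete/modify rights from a file or folder: legitimate software almost never
# does this to its own install location, so any hit on a hijack target's binary deserves a look.
function Get-AntiCleanupAce {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $blocked = [int]([System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and (([int]$ace.FileSystemRights -band $blocked) -ne 0)) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Denied   = $ace.FileSystemRights
            }
        }
    }
}

function Invoke-IfeoHunt {
    foreach ($h in @(Get-IfeoHijack)) {
        $exe  = Get-CommandExecutable $h.Launches
        $leaf = if ($exe) { [System.IO.Path]::GetFileName($exe).ToLower() } else { '' }
        $h | Add-Member -NotePropertyName KnownGood -NotePropertyValue ($KnownGoodDebuggers -contains $leaf)
        # Check both the launched binary and its folder for the anti-cleanup ACEs.
        $aces = @(Get-AntiCleanupAce -Path $exe)
        if ($exe) { $aces += @(Get-AntiCleanupAce -Path (Split-Path -Parent $exe)) }
        $h | Add-Member -NotePropertyName AntiCleanup -NotePropertyValue $aces
        $h
    }
}

Invoke-IfeoHunt | Where-Object { -not $_.KnownGood } | Format-List Technique, Target, Launches, Key,
    @{ Name = 'AntiCleanup'; Expression = { $_.AntiCleanup | ForEach-Object { "$($_.Identity) denied $($_.Denied) on $($_.Path)" } } }
```

    On a clean workstation the hunt normally returns nothing, because IFEO Debugger values are only set by developers and by a handful of tools; a hit whose launched binary also carries deny ACEs against Administrators or SYSTEM is the combination the article describes and should be triaged rather than silently deleted, since the ACEs have to be removed (or ownership retaken) before cleanup will succeed.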

    The malware established communication with a command and control (C2) server using the Ncat network utility and collected system information, including the security products running on the host, which it exfiltrated via a Telegram bot. It then delivered two key payloads onto the victims' machines: "Deviceld.dll," a modified .NET library that launched the SilentCryptoMiner to mine cryptocurrency with the victim's computing resources, and "7zxa.dll," a modified 7-Zip library acting as a clipper, which monitored the Windows clipboard for copied wallet addresses and replaced them with addresses under the attacker's control.
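    To make the clipper behaviour concrete, here is an added example (editor-written, not code from Dr. Web, the original article or the malware) of a user-side check for clipboard swapping: a copied wallet address that turns into a different address of the same kind within moments of being copied is far more likely the work of a clipper than of the user. The address patterns, the coin families covered and the two-second window are the editor's assumptions, chosen to illustrate the heuristic.

```powershell
# Added example, not code from the Dr.Web report or the original article. It shows one way to spot
# a clipboard-swapping clipper from the user's side: a copied wallet address that becomes a
# different address of the same family within moments is far more likely a clipper than the user.
# The address patterns and the two-second window are assumptions chosen for illustration.

# Address shapes for a few common coin families (assumption: enough to demonstrate the check).
$WalletPatterns = [ordered]@{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
    'BTC-bech32' = '^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$'
    'ETH'        = '^0x[0-9a-fA-F]{40}$'
    'TRX'        = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
}

# Returns the coin family a string looks like, or $null if it is not a wallet address.
# Case-sensitive matching matters: base58 and bech32 alphabets are case-sensitive.
function Get-WalletKind {
    param([string]$Text)
    if (-not $Text) { return $null }
    $t = $Text.Trim()
    foreach ($kind in $WalletPatterns.Keys) {
        if ($t -cmatch $WalletPatterns[$kind]) { return $kind }
    }
    return $null
}

# $true when two successive clipboard values are different addresses of the same family and
# appeared within $Window seconds of each other.
function Test-ClipperSwap {
    param([string]$Previous, [string]$Current, [double]$SecondsApart, [double]$Window = 2.0)
    $prevKind = Get-WalletKind $Previous
    return ($null -ne $prevKind) -and
           ($prevKind -eq (Get-WalletKind $Current)) -and
           ($Previous.Trim() -ne $Current.Trim()) -and
           ($SecondsApart -le $Window)
}

# Polls the clipboard and warns on a suspected swap. A clipper overwriting the clipboard shows up
# as a second change arriving right after the user's own copy.
function Watch-Clipboard {
    param([int]$PollMs = 100)
    $last = Get-Clipboard -Raw
    $lastSeen = Get-Date
    while ($true) {
        Start-Sleep -Milliseconds $PollMs
        $now = Get-Clipboard -Raw
        if ($now -eq $last) { continue }
        $delta = ((Get-Date) - $lastSeen).TotalSeconds
        if (Test-ClipperSwap -Previous $last -Current $now -SecondsApart $delta) {
            Write-Warning ("Possible clipper: '{0}' became '{1}' after {2:N2}s" -f $last, $now, $delta)
        }
        $last = $now
        $lastSeen = Get-Date
    }
}

# Constructed sample values (not real victim or attacker addresses) to exercise the check offline.
$copied  = '0x' + ('a' * 40)
$swapped = '0x' + ('b' * 40)
Test-ClipperSwap -Previous $copied -Current $swapped -SecondsApart 0.3              # same family, swapped within the window
Test-ClipperSwap -Previous $copied -Current $swapped -SecondsApart 30               # same family, but 30 s apart
Test-ClipperSwap -Previous $copied -Current ('bc1' + ('q' * 39)) -SecondsApart 0.3  # different families
# Watch-Clipboard   # uncomment to monitor the live clipboard; Ctrl+C stops it
```

    The timing heuristic is deliberately conservative: a clipper that waits longer, or that swaps address formats the patterns do not cover, will slip past it, which is why the habit of comparing the pasted address against the intended one before sending remains the real defence. A more robust monitor would use the Win32 clipboard sequence number rather than polling text, but the polling version keeps the logic readable.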

    Dr. Web reported that the campaign has caused significant financial losses, with one of the clipper payloads alone hijacking about $6,000 worth of transactions and diverting them to the attacker's addresses. To avoid such losses, users are advised to download software only from a project's official website, to distrust password-protected archives promoted in YouTube descriptions or GitHub repositories, and to verify the destination address before sending cryptocurrency, since a clipper alters the address after it has been copied.

    The attack highlights the importance of vigilance when interacting with suspicious links or downloads, and of basic defences such as up-to-date antivirus software and regular system updates. More broadly, the campaign is a reminder of the ongoing threat posed by such attacks and of the value of staying informed about emerging threats and taking proactive measures to protect oneself and one's organization.



    Related Information:

  • https://www.bleepingcomputer.com/news/cryptocurrency/crypto-stealing-malware-campaign-infects-28-000-people/


  • Published: Wed Oct 9 17:52:00 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us