Malware

Crypto investors under attack by new malware, reveals Cisco Talos

Since December 2022, the two malicious files — MortalKombat ransomware and Laplas Clipper malware — have been actively scouting the internet and stealing cryptocurrencies from unwary investors.

Anti-malware software vendor Malwarebytes has highlighted two new malicious programs, propagated by unknown sources, that actively target crypto investors in a desktop environment.

Since December 2022, the two malicious files in question — MortalKombat ransomware and Laplas Clipper malware — have been actively scouting the internet and stealing cryptocurrencies from unwary investors, the threat intelligence research team Cisco Talos revealed. The campaign’s victims are predominantly located in the United States, with smaller numbers in the United Kingdom, Turkey and the Philippines, as shown below.

Victimology of the malicious campaign. Source: Cisco Talos

The two pieces of malicious software work in partnership to swipe information stored in the user’s clipboard, which is usually a string of letters and numbers the user has copied. The infection detects wallet addresses copied to the clipboard and replaces them with a different address.

The attack relies on the user not noticing the swapped wallet address, so that the cryptocurrency is sent to the unidentified attacker instead. With no obvious target, the attack spans individuals and small and large organizations.
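The clipboard swap described above can be caught on the endpoint by comparing what the user actually copied with what the clipboard is later found to contain, and by comparing the full pasted address against the intended one at send time. The following Python is an added example written for this page, not code from Cisco Talos, Malwarebytes or the malware authors; the address patterns are format-only regular expressions (no checksum validation), and the addresses and clipboard events are constructed sample data, not real wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format-only patterns for the address kinds a clipper typically watches for.
# These do not validate checksums; they only decide "does this look like an address".
# The bech32 charset deliberately excludes the characters 1, b, i and o.
ADDRESS_PATTERNS = {
    "btc-base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address kind `text` looks like, or None if it is not an address."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass
class ClipboardEvent:
    kind: str      # "user_copy": the user pressed copy; "observed": the clipboard was polled
    content: str


def detect_swaps(events: List[ClipboardEvent]) -> List[Tuple[str, str]]:
    """Flag every point where the clipboard held an address the user copied and was later
    found holding a *different* address of the same kind with no user copy in between.
    Returns (address_the_user_copied, address_found_in_clipboard) pairs."""
    expected: Optional[str] = None
    alerts: List[Tuple[str, str]] = []
    for event in events:
        if event.kind == "user_copy":
            expected = event.content.strip()
            continue
        if expected is None:
            continue
        observed = event.content.strip()
        if observed == expected:
            continue
        expected_kind = classify_address(expected)
        if expected_kind is not None and classify_address(observed) == expected_kind:
            alerts.append((expected, observed))
            expected = None  # report each swap once; the next user copy re-arms the check
    return alerts


def verify_before_send(intended: str, pasted: str) -> bool:
    """Paste-time check: the whole pasted address must equal the address the user meant
    to send to. Compare the full string, not just a prefix or suffix."""
    return intended.strip() == pasted.strip()


# Constructed sample data (hypothetical, format-valid strings; not real wallets).
BTC_USER = "bc1qusrwallet" + "0" * 28
BTC_SWAPPED = "bc1qswappedaddr" + "0" * 26
EVM_USER = "0x" + "1" * 40

SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", "meeting notes for Monday"),
    ClipboardEvent("observed", "meeting notes for Monday"),
    ClipboardEvent("user_copy", BTC_USER),
    ClipboardEvent("observed", BTC_USER),
    ClipboardEvent("observed", BTC_SWAPPED),  # replaced without a user copy: the alert
    ClipboardEvent("observed", BTC_SWAPPED),
    ClipboardEvent("user_copy", EVM_USER),
    ClipboardEvent("observed", EVM_USER),
]


def run_demo() -> List[Tuple[str, str]]:
    """Run the detector over the constructed event stream."""
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for copied, found in run_demo():
        print("clipboard swap: copied %s but clipboard now holds %s" % (copied, found))
```

The detector is deliberately conservative: it only alerts when an address was replaced by another address of the same kind, which is the behaviour the article describes, and it does not treat a change from non-address text to an address as a swap.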

Ransom notes shared by MortalKombat ransomware. Source: Cisco Talos

Once infected, the MortalKombat ransomware encrypts the user’s files and drops a ransom note with payment instructions, as shown above. Revealing the download links (URLs) associated with the attack campaign, Talos’ report stated:

“One of them reaches an attacker-controlled server via IP address 193[.]169[.]255[.]78, based in Poland, to download the MortalKombat ransomware. According to Talos’ analysis, 193[.]169[.]255[.]78 is running an RDP crawler, scanning the internet for exposed RDP port 3389.”

As explained by Malwarebytes, the “tag-team campaign” starts with a cryptocurrency-themed email containing a malicious attachment. When opened, the attachment runs a BAT file that downloads and executes the ransomware.

Thanks to the early detection of malicious software with high potential, investors can proactively prevent this attack from impacting their financial well-being. As always, Cointelegraph advises investors to perform extensive due diligence before investing, while ensuring the official source of communications. Check out this Cointelegraph Magazine article to learn how to keep crypto assets safe.

Related: US Justice Department seizes website of prolific ransomware gang Hive

On the flip side, as ransomware victims continue to refuse extortion demands, ransomware revenues for attackers plummeted 40% to $456.8 million in 2022.

Total value extorted by ransomware attackers between 2017 and 2022. Source: Chainalysis

While revealing the information, Chainalysis noted that the figures don’t necessarily mean the number of attacks is down from the previous year.

German regulator warns of new banking and crypto malware ‘Godfather’

The “Godfather” malware is also known to target 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.

Financial authorities in Germany are raising the alarm amid the rapid spread of a new financial malware affecting banking and cryptocurrency applications.

Germany’s Federal Financial Supervisory Authority (BaFin) released an official statement on Jan. 9, warning consumers of “Godfather,” a malware collecting user data in banking and crypto apps.

BaFin emphasized that the new virus is targeting about 400 banking and crypto apps, including those operating in Germany. The Godfather malware attacks users by displaying fake websites imitating legitimate banking and crypto apps and stealing their login data.

According to the regulator, it is yet to be determined how the malware attacks users’ devices. The malware is known to send push notifications to get the codes for two-factor authentication. “With this data, the cyber criminals may be able to gain access to consumers’ accounts and wallets,” BaFin noted.

The first warnings on Godfather surfaced in December, with reports suggesting that the malware was affecting Android devices and targeting users in 16 countries. Cybersecurity experts from Group-IB reportedly initially discovered the Godfather trojan in 2021, but the malware has undergone massive code upgrades and improvements and has seen a big spike in activity over the past few months.

Related: Nifty News: Fake Pokémon NFT game spreads malware, ‘Jai Ho’ singer to launch metaverse and more

According to the Group-IB cybersecurity experts, almost 50% of all apps targeted by Godfather are banking apps, with most of them coming from the United States. Germany is also among the most affected countries, alongside Turkey, Spain and Canada. The malware is also known to target 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.

Cryptojacking has emerged as one of the biggest types of attacks on crypto apps in recent years. According to forecasts from the cybersecurity lab Kaspersky, 2023 will see even more malware attacks, with the year likely to be marked by the “cyber epidemics with the biggest impact.”

Nifty News: Fake Pokémon NFT game spreads malware, ‘Jai Ho’ singer to launch metaverse and more

Software used to access computers remotely has been inserted in a phishing website fronting as an NFT card game for the popular Pokémon franchise.

Hackers hide malware in fake NFT game

A phishing website purporting to offer a Pokémon-branded nonfungible token (NFT) card game has been spreading malware to unsuspecting gamers, a cybersecurity firm has warned.

The website, which at the time of writing was still online, also claims to offer an NFT marketplace, with a link to buy tokens, and even an area to stake NFTs — all based on the popular Japanese media franchise.

However, an arm of the South Korean cybersecurity firm AhnLab warned the public about the website on Jan. 6, noting that instead of downloading a game, users were actually downloading a remote access tool that allows hackers to take control of their device.

A screenshot of the phishing website. The “Play on PC” link at the bottom of the image downloads the malware.

The tool, known as NetSupport Manager, would allow the attackers to remotely control the computer’s mouse and keyboard, access the system’s file management and history and even execute commands allowing them to install additional malware, the firm warned.

The public has been advised to only purchase or download applications from official websites and not open attachments in suspicious emails.

The composer behind ‘Jai Ho’ to spin up metaverse

Allah Rakha Rahman, the Indian composer and singer known for the Grammy Award-winning song “Jai Ho,” is launching his own metaverse platform for artists and their music.

Rahman tweeted on Jan. 6 that his “Katraar” metaverse “is one step closer to launching.” He attached a video of him explaining the upcoming platform, which will use “decentralized technology,” according to its website.

In the video, Rahman said his vision for the platform was to “bring in new talents, technologies, and […] direct revenue for artists,” with one revenue stream seemingly the integration of NFTs.

“Right now we are working with the HBAR Foundation to do many cool things, one is bringing a lot of NFTs.”

The HBAR Foundation is a not-for-profit independent organization of the distributed ledger firm Hedera Hashgraph, the creator of the ledger and cryptocurrency Hedera (HBAR).

Rahman added there’s also “an undisclosed project based on virtual beings” but did not provide further details.

2023’s first week saw NFT sales jump 26%

Post-Christmas blues appear to have worn off, at least for the NFT market, with sales volume jumping nearly 26% in the first week of 2023 compared to the prior week.

According to data from market metrics aggregator Cryptoslam, in the seven days that ended Jan. 7, NFT sales volume was over $211.4 million, with around 1.2 million NFTs transacted between over 400,000 buyers.

The number of buyers increased by 17% on the week, but transactions only grew by just over 2.5%.

Ethereum-based NFTs remained popular, with sales on the blockchain up nearly 26%.

The top three collections for the week were similarly Ethereum-native. Yuga Labs’ Bored Ape Yacht Club was in first place with nearly $19 million traded, up nearly 50% in terms of volume.

The Mutant Ape Yacht Club collection was second, with an increase of 80% to hit $14 million in sales volume. Azuki was third, with sales surging 132% to $12.7 million.

Every frame of feature-length film minted as an NFT

The producers of the 2022 thriller film The Rideshare Killer have released nearly 120,000 unique NFTs in what they’ve dubbed the “first ‘every frame minted’ (EFM) film.”

Exactly 119,170 NFTs, each representing one frame of the 83-minute film shot at 24 frames per second, were minted on the Polygon blockchain, according to a Jan. 5 press release.

The film’s producer, Tony Greenberg, said he believed that NFTs “will change the independent film landscape” as they offer a “potentially appreciating collectible” to fans and a “sustainable revenue source for artists.”

The film may have to rely on its NFT sales to break even if its reviews are anything to go by.

It currently has a rating of 4/10 across eight reviews on the online film database and reviews website IMDb, with one critic saying the movie “should never have been made.”

Other Nifty News

YouTuber and sports beverage merchant Logan Paul has made a U-turn on his threat to sue Stephen “Coffeezilla” Findeisen for defamation over Findeisen’s allegations that Paul’s NFT project CryptoZoo was a scam.

NFT marketplace SuperRare has gutted 30% of its staff, with CEO John Crain saying it “over-hired” during the crypto bull market. Crain added the company was “facing headwinds” due to the ongoing crypto winter.

Cybercrooks to ditch BTC as regulation and tracking improves: Kaspersky

The cybersecurity firm predicted that crypto-related cybercrime won’t slow down in 2023, but it will move on from Bitcoin as a source of payment.

Bitcoin (BTC) is forecasted to be a less enticing payment choice by cybercriminals as regulations and tracking technologies improve, thwarting their ability to safely move funds.

In a Nov. 22 report, cybersecurity firm Kaspersky noted that ransomware negotiations and payments will rely less on Bitcoin as a means of transferring value, as tighter digital asset regulation and improved tracking technologies force cybercriminals to rotate away from Bitcoin to other methods.

As reported by Cointelegraph, ransomware payments using crypto topped $600 million in 2021, and some of the biggest heists, such as the Colonial Pipeline attack, demanded BTC as a ransom.

Kaspersky also noted that crypto scams have increased along with the greater adoption of digital assets. However, it said that people have become more aware of crypto and are less likely to fall for primitive scams such as Elon Musk-deepfake videos promising huge crypto returns.

It predicted malicious actors will continue trying to steal funds through fake initial token offerings and nonfungible tokens (NFTs), and crypto-based theft such as smart contract exploits will become more advanced and widespread.

2022 has largely been a year of bridge exploits, with more than $2.5 billion already pilfered from them, as reported by Cointelegraph.

The report also noted that malware loaders will become hot property on hacker forums as they are harder to detect. Kaspersky predicted that ransomware attackers may shift from destructive financial activity to more politically-based demands.

Related: Hackers keeping stolen crypto: What is the long-term solution?

Back to the present, the report noted an exponential rise in 2021 and 2022 of “infostealers” — malicious programs that gather information such as logins.

Cryptojacking and phishing attacks have also increased in 2022 as cybercriminals employ social engineering to lure their victims.

Cryptojacking involves injecting malware into a system to steal or mine digital assets. Phishing is a technique using targeted emails or messages to lure a victim into revealing personal information or clicking a malicious link.

Fake Solana wallet security update is trying to steal your crypto: Reports

Password-stealing malware is being spread by hackers through NFT airdrops purporting to be Solana Phantom security updates.

For the last two weeks, unknown hackers have been airdropping nonfungible tokens (NFTs) to Solana cryptocurrency users masquerading as a new Phantom wallet security update. However, instead of an update, it’s malware designed to steal their crypto.

According to BleepingComputer, the hackers are claiming to be from the Phantom team and using NFTs titled PHANTOMUPDATE.COM or UPDATEPHANTOM.COM.

After opening the NFT, users are told a new security update has been issued for the Phantom wallet and can be downloaded by using the enclosed link or the listed website.

To add urgency, the message claims that failing to download the fake security update “may result in a loss of funds due to hackers exploiting the Solana network.”

The fake NFTs being used to spread malware. Source: BleepingComputer

The urgency piece is likely related to the Solana-based wallet hack, which saw roughly $8 million stolen from 8,000 wallets in August, including those of Phantom wallet users. The security exploit was later linked to vulnerabilities within the Solana-based Web3 wallet service Slope. 

Should a victim follow the fake Phantom update instructions, the process ends with malware being downloaded from GitHub, which attempts to steal browser information, history, cookies, passwords, SSH keys and other information from the user.

Users who may have inadvertently fallen prey to this scam are recommended to take security precautions such as scanning their computer with antivirus software, securing crypto assets and changing passwords on sensitive platforms such as bank accounts and crypto trading platforms.

Related: Blockchain security firm warns of new MetaMask phishing campaign

In the past, similar malware-spreading campaigns have employed malware dubbed Mars Stealer to steal crypto from unsuspecting users.

An upgrade of the information-stealing Oski trojan of 2019, Mars Stealer targets more than 40 browser-based crypto wallets, along with popular two-factor authentication (2FA) extensions, with a grabber function that steals users’ private keys.

Sneaky fake Google Translate app installs crypto miner on 112,000 PCs

Dressed up as legitimate desktop software, this sneaky malware has infected thousands of machines across 11 countries, forcing them to unknowingly mine Monero (XMR).

Crypto mining malware has been sneakily invading hundreds of thousands of computers around the world since 2019, often masquerading as legitimate programs such as Google Translate, new research has found. 

In a Monday report, Check Point Research (CPR), the research team of American-Israeli cybersecurity provider Check Point Software Technologies, revealed that the malware has been flying under the radar for years, thanks partly to its insidious design, which delays installing the crypto mining component for weeks after the initial software download.

Linked to a Turkish-speaking software developer claiming to offer “free and safe software,” the malware program invades PCs through counterfeit desktop versions of popular apps such as YouTube Music, Google Translate and Microsoft Translate.

Once a scheduled task mechanism triggers the malware installation process, it steadily goes through several steps over several days, ending with a stealth Monero (XMR) crypto mining operation being set up.

The cybersecurity firm said that the Turkish-based crypto miner dubbed ‘Nitrokod’ has infected machines across 11 countries.

According to CPR, popular software downloading sites like Softpedia and Uptodown had forgeries available under the publisher name Nitrokod INC. 

Some of the programs had been downloaded hundreds of thousands of times, such as the fake desktop version of Google Translate on Softpedia, which even had nearly a thousand reviews, averaging a star score of 9.3 out of 10, despite Google not having an official desktop version for that program.

Screenshot by Check Point Research of the alleged fake app

According to Check Point Software Technologies, offering a desktop version of apps is a key part of the scam.

Most programs offered by Nitrokod do not have a desktop version, making the counterfeit software appealing to users who think they’ve found a program unavailable anywhere else.

According to Maya Horowitz, vice president of research at Check Point Software, the malware-riddled fakes are also available “by a simple web search.”

“What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long.”

As of writing, Nitrokod’s imitation Google Translate Desktop program remains one of the main search results.

Design helps avoid detection

The malware is particularly tricky to detect, as even when a user launches the sham software, they remain none the wiser as the fake apps can also mimic the same functions that the legitimate app provides.

Most of the hacker’s programs are easily built from the official web pages using a Chromium-based framework, allowing them to spread functional programs loaded with malware without developing them from the ground up.

Related: 8 sneaky crypto scams on Twitter right now

So far, over one hundred thousand people across Israel, Germany, the United Kingdom, the United States, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia and Poland have all fallen prey to the malware.

To avoid getting scammed by this malware and others like it, Horowitz says several basic security tips can help reduce the risk.

“Beware of lookalike domains, spelling errors in websites, and unfamiliar email senders. Only download software from authorised, known publishers or vendors and ensure your endpoint security is up to date and provides comprehensive protection.”

GitHub faces widespread malware attacks affecting projects, including crypto

The developer who found the vulnerability asked developers to sign their revisions with a GPG key so that all their revisions on a project can be verified.

Major developer platform GitHub faced a widespread malware attack and reported 35,000 “code hits” on a day that saw thousands of Solana-based wallets drained for millions of dollars.

The widespread attack was highlighted by GitHub developer Stephen Lucy, who first reported the incident earlier on Wednesday. The developer came across the issue while reviewing a project he found on a Google search.

So far, various projects — from crypto, Golang, Python, JavaScript, Bash, Docker and Kubernetes — have been found to be affected by the attack. The malware attack targets Docker images, install docs and NPM scripts, which are a convenient way to bundle common shell commands for a project.

To dupe developers and access critical data, the attacker first creates a fake repository (a repository contains all of the project’s files and each file’s revision history) and pushes clones of legit projects to GitHub. For example, the following two snapshots show this legit crypto miner project and its clone.

Original crypto mining project. Source: Github
Cloned crypto mining project. Source: Github

Many of these clone repositories were pushed as “pull requests,” which let developers tell others about changes they have pushed to a branch in a repository on GitHub.

Related: Nomad reportedly ignored security vulnerability that led to $190M exploit

Once the developer falls prey to the malware attack, the entire set of environment variables (ENV) of the script, application or laptop (Electron apps) is sent to the attacker’s server. The ENV includes security keys, Amazon Web Services access keys, crypto keys and much more.

The developer has reported the issue to GitHub and advised developers to GPG-sign their revisions made to the repository. GPG keys add an extra layer of security to GitHub accounts and software projects by providing a way of verifying all revisions come from a trusted source.
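Signing commits only helps if someone actually checks the signatures, so a practical follow-up to the advice above is a small audit that walks a repository’s history and flags any revision that is unsigned, badly signed, or signed by a key outside an allowlist. The following Python is an added example written for this page, not code from Stephen Lucy or GitHub. It relies on two documented `git log` pretty-format placeholders, `%G?` (signature status letter) and `%GF` (fingerprint of the signing key); the trusted fingerprints, commit hashes and log lines are constructed sample data.

```python
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Set

# Output requested from git: status letter, signing-key fingerprint, commit hash and
# subject, separated by tabs. %G? and %GF are standard git pretty-format placeholders.
LOG_FORMAT = "%G?%x09%GF%x09%H%x09%s"

# Meaning of the %G? status letters as documented by git.
STATUS_MEANING = {
    "G": "good signature",
    "U": "good signature, key not trusted",
    "X": "good signature, but it has expired",
    "Y": "good signature, but the key has expired",
    "R": "good signature, but the key has been revoked",
    "B": "bad signature",
    "E": "signature cannot be checked (missing key?)",
    "N": "no signature",
}


@dataclass
class Finding:
    commit: str
    subject: str
    status: str
    fingerprint: str
    reason: str


def audit_log_lines(lines: Iterable[str], trusted_fingerprints: Set[str]) -> List[Finding]:
    """Return one Finding per commit that should not be accepted.

    A commit passes only when git reports a good signature ("G") *and* the signing key's
    fingerprint is in the trusted set. Everything else (unsigned, bad, expired, revoked,
    unverifiable, or signed by an unknown key) is reported."""
    trusted = {fpr.upper() for fpr in trusted_fingerprints}
    findings: List[Finding] = []
    for raw in lines:
        if not raw.strip():
            continue
        status, fpr, commit, subject = raw.rstrip("\n").split("\t", 3)
        if status == "G" and fpr.upper() in trusted:
            continue
        if status == "G":
            reason = "good signature, but key %s is not in the trusted set" % fpr
        else:
            reason = STATUS_MEANING.get(status, "unknown status %r" % status)
        findings.append(Finding(commit, subject, status, fpr, reason))
    return findings


def audit_repo(path: str, rev_range: str, trusted_fingerprints: Set[str]) -> List[Finding]:
    """Run `git log` on a real checkout and audit its output (requires git and the
    signers' public keys to be present locally)."""
    result = subprocess.run(
        ["git", "-C", path, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    )
    return audit_log_lines(result.stdout.splitlines(), trusted_fingerprints)


# Constructed sample data: hypothetical fingerprints and commit hashes, not real ones.
TRUSTED_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"
UNKNOWN_KEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_LOG = [
    "G\t%s\t%s\tAdd signed release build" % (TRUSTED_KEY, "a" * 40),
    "N\t\t%s\tUpdate install docs" % ("b" * 40),               # unsigned
    "G\t%s\t%s\tAdd postinstall script" % (UNKNOWN_KEY, "c" * 40),  # signed by an unknown key
    "B\t%s\t%s\tBump version" % (TRUSTED_KEY, "d" * 40),      # signature does not verify
    "",
]


def run_demo() -> List[Finding]:
    """Audit the constructed log: three of the four commits should be reported."""
    return audit_log_lines(SAMPLE_LOG, {TRUSTED_KEY})


if __name__ == "__main__":
    for finding in run_demo():
        print("%s  %-8s %s  (%s)" % (finding.commit[:12], finding.status, finding.subject, finding.reason))
```

Note that `audit_repo` only sees what git can verify: if the signers’ public keys are not imported into the local keyring, every commit comes back as `E` and is reported, which is the safe failure mode for a check like this.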

Blockchain security firm warns of new MetaMask phishing campaign

Blockchain security firm Halborn has warned users of the latest phishing emails doing the rounds.

A cybersecurity firm has issued warnings over a new phishing campaign targeting users of the popular crypto wallet MetaMask.

In a Thursday post, Halborn’s technical education specialist Luis Lubeck wrote that the active phishing campaign uses emails to target MetaMask users and trick them into giving out their passphrase.

The firm analyzed scam emails it received in late July to warn users of the new scam. Halborn noted that at first glance the email looks authentic, with a MetaMask header and logo and messaging that tells users to comply with Know Your Customer (KYC) regulations and explains how to verify their wallets.

However, Halborn also noted there are several red flags within the message. Spelling errors and a fake sender’s email address were two of the most obvious. Furthermore, a fake domain called metamaks.auction was used to send the phishing emails.

Phishing attacks are social engineering attacks using targeted emails to lure victims into revealing more personal data or clicking links to malicious websites that attempt to steal crypto.

There was also no personalization in the message, the firm noted, which is another warning sign. Hovering over the call-to-action button reveals the malicious link to a fake website, which prompts users to enter their seed phrases before redirecting them to MetaMask, allowing the attackers to empty their crypto wallets.

Halborn, which raised $90 million in a Series A round in July, was founded in 2019 by ethical hackers offering blockchain and cybersecurity services.

In June, Halborn researchers discovered a case where a user’s private keys could be found unencrypted on the disk of a compromised computer. MetaMask patched the issue in extension version 10.11.3 and later following the discovery.

However, there was no mention of the new email phishing threat on MetaMask’s Twitter feed at the time of writing.

Related: Phishing risks escalate as Celsius confirms client emails leaked

Last week, Celsius users were warned of a phishing threat following the leak of customer emails by a third-party vendor employee.

In late July, security researchers warned of a new malware strain called Luca Stealer appearing in the wild. The information stealer is written in the Rust programming language and targets Web3 infrastructure such as crypto wallets. Similar malware called Mars Stealer was discovered targeting MetaMask wallets in February.