Snippet from report ...... Wallet theft In Jan
Quote:
Wallet theft

In January threat actors were discovered circumventing internet-facing mining hosts and changing the wallet addresses on the hosts to an address under the actors’ control. Cybercriminals made the wallet swap by bypassing the management port of the popular mining software Claymore Miner, which listens by default on port 3333. The malware, Satori.Coin.Robber, is a successor to the well-known Satori botnet, which wreaked havoc in late 2017 on Internet of Things devices. This variant uses a hardcoded IP address for control server traffic, with most of the IPs scanning for potential targets in South Korea. In addition, the malware author leaves a note behind, stating that the bot is not malicious and that he can be contacted via email.

Cybercriminals have even repurposed other known techniques and tailored them for cryptocurrency attacks. An attack discovered in late 2017 replaced digital wallets in a victim’s clipboard. While scraping data and replacing content is not new, these attackers were specifically after cryptocurrency. The CryptoShuffler Trojan, which attacks clipboards, has been in operation since 2016 and targets a range of digital currencies, including Bitcoin, Dogecoin, Litecoin, Dash, Ethereum, Monero, and Zcash. The same author also released the clipboard-targeting Trojan Evrial. Each Trojan sits on a victim’s computer waiting for strings that resemble a cryptocurrency address and replaces the address with one under the attacker’s control. This technique can be quite profitable—substituting the digital wallet has netted more than $140,000 for CryptoShuffler.

Just because new malware may use old tricks does not mean old malware cannot change its behavior. Banking Trojans also target cryptocurrencies. Two in particular appeared in 2016. The infamous banking Trojan Dridex added wallet-stealing functionality to its usual banking-credential theft. The Trojan Trickbot targeted both financial institutions and cryptocurrencies. Trickbot added coinbase.com, a popular cryptocurrency exchange, as one of its attack vectors. Once a system was infected, the malware injected a fake login page whenever the victim visited the digital currency exchange, which allowed the cybercriminals to steal the victim’s login data, along with a range of digital assets, including Bitcoin, Ethereum, and Litecoin.
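As an added illustration, not part of the quoted report or of the forum post, the following Python sketch shows the defensive counterpart of the clipboard substitution the report describes: a monitor that remembers what the user actually copied and raises an alert when a later clipboard read holds a different string of the same address shape. The address-shape patterns, the event model, the function names and the sample events are all constructed assumptions for this example; the patterns check prefix and length only and are not checksum validators.

```python
import re
from dataclasses import dataclass

# Constructed, shape-only patterns (prefix and length) for the currencies the
# report names. They tell "address-like" text from ordinary text; they do not
# validate checksums, so they are a detection heuristic, not an address parser.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "dogecoin": re.compile(r"^D[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "dash":     re.compile(r"^X[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "monero":   re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
    "zcash":    re.compile(r"^t[13][a-km-zA-HJ-NP-Z1-9]{33}$"),
}


@dataclass
class ClipboardEvent:
    # "user": text the user deliberately placed on the clipboard (a copy action)
    # "poll": what the clipboard holds when the monitor reads it back later
    source: str
    text: str


def classify_address(text):
    """Return the currency whose address shape `text` resembles, or None."""
    s = text.strip()
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return currency
    return None


def detect_swaps(events):
    """Walk a sequence of clipboard events and return one alert per
    address-for-address substitution: the user copied something that looks
    like a coin address, and a later read shows a *different* address-like
    string. Plain-text changes and the first appearance of an address are
    not flagged, which keeps the monitor quiet during normal use."""
    alerts = []
    expected = None  # last string the user copied
    for ev in events:
        if ev.source == "user":
            expected = ev.text.strip()
            continue
        if expected is None:
            continue
        seen = ev.text.strip()
        want = classify_address(expected)
        got = classify_address(seen)
        if want is not None and got is not None and seen != expected:
            alerts.append({"currency": got, "copied": expected, "clipboard": seen})
            expected = seen  # report each substitution once, not on every poll
    return alerts


def safe_to_paste(copied, clipboard):
    """Paste-time guard a wallet front end could apply: True unless the
    clipboard's address-like content no longer matches what was copied."""
    return not detect_swaps([ClipboardEvent("user", copied),
                             ClipboardEvent("poll", clipboard)])


# Constructed sample addresses (valid in shape only) and a constructed event log.
BTC_COPIED = "1" + "A" * 33
BTC_SWAPPED = "1" + "B" * 33
ETH_COPIED = "0x" + "ab12" * 10

SAMPLE_EVENTS = [
    ClipboardEvent("user", BTC_COPIED),
    ClipboardEvent("poll", BTC_COPIED),      # unchanged: fine
    ClipboardEvent("poll", BTC_SWAPPED),     # silently replaced: alert
    ClipboardEvent("user", "meeting notes for Tuesday"),
    ClipboardEvent("poll", "meeting notes for Tuesday"),
    ClipboardEvent("user", ETH_COPIED),
    ClipboardEvent("poll", ETH_COPIED),      # unchanged: fine
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap ({alert['currency']}): "
              f"copied {alert['copied']} but clipboard now holds {alert['clipboard']}")
```

In a real deployment the "user" events would come from the application's own copy handler and the "poll" events from periodic clipboard reads; the comparison logic stays the same. The check deliberately ignores a plain-text copy that later turns into an address, so it only fires on the address-for-address substitution the report describes.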