Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.
The attack typically begins with a phishing email with the subject line ‘Wallet Backup.’ The attackers have apparently targeted by people they know use Bitcoin by scraping popular BTC sites for email addresses, LogRhythm’s Greg Foss explained in a blog post.
A link in the email redirects to a site and downloads the file ‘Backup.zip.’ Analyzing the metrics around the malicious link show that roughly 2,000 users have clicked on the link since the malware campaign was launched Jan. 6.
“A majority of the clicks were through unknown sources, most likely e-mail, though other sources such as Reddit were also used to propagate the attack,” Foss blogged. “After extracting the contents and running the files through some quick analysis, it is apparent that each file plays a significant role in the overall attack. They anticipate that the user will open Passwords.txt.lnk first, and then view wallet.dat, as only these two files are visible unless ‘show hidden files’ is turned on in Windows. Running strings on Password.txt appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts.”
Bitcoins are hardly a new target for hackers. In October, attackers stole $1 million in bitcoins from Inputs.io. More recently, the malware attack that hit Yahoo users in Europe earlier this month was designed to create a large network of machines for bitcoin mining.
In the attack discovered by LogRhythm, the malware appears to lay dormant on the machine until the victim opens their bitcoin wallet using the BitcoinQT software.
“This is the obvious intended target, as the malware is hard-coded for windows hosts and the screenshot included in the .zip file suggests the use of BitcoinQT by showing a screenshot of the included wallet.dat file which happens to contain a very tempting ~30 BTC,” Foss blogged.
“Once BitcoinQT.exe is opened, the software appears to connect back to the attacker’s network, however it is difficult to tell immediately which IP addresses are related to the malware, though this is only one potential avenue,” he added.
Brian Prince is a Contributing Writer for SecurityWeek.Previous Columns by Brian Prince:Researchers Uncover Ongoing Bitcoin Theft CampaignSymantec Reports Uptick in PHP Inclusion AttacksPrisonLocker Ransomware an Evolution From CryptoLocker Yahoo Attack Spotlights Challenges of Malvertising 5 of the Top Security Breaches of 2013
Tags: NEWS INDUSTRY