{"id":9884,"date":"2022-06-15T22:47:00","date_gmt":"2022-06-15T19:47:00","guid":{"rendered":"https:\/\/alfacash.blog\/?p=9884"},"modified":"2024-02-19T21:50:39","modified_gmt":"2024-02-19T18:50:39","slug":"crypto-stealing-malware-avoid-2022","status":"publish","type":"post","link":"https:\/\/alfacash.blog\/cs\/2022\/06\/15\/crypto-stealing-malware-avoid-2022\/","title":{"rendered":"+5 Crypto-stealing malware to avoid in 2022"},"content":{"rendered":"

Even in a bearish market, hackers and scammers worldwide are looking for unaware victims. They\u2019re using old and new technics to empty crypto wallets right now, or more than this, to steal energy and mine new coins. Therefore, it\u2019s very important to know, at least, the most popular crypto-stealing malware.<\/p>\n\n\n\n

There are simple ways to take care of your private keys and funds<\/strong>. The bad signals are also tale-telling at some point. However, it\u2019s also easy to ignore them \u2014or not know them in the first place. So, let\u2019s go to explore some common infections in 2022, and how to avoid them.<\/p>\n\n\n\n

Glupteba and other cryptojackers<\/strong><\/h2>\n\n\n\n

This kind of crypto malware isn\u2019t exactly for stealing cryptocurrencies. Instead, once installed on the computer or running from a malicious Internet window, it starts to steal energy and hardware resources. The purpose is to mine new coins (usually Monero) and send them directly to the hacker(s). This way, the operators don\u2019t spend a cent on energy or computers but keep the tokens anyway.<\/p>\n\n\n\n

Besides, probably the major problem with cryptojackers<\/a> is that they\u2019re very stealthy. The malicious software tries to take as less resources as possible (to go unnoticed) from as many machines as they can.<\/strong> So, cryptojackers are commonly mixed with \u201cbotnets\u201d: networks of bots designed to control a massive number of devices at the same time.<\/p>\n\n\n\n

\"Crypto-malware-botnet-cryptojackers\"<\/figure><\/div>\n\n\n\n

The dubbed \u201cGlupteba\u201d is one of those cryptojackers-botnets. As described by \u0158et\u011bzov\u00e1 anal\u00fdza<\/a>, it successfully infected over one million machines only in 2021. After silently kidnapping these devices, the hackers used them to mine Monero<\/a>. Meanwhile, the victims barely experienced some lagged machines \u2014their hardware, software, and energy being dried out.<\/p>\n\n\n\n

Cloud and data companies, GPU farms, and maybe even some t\u011b\u017ea\u0159i kryptom\u011bn<\/a> are the favorite targets<\/strong> for cryptojackers since they have more power to offer. But this doesn\u2019t mean that any computer can\u2019t be kidnapped too. For the hackers, the more infected devices, the better.<\/p>\n\n\n\n

RedLine and info stealers<\/strong><\/h2>\n\n\n\n

The so-called info stealers can take much more than just cryptocurrency. They\u2019re designed to find (and steal) saved credentials, files, history, cookies, banking data, and crypto-wallets<\/a> inside the infected device. And they can do many more, if not controlled.<\/p>\n\n\n\n

\"crypto-stealing-malware-Windows\"<\/figure><\/div>\n\n\n\n

RedLine is a well-known info stealer, available for anyone. Not for anyone to be infected with (also that, though), but for anyone to buy from the Darknet. It\u2019s even cheap: $150 for monthly access<\/strong> and $800 for lifetime access. And it includes a whole deal with additional (and malicious) tools. Like Chainalysis discovered:<\/p>\n\n\n\n

\u201cBuyers also get access to Spectrum Crypt Service, a Telegram-based tool that allows cybercriminals to encrypt Redline so that it\u2019s more difficult for victims\u2019 antivirus software to detect it once it\u2019s been downloaded. The proliferation of cheap access to malware families like Redline means that even relatively low-skilled cybercriminals can use them to steal cryptocurrency.\u201d<\/p><\/blockquote>\n\n\n\n

Moreover, podle<\/a> the Center for Internet Security (CIS), RedLine can also have remote functionalities and allow the installation of more types of malicious software.  <\/p>\n\n\n\n

(Fake) DeFi wallets<\/strong><\/h2>\n\n\n\n

Decentralized Finance (DeFi<\/a>) platforms are quite popular these days, and hackers know this. The ones that aren\u2019t very busy stealing directly from DeFi protocols are dedicated to spreading fake DeFi wallets. Through social media or email, they promote these fraudulent apps and wait for victims.<\/strong><\/p>\n\n\n\n

Once inside a device, the crypto malware actually installs a functional DeFi wallet, along with a Trojanized one. The malicious app replaces the legit one, and the Trojan starts to work silently. It\u2019s a backdoor designed to steal information and even control the device at a certain level. Kaspersky Lab<\/a> identified the criminal North Korean group Lazarus as responsible for this campaign.<\/p>\n\n\n\n

\"Fake
Fake DeFi wallet. Source Kaspersky Lab<\/figcaption><\/figure><\/div>\n\n\n\n

Previously, the firm also identified the group BlueNoroff<\/a> as responsible for several attacks on cryptocurrency companies and users. Like the malicious app by Lazarus, the backdoor spread by this group checks the transaction history of the victim \u2014if they\u2019re crypto users. Then, even if the victim used a hardware wallet, the hackers just waited for a new transaction to happen in connection with MetaMask<\/a> (widely used for Web3).<\/p>\n\n\n\n

At that moment, the malware would change the original parameters of MetaMask in Google Chrome. They\u2019d change the original destination address and amount to empty the wallet.<\/strong><\/p>\n\n\n\n

\u201cWhen the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, given that the action was initiated by the user at the very right moment, the user doesn\u2019t suspect anything fishy is going on and confirms the transaction on the secure device without paying attention to the transaction details (\u2026) the attackers modify not only the recipient address, but also push the amount of currency to the limit, essentially draining the account in one move.\u201d<\/p><\/blockquote>\n\n\n\n

CryptoWall and more<\/strong><\/h2>\n\n\n\n

The ransomware already pushed the United States and Costa Rica into a national emergency<\/a>. This is a kind of malware that, once installed on the device or network, encrypts all personal files (documents, images, audio, video\u2026) or the entire hard drive<\/strong> and asks for a ransom, often in cryptocurrency, to return them.<\/p>\n\n\n\n

This crypto malware is especially dangerous for companies with commercial secrets, and for organizations like governmental agencies (full of private data from citizens) and hospitals (whose vital machines stop working). That\u2019s why the hackers use to ask for millionaire ransoms as soon as possible.<\/p>\n\n\n\n

\"Crypto-malware-ransomware-CryptoWall\"
CryptoWall ransomware capture. Source: Heimdall Security<\/figcaption><\/figure><\/div>\n\n\n\n

The variant dubbed \u201cCryptoWall\u201d has been around since 2015, but it\u2019s shown changes over the years. The last version<\/a>, 4.0, improved its communication capabilities, also encrypted the name of the files, and included localized messages for the victims \u2014they were delivered in English, French, or German according to the country.<\/p>\n\n\n\n

CryptoWall arrives in their infected devices via email.<\/strong> Most ransomware is affecting companies and other big players lately, but they never stopped the infection of personal computers worldwide, either.<\/p>\n\n\n\n

HackBoss and peers<\/strong><\/h2>\n\n\n\n

Sadly, clippers aren\u2019t a widely known crypto malware. They hijack the clipboard in the user\u2019s device and detect when a crypto wallet address<\/a> is copied by the owner. Then, this one is replaced for the hacker wallet address. So, if the user doesn\u2019t pay attention, they may end up sending the funds to the wrong destination.<\/p>\n\n\n\n

As explained by Chainalysis, \u201cHackBoss\u201d has been the more prolific clipper since 2012. The culprits have succeeded in stealing over $560,000 in Bitcoin (BTC<\/strong>), Ethereum (ETH), XRP,<\/strong> and other assets.<\/p>\n\n\n\n

\"Crypto-malware-clippers-chainalysis\"
Clippers by revenue. Source: Chainalysis<\/figcaption><\/figure><\/div>\n\n\n\n

Clippers may not be like the billionaire ransomware industry, but they\u2019re probably more dangerous to common people. They don\u2019t offer any red flag to identify the infection upon arrival, and it\u2019s very common to copy and paste the long crypto addresses for transactions. That mix could lead to high losses if the victim doesn\u2019t pay any attention.  <\/p>\n\n\n\n

Vyhn\u011bte se malwaru, kter\u00fd krade kryptom\u011bny<\/strong><\/h2>\n\n\n\n

Over $14 billion in cryptocurrencies were stolen in 2021<\/strong>, podle<\/a> Chainalysis. That\u2019s almost an 80% increase in illicit activity, compared to 2020. No wonder, considering that the crypto adoption also increased exponentially. Nevertheless, \u201ctransactions involving illicit addresses represented just 0.15% of cryptocurrency transaction volume in 2021\u201d, as they explained.<\/p>\n\n\n\n

\"probl\u00e9my-krypto-platby-volatilita\"<\/figure><\/div>\n\n\n\n

We can conclude that most crypto activity is legit, but with more adoption comes more crimes as well. Then, it\u2019s important to remember some basic security measures<\/a>.<\/p>\n\n\n\n