Cybercriminals are targeting crypto investors with new malware – here’s what you need to know
Hackers and cybercriminals have targeted crypto investors with two new malware threats that scour the internet for unwary investors to steal their money.
According to a recent report by anti-malware software vendor Malwarebytes, two new cybersecurity threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, have been distributed in campaigns aimed at stealing cryptocurrency from victims.
The new phishing attack’s victims are mainly located in the United States, with a smaller percentage of victims in the United Kingdom, Turkey, and the Philippines.
Cisco’s threat intelligence research team, Cisco Talos, said it observed criminals scanning the Internet for potential targets with an exposed Remote Desktop Protocol (RDP) port 3389. RDP is a proprietary protocol that gives a user a graphical interface for connecting to another computer over a network connection.
The research said the campaign begins with a phishing email “and starts a multi-stage attack chain where the actor delivers either malware or ransomware, then deletes evidence of malicious files, covers their tracks and challenges analysis.”
The phishing email carries a malicious ZIP file containing a BAT loader script. When the victim opens it, the script downloads a second malicious ZIP file, inflates (decompresses) it on the victim’s device and runs the payload, which is either the GO variant of the Laplas Clipper malware or the MortalKombat ransomware.
“The loader script will run the dropped payload as a process on the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers,” the report said.
Talos noted that a common attack vector for criminals has been a phishing email posing as CoinPayments, a legitimate global cryptocurrency payment gateway.
To make the emails look even more legitimate, they have a spoofed sender, “noreply[at]Coin payments[.]net”, and the email subject “[CoinPayments[.]net]Timeout for payment.”
In this case, the malicious ZIP file is attached under a filename resembling a transaction ID mentioned in the email body, which lures the victim into extracting the attachment to view its contents; the extracted file is the malicious BAT loader.
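The lure described above combines three observable signals: a sender whose display name impersonates CoinPayments while the actual domain does not match, a ZIP attachment named after a transaction ID quoted in the body, and a Windows script file inside that ZIP. The following Python script is an added example (not code from the article, Malwarebytes or Cisco Talos) showing how a mail-gateway or triage tool could score a message on those signals. The sample message it builds, the transaction ID, the sending domain and the trusted-domain list are all constructed for the example; the ZIP holds a placeholder .bat file, not a real loader.

```python
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed values for the example (hypothetical, not from the report).
TXN_ID = "CPDT9A4F27E1"                    # fake transaction ID used in body and filename
TRUSTED_DOMAINS = {"coinpayments.net"}     # domain the lure impersonates (from the article)
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".scr"}


def build_sample_eml() -> bytes:
    """Build a constructed message modelled on the lure: spoofed sender,
    'Timeout for payment' subject, ZIP named after the transaction ID,
    containing a placeholder .bat file."""
    msg = EmailMessage()
    msg["From"] = "CoinPayments <noreply@coinpayments.example>"   # constructed spoof
    msg["Subject"] = "[CoinPayments.net] Timeout for payment"
    msg.set_content(f"Your transaction {TXN_ID} timed out. Details attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{TXN_ID}.bat", "@echo off\r\nrem placeholder, not a loader\r\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=f"{TXN_ID}.zip")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed ordinary message with no attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["Subject"] = "Lunch"
    msg.set_content("See you at noon, the usual place.")
    return msg.as_bytes()


def analyse_message(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Signal 1: brand name in the display name, but the sending domain is not the brand's.
    display, addr = email.utils.parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if "coinpayments" in display.lower() and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name impersonates CoinPayments but sender domain is {domain!r}")

    # Collect transaction-ID-like tokens from the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    txn_ids = set(re.findall(r"\b[A-Z0-9]{10,}\b", body_text))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem = name.rsplit(".", 1)[0]
        # Signal 2: attachment named after an ID quoted in the body.
        if stem in txn_ids:
            findings.append(f"attachment {name!r} is named after transaction ID in body")
        # Signal 3: ZIP archive that contains a script/executable member.
        if name.lower().endswith(".zip"):
            data = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        ext = "." + member.rsplit(".", 1)[-1].lower() if "." in member else ""
                        if ext in SCRIPT_EXTS:
                            findings.append(f"ZIP {name!r} contains script/executable {member!r}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name!r} claims to be ZIP but is not a valid archive")

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_eml()), ("benign", build_benign_eml())):
        result = analyse_message(raw)
        print(label, result["suspicious"], *result["findings"], sep="\n  ")
```

Each signal on its own would produce false positives (legitimate invoices also name attachments after IDs), so a gateway would weight them together rather than block on any one; the example returns all findings so the caller can apply its own threshold.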
Ransomware threats rise while revenue declines
Ransomware and other cyberattacks continue to increase. However, victims have become increasingly unwilling to pay attackers’ demands, according to a recent report from Chainalysis, which revealed that ransomware revenue for attackers fell by 40% last year.
It is worth noting that North Korean hacker groups account for a large part of illegal cyber activities. Recently, South Korean and US intelligence agencies warned that Pyongyang-based hackers are trying to target “major international institutions” with ransomware attacks.
In December 2022, Kaspersky also revealed that BlueNoroff, a subset of the North Korean state-backed hacking group Lazarus, is posing as venture capitalists looking to invest in crypto startups in a new phishing method.