The malware monitors the clipboard and replaces cryptocurrency wallet addresses copied to it. It mainly targets banking institutions and companies in the cryptocurrency ecosystem in Brazil and Mexico.
ESET, the Slovak developer of antivirus software, announced on October 3rd that it had discovered new malware that steals cryptocurrencies and has spread particularly across Latin America.
According to ESET, the new malware belongs to the Casbaneiro family and its main objective is to steal cryptocurrency by targeting wallet data. To do this, it monitors the contents of the clipboard and, when it finds a wallet address, replaces it with an address belonging to the attackers' own wallet.
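To make the clipboard-hijacking behaviour concrete from a defender's side, the following is an added example (not code from ESET's report or from this article): it replays a constructed sequence of clipboard events through a simple detector that raises an alert when a copied wallet address silently changes into a different, valid-looking address without any new user copy action. The wallet addresses and the event sequence are constructed placeholders, and the clipboard is simulated rather than read from the operating system.

```python
import re

# Loose format checks for common address types: Bitcoin legacy/P2SH (Base58),
# Bitcoin bech32 (bc1...) and Ethereum (0x + 40 hex digits).
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def looks_like_wallet_address(text):
    """True if the text has the shape of a cryptocurrency address."""
    return bool(BTC_RE.match(text) or ETH_RE.match(text))


class ClipperDetector:
    """Tracks what the user last copied and flags a clipboard change that
    swaps a copied wallet address for a different wallet address."""

    def __init__(self):
        self.last_user_copy = None  # text the user deliberately copied
        self.alerts = []            # (original, replacement) pairs

    def on_user_copy(self, text):
        # A genuine copy action: this is the value the user intends to paste.
        self.last_user_copy = text

    def on_clipboard_changed(self, new_text):
        # Suspicious only when: the user copied an address, the clipboard now
        # holds something else, and that something else is also an address.
        if (self.last_user_copy is not None
                and looks_like_wallet_address(self.last_user_copy)
                and new_text != self.last_user_copy
                and looks_like_wallet_address(new_text)):
            self.alerts.append((self.last_user_copy, new_text))
            return True
        return False


def replay(events):
    """Feed ("copy"|"change", text) events to a detector; return its alerts."""
    detector = ClipperDetector()
    for kind, text in events:
        if kind == "copy":
            detector.on_user_copy(text)
        else:
            detector.on_clipboard_changed(text)
    return detector.alerts


# Constructed sample: placeholder addresses, not real wallets.
VICTIM_ADDR = "1VictimAddrAAAAAAAAAAAAAAAAAAAAAAA"
ATTACKER_ADDR = "1AttackerAddrBBBBBBBBBBBBBBBBBBBBB"
SAMPLE_EVENTS = [
    ("copy", "meeting at 10"), ("change", "meeting at 10"),  # ordinary text
    ("copy", VICTIM_ADDR), ("change", VICTIM_ADDR),          # user copies address
    ("change", ATTACKER_ADDR),                               # silent swap -> alert
]
```

In a real deployment the `change` events would come from the operating system's clipboard-change notification; the detection logic itself stays the same.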
The report shows one of the scammers’ wallets, which received around 1.2 bitcoins, equivalent to USD 9,812 at the current price. The number of transactions registered in that wallet is 70.
At the same time, the company reports that Casbaneiro is similar to the previously identified Amavaldo family of banking Trojans. For now, the malware primarily targets banking institutions and cryptocurrency companies in Brazil and Mexico. However, ESET does not rule out its possible extension to other countries in Latin America and the rest of the world.
The researchers found that the new Trojan uses the same tactics as Amavaldo, namely fake pop-up windows and forms designed to deceive victims. These attacks generally focus on persuading users to take urgent or necessary action, such as installing a software update or verifying credit card or bank account information.
Once the victim's device has been compromised, Casbaneiro uses backdoor commands to take screenshots, restrict access to various banking sites and log keystrokes.
One of the aspects highlighted in the report is that Casbaneiro can hide the domain and port of its C&C server in several locations, such as fake DNS records, electronic documents stored in Google Docs, or fake websites that supposedly belong to legitimate organizations. On some occasions, the C&C server domains have been encrypted and hidden in legitimate sites, notably in the descriptions of several YouTube videos, especially those about cooking and soccer.
ESET experts recommend, as a precautionary measure, following basic security rules when entering personal data to make online payments, as well as using a reliable security solution to protect devices.
At Risk of Cryptocurrency Theft
New threats often arise in the world of cryptocurrencies, which are coveted by black hat hackers who specialize in creating new methods to steal and profit at the expense of organizations or users.
On September 26th, Juniper Threat Labs, a cyber threat intelligence portal, disclosed the discovery of spyware that uses Telegram as the communication channel with its command and control center. Among other things, the malware is able to automatically replace cryptocurrency wallet addresses copied to the clipboard.
In mid-September, a team of cybersecurity researchers discovered a new variety of cryptocurrency mining malware, which not only illegally extracts cryptocurrencies but also provides attackers with universal access to the infected system through a “secret master password.”
In fact, a report from McAfee Labs revealed that cryptojacking is growing rapidly. According to the study, cryptocurrency mining malware campaigns rose 29% from the fourth quarter of 2018 to the first quarter of 2019.
On the other hand, a BBC report published in August highlighted a cryptojacking Monero virus that successfully hacked 850,000 servers, mainly in Latin America.
By Willmen Blanco