
Cryptocurrency-Stealing 'Cryware' Malware Attacks Surge

Updated Information-Stealing Malware Designed to Siphon Bitcoin, Monero and More
Advertisement for Raccoon malware, an infostealer designed to steal cryptocurrency (Source: Sophos)

Criminals are doubling down on their use of information-stealing malware to target cryptocurrency being stored in internet-connected hot wallets.


Call it "cryware," say researchers at Microsoft, who have published a new report on the trend, which further highlights just how much criminals love cryptocurrency. Indeed, in 2021, they stole about $3.2 billion worth of cryptocurrency, which was a 516% increase compared to 2020, reports blockchain analytics firm Chainalysis.

Source: Chainalysis

Conceptually, targeting the files that store cryptocurrency credentials is an obvious play for criminals. Hot wallets are internet-connected pieces of software - sometimes stand-alone applications, sometimes browser extensions known as web wallets - that hold the private keys or seed phrases needed to spend whatever cryptocurrency is stored in them. By stealing that data, crooks can immediately transfer the funds to a wallet they control (see: Cryptocurrency Wallets Targeted by Alien Malware Variant).

Because cryptocurrency transactions are irreversible by design, the victim has no ability to claw the funds back, beyond filing a police report and hoping for the best.

Victims who opt to store such information elsewhere on their PC - for example, in a text file - are also at risk. The Microsoft researchers say in their report that attackers will typically search an entire PC for such information, regardless of where it's being stored.

"To find hot wallet data such as private keys, seed phrases, and wallet addresses, attackers could use regular expressions - regexes - given how these typically follow a pattern of words or characters," they write. "These patterns are then implemented in cryware, thus automating the process."

To further increase the chance of success, some cryware also analyzes system memory for cryptocurrency data that's being handled in unencrypted form - for example, if a hot wallet is displaying private keys in plaintext when a user is conducting a transaction. "This critical information might remain in the memory of a browser process performing these actions, thus compromising the wallet's integrity," the researchers say. "Such a scenario also allows an attacker to dump the browser process and obtain the private key."

A hot wallet private key visible inside the browser process memory (Source: Microsoft)

Keyloggers provide criminals with another tactic for stealing private keys to cryptocurrency wallets. "Even users who store their private keys on pieces of paper are vulnerable to keyloggers," the Microsoft researchers say. "Copying and pasting sensitive data also don't solve this problem, as some keyloggers also include screen-capturing capabilities."

Indeed, another common tactic is watching cut-and-paste operations, to steal anything that looks as if it might be tied to cryptocurrency. But some attacks are even more pernicious. For example, some "clipping" malware watches to see if a cryptocurrency address gets copied to the clipboard. "Clippers typically use this functionality to detect when a user has copied a cryptocurrency address to which they intend to send funds - the clipper malware effectively hijacks the transaction by then substituting an address controlled by the hacker for the one copied by the user, thereby tricking the user into sending cryptocurrency to the hacker," Chainalysis reports in its 2022 Crypto Crime Report.

Source: Chainalysis
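As an added illustration of the two techniques described above - the regex-driven hunt for wallet artifacts on disk that the Microsoft researchers describe, and the address swap that Chainalysis attributes to clippers - the following Python is example code written for this article; it is not code from either report or from any of the malware families named. It covers Bitcoin legacy (Base58Check) addresses and WIF private keys, Ethereum addresses (format only; the EIP-55 mixed-case checksum is not verified) and a seed-phrase heuristic. The sample notes file, the private key (the documented example key from the Bitcoin wiki's WIF article, which controls no funds) and the "attacker" address built from a dummy hash are all constructed. The checksum step is what separates a real address or key from a regex false positive, and the same scanner run over your own drives shows what a cryware infection would find.

```python
"""Example, written for this article: the regex-plus-checksum scan cryware uses to
find hot-wallet artifacts in files, and the address swap a clipper performs on
the clipboard. Not code from Microsoft, Chainalysis or any named malware."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # each leading '1' is 0x00


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_encode(payload: bytes) -> str:
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)


def b58check_decode(s: str):
    """Return the payload if the 4-byte double-SHA256 checksum verifies, else None."""
    raw = b58decode(s)
    if len(raw) < 5:
        return None
    payload, chk = raw[:-4], raw[-4:]
    ok = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == chk
    return payload if ok else None


# Loose regexes of the kind the Microsoft report describes. On their own they
# over-match; the checksum/version checks below drop the false positives.
PATTERNS = {
    "btc_address": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc_wif_key": re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b"),
    "eth_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_wallet_artifacts(text: str) -> list:
    """Return (kind, value) pairs for every validated artifact found in text."""
    found = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            tok = m.group(0)
            if kind == "btc_address":
                p = b58check_decode(tok)
                if p is None or len(p) != 21 or p[0] not in (0x00, 0x05):
                    continue  # bad checksum, or not a P2PKH/P2SH version byte
            elif kind == "btc_wif_key":
                p = b58check_decode(tok)
                if p is None or p[0] != 0x80 or len(p) not in (33, 34):
                    continue  # 33 = uncompressed key, 34 = compressed (trailing 0x01)
            found.append((kind, tok))
    # Seed-phrase heuristic: a line of exactly 12 or 24 short lowercase words.
    # Real cryware would also check each word against the 2048-word BIP39 list.
    for line in text.splitlines():
        words = line.strip().split()
        if len(words) in (12, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words):
            found.append(("seed_phrase", " ".join(words)))
    return found


def clipper_substitute(clipboard: str, attacker_address: str) -> str:
    """What a clipper does on each clipboard change: if the copied text is a
    checksum-valid Bitcoin address, hand back the attacker's address instead."""
    m = PATTERNS["btc_address"].fullmatch(clipboard.strip())
    if m and b58check_decode(m.group(0)) is not None:
        return attacker_address
    return clipboard


# Constructed sample "notes file". The WIF is encoded here from the example
# private key in the Bitcoin wiki's WIF article (controls no funds); the
# receive address is the genesis-block address; ATTACKER is a checksum-valid
# address built from a dummy hash160, standing in for a clipper operator's wallet.
EXAMPLE_KEY = bytes.fromhex("0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d")
WIF = b58check_encode(b"\x80" + EXAMPLE_KEY)
ATTACKER = b58check_encode(b"\x00" + b"\x42" * 20)
SAMPLE = f"""notes.txt (constructed sample)
receive: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
mistyped: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
backup key: {WIF}
eth: 0x1234567890abcdef1234567890abcdef12345678
abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about
"""

if __name__ == "__main__":
    for kind, val in find_wallet_artifacts(SAMPLE):
        print(f"{kind:12} {val}")
    copied = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    print("user copied:   ", copied)
    print("clipper pasted:", clipper_substitute(copied, ATTACKER))
```

The mistyped address in the sample is one character off the real one and is rejected by the checksum, which is exactly why cryware bothers to validate: a regex hit alone is not worth exfiltrating. The clipper half shows why the "copy the address, paste it into the send form" habit is dangerous: the text that lands in the form is whatever the clipboard holds at paste time, so the whole address, not only its first and last few characters, has to be compared against the one intended.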

Infostealer Procurement

Information-stealing malware is widely available, including strains such as Cryptobot, RedLine, Mars and QuilClipper.

Some users of information-stealing malware pay a flat fee to license it and can do whatever they like.

"Infostealers are an inexpensive entry ramp into criminal activity," security firm Sophos reports. "An entry-level, seven-day subscription to Raccoon Stealer, for example, only costs $75," and includes a built-in clipper.

Some infostealers get procured as a service, which can come with terms and conditions that give the malware-as-a-service provider the right of first refusal on any data that gets stolen. In some cases, the agreement stipulates that the malware-as-a-service provider alone receives any and all stolen information that pertains to anything involving cryptocurrency.

Microsoft Defender for Endpoint cryware detections in 2021 (Source: Microsoft)

Various infostealers also get regularly cracked and posted online.

According to chatter tracked by threat intelligence firm Kela, users of a cybercrime forum earlier this month reported that Mars Stealer appeared to no longer be getting updates. "Go buy redline stealer, it's your best options," a forum user responded. "If you want PM me for his telegram for buying."

The interruption in Mars Stealer updates might be tied to a cracked version of Mars Stealer version 8 - including a "builder" for generating new strains of the malware plus a "panel" for managing infections - getting distributed for free to multiple cybercrime forums, according to discussions tracked by Kela.

Text of listing for a cracked version of Mars Stealer on a cybercrime forum in early May (Source: Kela)

Multiple Strategies for Stealing Cryptocurrency

Of course, information-stealing malware is but one tool in criminals' cryptocurrency-stealing arsenal. Other approaches and targets include:

  • Cryptocurrency exchanges: Hackers continue to target cryptocurrency exchanges, using known flaws as well as zero-day attacks to drain funds. Experts say North Korean hackers remain responsible for a significant number of such attacks.
  • Cryptomining malware: Also known as cryptojackers, such malware uses a host system to mine for cryptocurrency. This involves solving complex computations in return for the chance to receive cryptocurrency as a reward. Accordingly, the only victim, per se, is the individual or organization that experiences system slowdowns and has to pay the power bill (see: LemonDuck Malware Evolves Into Major Cryptomining Botnet).
  • Decentralized finance: The DeFi industry continues to experience massive losses, with an estimated $1.6 billion being stolen from users via such platforms in the first quarter of this year alone, CoinTelegraph reports. Experts say poor security controls in place at many DeFi platforms continue to pose a risk (see: DeFi Platform Deus Suffers Second Exploit in 2 Months).
  • Digital skimming: Security firm Group-IB last year reported seeing Magecart-style attacks that inserted malicious code into legitimate websites not just to siphon off payment card data, as would be typical, but also to steal cryptocurrency. But it said these efforts, which appeared to trace to North Korea's Lazarus Group nation-state hacking team, seemed experimental and appeared to not have been widely rolled out.
  • Social engineering: Attackers regularly employ phishing emails and scams to try to trick users into divulging credentials for their accounts at cryptocurrency exchanges, revealing sensitive information, or investing in scams. The U.S. Federal Trade Commission says that in 2021, nearly 7,000 U.S. investors reported falling for such scams, leading to a median loss of $1,900.
  • Web injection: Many strains of malware have long had the ability to spoof legitimate banking sites, so users think they're interacting with their bank when, in reality, attackers are secretly siphoning funds in the background. These injection capabilities have been expanded to spoof cryptocurrency exchanges - for example, via TrickBot malware.

Multiple Defenses

What can cryptocurrency users do to protect themselves?

Aside from the risk posed by volatility in the value of cryptocurrency, another is that even a single security misstep can leave users out of pocket. The ease with which cryptocurrency can be targeted and the massive potential payoff from a successful attack continue to draw new criminals into the fray. This is one reason why incident response experts recommend that organizations never stockpile cryptocurrency in the event they suffer a ransomware infection.

For anyone who does use or hold cryptocurrency, employing antivirus software to scan for information-stealing malware, locking hot wallets when not in use - to prevent them from being surreptitiously emptied - and practicing excellent password-handling hygiene remain essential, the Microsoft researchers say.

Likewise, experts recommend whenever possible using cold wallets, which store information offline, meaning information-stealing malware can't touch it. The Microsoft researchers also recommend storing private keys using nondigital means, such as writing them down on paper and storing them somewhere safe. But as detailed above, even this approach isn't foolproof, once it comes time to enter this information into a web browser or smartphone app.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
