Scammers Hack Monero's Official Website and Infect It With Malware

Scammers have succeeded in hacking Monero’s official website and infecting its wallet with malware capable of stealing users’ cryptocurrencies once the wallet is downloaded and installed.

The attack was noticed when a user reported a mismatch between the hash of the downloaded wallet and the hash listed on the page. At first, users thought it was a simple error, but they soon discovered it was a deliberate attack designed to infect the software wallet with malware.

According to the report, this led Monero’s developers to check GitHub about the mismatching hashes coming from the website. They then discovered a deliberate, malicious attack in which the binaries of the CLI wallet had been compromised, allowing a malicious version to be served in their place.

Monero’s officials noted that they fixed the problem immediately, meaning the attacked files were online only for a short time and were removed almost as soon as the issue was reported. They stated that the binaries are now served from another safe and secure source.

They then recommended that all users who downloaded the wallet from the website between Nov. 18, 2:30 AM UTC and 4:30 PM UTC check the hashes of their binaries to confirm that they correspond with the official ones.

If the hashes don’t match the official ones, users were encouraged to delete the files and download them again. The officials strongly warned users never to run the compromised binaries under any circumstances.

To verify the authenticity of their binaries, advanced users were directed to command-line checks on Linux, Mac, or Windows, while beginners were directed to a Windows procedure. Either method reveals whether the downloaded files differ from the official ones.
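The hash check described above, as an added example that is not code from the Monero project or from the original article: a Python checker that streams each downloaded file through SHA-256 and compares the digest against a published hash list in the `sha256sum`-style `<hex>  <name>` format (an assumption; the file names and contents below are constructed, and one file is deliberately tampered with to show a mismatch).

```python
"""Verify downloaded release binaries against a publisher's hash list.

Added example, not Monero project code. Assumes the hash list uses the
``<sha256 hex>  <filename>`` line format produced by ``sha256sum``; the
sample files and their contents are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text):
    """Parse '<hex>  <name>' lines into {name: hex}; blank lines and '#' comments are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hash line: {line!r}")
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'; strip it from the name.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(directory, hash_list_text):
    """Return {filename: status} with status 'ok', 'MISMATCH' or 'missing'.

    'MISMATCH' means the bytes on disk are not the bytes the publisher hashed;
    such a file must not be run, however it was obtained.
    """
    results = {}
    for name, digest in parse_hash_list(hash_list_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha256_of_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: the publisher hashes clean files, then one download is tampered."""
    with tempfile.TemporaryDirectory() as d:
        clean = {"wallet-cli.bin": b"clean wallet cli bytes\n",
                 "wallet-rpc.bin": b"clean wallet rpc bytes\n"}
        for name, data in clean.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The official hash list is derived from the clean files (constructed here).
        hash_list = "\n".join(f"{sha256_of_file(os.path.join(d, n))}  {n}" for n in clean)
        hash_list += "\n" + "0" * 64 + "  daemon.bin\n"  # listed, but never downloaded
        # Simulate the website serving a tampered wallet-cli to the user.
        with open(os.path.join(d, "wallet-cli.bin"), "wb") as f:
            f.write(clean["wallet-cli.bin"] + b"<injected>")
        return verify_downloads(d, hash_list)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```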


North Korean macOS Malware Detected on Crypto Platform

Security researchers have encountered a new cryptocurrency-focused macOS malware, believed to be the work of a North Korean group of hackers known as Lazarus.

As reported by Bleeping Computer on Dec. 4, the malware is capable of retrieving payloads from remote locations and running them in memory, which is very uncommon for macOS. This feature makes the malware hard to detect and makes forensic analysis extremely difficult. Analyzing the sample on the malware and virus detection site VirusTotal, the researchers reported that initially only 4 antivirus engines flagged it as malicious; this number had improved only slightly, to 5, at the time of publication.

Lazarus Strikes Again

Researcher Dinesh Devadoss first encountered the malicious software on a website called unioncrypto.vip that advertised a trading platform for “smart cryptocurrency arbitrage”. The suspicious website did not display any download links, but hosted a malware package under the name “UnionCryptoTrader.”

Security researcher and macOS hacker Patrick Wardle analyzed the malware found by Devadoss and determined that “there are some clear overlaps” with another malware implant that has also been attributed to Lazarus and found by Malware Hunter Team less than two months ago. At the time, the researchers detected that Lazarus had created another malware targeting Apple Macs that masquerades behind a fake cryptocurrency firm.

North Korean Headlines

North Korea has been making headlines in the blockchain and crypto news recently, as Ethereum research scientist Virgil Griffith was arrested in Los Angeles last week and charged with allegedly aiding in the circumvention of U.S. sanctions placed on North Korea. Griffith gave a presentation in North Korea on blockchain and cryptocurrency, although his supporters have argued that all the information discussed is open information that anyone can access. Griffith was released from jail on bond and is awaiting trial. The Ethereum community has expressed its strong support for Griffith, and its co-founder, Vitalik Buterin, has publicly declared that he will do everything possible to clear Griffith’s name and has been sharing a petition to free the blockchain developer.


Binance, CoinMarketCap, BitPay, Coinbase, Paxful Among Android Apps Earmarked by Latest EventBot Malware

Cybereason, a US-based cybersecurity company, has detected an Android malware dubbed EventBot that has been targeting money transfer and banking apps. Coinbase, Bitpay, CoinMarketCap, Binance, Mycelium Wallet, Bitcoin.com, Paxful, and CoinGecko are among the Android cryptocurrency wallets and applications whose users might be at risk, as these apps are among the malware's targets.

EventBot sets eyes on crypto companies

Cybereason has noted that EventBot is capable of harvesting crucial information, as well as intercepting the SMS messages sent to a victim’s phone for two-factor authentication (2FA). Although still in development, this malware is distinctive because most of its code was written from scratch.

The research indicates that EventBot is targeting some of the largest crypto players, including exchanges and wallets, selected according to the liquidity involved.

EventBot was first brought to light in March, and investigations show that it is still actively developed: new versions with added capabilities and improvements are released every few days.

The report by Cybereason also shows that the malware disguises itself as a legitimate application, although it is not distributed through the Google Play Store.

Once installed by an unsuspecting user, EventBot abuses the accessibility feature of the Android system to access sensitive user information, system data, and information stored in other apps.

Keeping a watchful eye

Cybereason has asked all the relevant players to be cautious so that they do not become victims of EventBot’s invasive tendencies. 

According to the report, “The Cybereason Nocturnus team has concluded that EventBot is able to target almost 300 different banking and finance applications, the majority of which are European bank and crypto-currency exchange applications.”

With EventBot having earmarked various Android cryptocurrency apps and wallets, their security might be compromised; users of these apps should therefore remain vigilant.

As reported by Blockchain.News on April 2, a malware botnet was involved in hijacking Microsoft SQL Server (MS-SQL) instances across the globe and manipulating them to mine cryptocurrencies such as Monero and Vollar.


Ledger and Trezor Dismiss Rumor That Hackers Have Stolen Data from Popular Crypto Wallet Providers

Cybersecurity company “Under The Breach” has revealed that customers who bought products via Shopify from companies such as KeepKey, Trezor, Bnktothefuture, and Ledger may have had their data leaked.

The cybersecurity company tweeted screenshots from a hacker trying to sell stolen data from KeepKey, Ledger, Trezor, and Bnktothefuture users.

The ‘Rumored’ Hack

The cybersecurity company further mentioned that the data was stolen after the hacker exploited weaknesses in the e-commerce platform Shopify. The cybersecurity company posted screenshots in which the hacker advertised large databases with information on an alleged 80,000 customers, including each customer’s name, email address, residential address, phone number, and other pieces of data.

The hacker is claimed to be the same individual who hacked the forum Ethereum.org in 2016. The hacker now claims to have the databases of Ledger, Trezor, and KeepKey users, along with other important information, and also claims to have hacked the Bnktothefuture SQL database and stolen identity information from the investment platform. The databases are up for sale, but the claims may turn out to be false and a publicity stunt.

A communications manager at Shopify said: “We investigated these claims and found no evidence to substantiate them, and no evidence of any compromise of Shopify’s system.”

Two of the four firms have taken the allegations seriously. 

Ledger made a follow-up on the matter, terming it a rumor. The hardware wallet provider claims that so far, the allegedly hacked database does not match its real database. Ledger said that it is likely that the hacker is lying outright. The company confirmed that it will continue its investigation of the issue.

Trezor tweeted its confirmation that there are rumors going around that its e-shop database has been attacked through a Shopify exploit. The company clarified that its e-shop doesn’t use Shopify, thus making a Shopify-related hack impossible. The firm said: “We are nonetheless investigating the situation. We’ve been also routinely purging old customer records from the database to minimize the possible impact.”

The hacker has made several dubious claims and is reported to have databases for almost 20 crypto exchanges globally. Nobody can confirm whether or not the hacker truly has these databases. So far the claims appear to be hearsay.

US Law Firms Had Data Stolen and Encrypted by Hackers Demanding Crypto Ransoms

Various big companies appear to have been victims of recent cyberattacks, which have led to the theft of massive amounts of private customer information. Hackers recently breached five US law firms and encrypted their data, demanding that each firm pay 100 Bitcoins (about $918,500 at the time of this report) to restore access. The hacker group, identified as “Maze,” has also threatened to sell some of the stolen data if the firms refuse to pay the ransom. The hackers have developed the habit of publishing small parts of the stolen data and releasing increasingly sensitive portions until the victimized firms pay. Hackers demanding ransoms in Bitcoin have a negative impact on the public image of cryptocurrencies, leading people to believe that such coins are meant only for criminals. Last year was marked not only by multiple ransom demands in cryptocurrency but also by major cryptocurrency scams.


Ransomware Gang Evil Corp Group Strikes Again with New Ransomware WastedLocker

A ransomware gang called Evil Corp Group is back in action after an undetermined period of inactivity. The group has struck again by developing a new ransomware dubbed WastedLocker.

Who is behind Evil Corp?

Evil Corp Group is a Russia-based cybercriminal group led by Maksim Yakubets. The group rose to prominence in 2007 and became infamous for targeting big US firms.

They demand million-dollar ransom payments and are reputed to have stolen at least $100 million from banks and financial institutions in at least 40 countries. According to global cybersecurity firm NCC Group:

“Evil Corp are selective in terms of the infrastructure they target when deploying their ransomware. Typically, they hit file servers, database services, virtual machines and cloud environments.”

The cybercriminal group rose to prominence after developing the Dridex and BitPaymer malware. Since its inception, Evil Corp Group has changed its online identity numerous times in order to stay undetected.

New production: WastedLocker

The newly developed malware WastedLocker aims to encrypt the files of the infected host. Though it has nothing in common with its predecessor BitPaymer, WastedLocker has been labeled a threat by cybersecurity officials due to its connection to the notorious Evil Corp Group.

In fact, alleged leader Yakubets and his partner-in-crime Igor Turashev have been charged in a 10-count indictment for monetary fraud, conspiracy, computer hacking, and wire fraud.

Bitcoin demanding ransomware WannaCryFake

WannaCryFake, much like its counterpart WastedLocker, is a ransomware that demands Bitcoin (BTC). Once a computer system is infected, the malware encrypts the data, holds it hostage, and demands a ransom in Bitcoin in exchange for decrypting the files. Only after the ransom has been paid do the attackers release the stolen data back to the victim.

Solutions to ransomware

Though it may be daunting, cybersecurity firms have come up with solutions to track down hacker gangs and put an end to their cybercriminal activities.

Emsisoft, a cybersecurity firm, aims to track down malicious phishing and ransomware attacks. It released a free decryption tool aimed at putting an end to illegal Bitcoin mining activities.

Darknet Empire Offline for Days Has Users Fearing DDoS Attack and Looming Scam

A popular darknet marketplace, Empire Market, has reportedly been offline for over 48 hours, leaving the website's users anxious about the cause.

Empire Market Goes Down

Empire Market, a darknet behemoth, is often leveraged by users to buy and sell illicit goods, ranging from counterfeit goods to malware and illegal drugs. Payment methods accepted for illicit goods and services sold on the platform include Bitcoin (BTC), Litecoin (LTC), and Monero (XMR).  

The dark web giant has been offline for so long that the unusual inactivity has sparked concern and speculation among its darknet customers. Clients of Empire Market have been wondering whether the dark web service has once again fallen prey to a distributed denial-of-service (DDoS) attack.

In a DDoS attack, the targeted server or network’s regular traffic is disrupted by malicious entities flooding it with Internet traffic, typically sent from many compromised systems at once. The flood exhausts the targeted network’s bandwidth and resources, and consequently a DDoS attack leads to the shutdown of the machine or network.

In the past, Empire Market had already been subject to DDoS attacks that kept the dark web marketplace offline for extended periods. Darknet users’ hypothesis that Empire Market might be the victim of yet another distributed denial-of-service attack may therefore be valid. While some suspect a DDoS attack, others fear that they may be in the middle of an exit scam, a scheme in which a business stops shipping orders to customers while continuing to accept payment for new ones.

Dark Web Answers 

In response to all this, the anonymous journalist behind Dark.fail, who specializes in Tor, commented on the incident and said that this time around, Empire Market’s inactivity felt even more stressful than the downtime it underwent in 2019 due to DDoS attacks.

Dark.fail said, “We are ~36 hours into Empire Market being completely offline. Last year extended periods of downtime were common before the Endgame DDoS filter was released. After months of nearly perfect uptime, this downtime feels more stressful than the frequent Empire downtimes of 2019.” 

Online figure “Se7en,” who claims to be one of Empire Market’s head moderators, addressed the issue. In a statement released on Twitter, Se7en said:

“If the market is still down in a couple of days, I’ll make a post about the whole situation then, it’s early days and maybe the admins will bring it back.” 

The dark web community on Reddit also jumped in at this point, sharing a post from Empire Market’s team warning dark web users of “the many false narratives and fear, uncertainty and doubt (FUD) circulating.” In the post, Empire Market attempted to reassure its users by saying that they were hard at work and that “doing anything safely takes time.”

Blockchain for Better Security

With the surge of cybercrime in this increasingly digital age, numerous Asian countries have reportedly increased their adoption of blockchain for security purposes.

Blockchain has recently been leveraged in various domains, ranging from schools using it to ensure server and network security to an Asian country adopting it for digital driving licenses. South Korea has leveraged the decentralized ledger technology to offer a blockchain-powered driving license alternative, and one million South Korean drivers have made the switch from a physical driver’s license to a digital blockchain-based one.

Lazarus Group Hacks for Crypto via LinkedIn Blockchain Job Posting

A hacking operation that is allegedly backed by North Korea has been reported to be targeting blockchain and cryptocurrency employees through LinkedIn.  

Malware Infiltrates LinkedIn

The hacking group Lazarus has been growing its online presence through large cyber-attack operations. Since 2017, the Lazarus ransomware group has accumulated over $571 million in stolen cryptocurrencies.

According to a report by Finnish cybersecurity firm F-Secure, the latest cyber-attack from Lazarus was conducted through the professional networking platform LinkedIn. Lazarus hackers targeted a blockchain and crypto industry employee with a phishing message presented as a legitimate blockchain job offer, with an MS Word document titled “BlockVerify Group Job Description” attached. Embedded in the Word document was malicious macro code, which launched automatically when the file was opened.

Hacking for Crypto

After further investigation, F-Secure’s threat intelligence team revealed that the names, authors, and document details found in the “BlockVerify Group Job Description” document posted on LinkedIn matched those of a sample publicly available on VirusTotal, a large malware and URL scanning service. Data from VirusTotal confirmed F-Secure’s suspicions of foul play, as the findings showed that the malicious macro code was originally created in 2019. 37 antivirus engines have flagged it since then.

The goal of releasing the malware was to obtain login credentials and gain entry into the victim’s network. Through that crucial step, Lazarus could then move through the network and steal cryptocurrency funds.

Furthermore, F-Secure disclosed that the Lazarus Group shares interests with the government of North Korea. According to F-Secure’s cybersecurity experts, the cyber operations run by the Democratic People’s Republic of Korea will also very likely target organizations and companies that are not necessarily working in the crypto industry.

North Korea Has an Army of Hackers 

A tactical report recently presented by the US Army revealed that the North Korean government has more than 6,000 hackers dispersed throughout the world working for it. Countries hosting North Korea-based hackers include Belarus, China, India, Malaysia, and Russia, to name a few.

The US has long been active in trying to put an end to North Korea’s widespread cryptocurrency-driven cybercrime campaigns and is still working on strategically dismantling these illicit online activities.

Italian Authorities Bust Illegal Ethereum Mining Activities Using Airport Computers

Officials at Italy’s Lamezia Terme International Airport have arrested a 41-year-old technician for unlawfully mining Ethereum using the airport's computers. The postal police disclosed that the suspect was in charge of the airport's computerized infrastructure.

Anomalies detected

The technician, an employee of Sacal Global Solutions, the company contracted to maintain the airport computer system, installed malware and exploited the airport's IT infrastructure to mine Ethereum, endangering the airport’s IT security in the process.

As per the announcement:

“The ‘miner’ was discovered and reported by the staff of the Postal Police of Reggio Calabria and Catanzaro: he is a 41-year-old technician in charge of the computerized infrastructure.”

A red flag was raised after Sacal technicians detected anomalies in the network and alerted the border police. Part of the investigation involved examining the IP addresses linked to the mining activity.

CCTV cameras come in handy

CCTV cameras installed in various rooms at the airport were instrumental in identifying the suspect, who was caught red-handed. Nevertheless, further investigations are being undertaken to leave no stone unturned in case there were accomplices.

The report noted:

“The investigators, with the collaboration of the airport authorities, analyzed the partitions of the IT network inside the hub, discovering the presence, in two different technical rooms, of a real ‘Mining farm’ that is an abusive network consisting of five powerful electronic processors, called Mining Rig.”

Illegal crypto-mining activities on the rise

Crypto mining has emerged as a lucrative business, which explains why illegal activity has marred the venture. For instance, in April, Guardicore, a cloud security and data center firm, issued a report showing how a malware botnet, tracked as the Vollgar botnet, had been hijacking Microsoft SQL Server (MS-SQL) databases around the world and forcing them to mine the cryptocurrencies Vollar and Monero.

Later, in August, federal authorities uncovered a large illegal Bitcoin (BTC) mining site in Kyrgyzstan being operated by government officials of the Free Economic Zone. Furthermore, a former employee of an Australian federal agency narrowly escaped prison despite mining cryptocurrency on government supercomputers.

Ransomware Growth Decreased 23% YoY amid Bearish BTC Market in H1, Report Suggests

The slump in the price of Bitcoin from about $48,000 at the beginning of the year to $20,000 at the end of June has been cited as one of the main reasons for the decline in ransomware activity recorded during this period.

According to a survey from SonicWall, a cybersecurity startup, ransomware attacks changed course in the first half of the year: the total count came in at 236.1 million for the first half of 2022, down 23% compared to the year-ago period.

The SonicWall finding is significant because it shows that during a period of steep price declines, the investor activity that could attract a ransomware attack was minimal. In a ransomware attack, such as the one suffered by the University of California in August 2020, the hacker gains control of the organization’s systems and encrypts them until a ransom is paid.

The revelations from the SonicWall report are surprising given that malware attacks grew significantly within the same time frame. Per the data published, malware attacks in H1 surged 11% to a total of 2.8 billion. Cryptojacking attacks also grew considerably, with 66.7 million cases, up 30% from the first half of 2021.

Cybercrime involving Bitcoin and the broader blockchain ecosystem has gained new momentum in the past few years. With hackers evolving as fast as the digital currency ecosystem is growing, the biggest hits recorded thus far include the $610 million Poly Network hack and the $625 million Ronin Bridge hack.

While the Poly Network hacker was benevolent enough to return all of the funds, only a reported $5.8 million had been recovered for Ronin Bridge, after an attempt was made to launder the funds through the Binance exchange.

Unknown Sources Target Crypto Investors with Malicious Computer Programs

Malwarebytes, a company that develops software for removing malicious software, has found two new varieties of malicious computer programs that aggressively target bitcoin investors on desktop systems. The two fall into the spyware and adware categories. Malwarebytes was able to uncover these programs, which are being distributed by unknown sources.

The findings of the threat intelligence research team at Cisco Talos indicate that the two malicious files in question, the MortalKombat ransomware and the Laplas Clipper malware, have been actively scouring the Internet since December 2022 in search of unsuspecting investors to rob of their cryptocurrency holdings. As can be seen in the table that follows, the majority of individuals affected by this campaign reside in the United States of America, while a much lower number of persons in the United Kingdom, Turkey, and the Philippines have been impacted.

The malicious programs work together to steal information from the user’s clipboard, which is often a string of letters and numbers that the user has copied for pasting. The malware then checks the clipboard for any wallet addresses that have been copied into it and replaces those addresses with a different one.

The success of the attack depends on the user not paying close enough attention to the sender’s wallet address, which enables the bitcoin to be sent to an unidentified adversary. This also allows the attacker to conceal their identity. The attack is aimed at a diverse assortment of targets, including individuals, small organizations, and large ones.
