Friday, April 19

What is crypto clipping: a technique that targets cryptocurrency wallets and affects Latin America


With the rise of crypto assets, it is not surprising that cybercriminals devote effort to finding ways to get hold of users’ tokens or cryptocurrencies. In addition to ransomware attacks that demand payment in cryptocurrency, or attacks aimed directly at an exchange, there is malicious code that seeks to steal these assets from victims. ESET, a proactive threat detection company, discusses a technique that, while not new, is increasingly being used by cybercriminals: crypto clipping.

At the end of last year, a new variant of the Phorpiex malware was detected, designed for cryptocurrency theft at the transaction stage. Called Twitz, this new variant of the botnet has been distributed mainly through phishing campaigns.

When a user infected with this malware performs a cryptocurrency transaction, the threat uses the crypto clipping technique to automatically replace the destination wallet address the victim copies and pastes with an address controlled by the attacker, so the assets are redirected and stolen.

In underground dark web markets, and in some cases even on Telegram, malicious programs with this technique embedded in their code are offered for little money under the malware-as-a-service (MaaS) model.

“It is important to mention that crypto clipping malware is not new. We have seen in recent years that several of the most common banking Trojan families in Latin America, such as Casbaneiro, Mispadu, Janeleiro or some variants of Mekotio, have been using crypto clipping to steal money from wallets. So have other malware families that are more widespread globally, such as Agent Tesla, or less popular ones, such as BackSwap and KryptoCibule. Even in 2019 malware was detected on Google Play targeting mobile devices,” comments Sol González, Computer Security Researcher at ESET Latin America.


ESET notes that the use of this technique has spread through malware. In December 2021, researchers detected the new variant of Phorpiex designed to steal cryptocurrencies during the transfer stage, but apparently previous versions did not include this technique. Phorpiex, also known as Trik, is a botnet first detected in 2010. In essence, it is a computer worm that uses compromised computers to send out mass spam. In addition, it has been used to download malicious code onto victims’ computers, such as the GandCrab ransomware or cryptocurrency miners like XMRig, and even to carry out DDoS attacks.

“This botnet was responsible for one of the largest sextortion campaigns during 2019. It consisted of an email in which the victim was told that her computer had been infected and that she had been filmed visiting adult sites. Therefore, if she did not pay an amount ranging between 300 and 5,000 dollars in bitcoins, the extortionists threatened to send her contacts a video of her visiting the sites,” adds ESET’s González.

According to ESET telemetry data, growth in the detection of new Phorpiex samples has been observed during the last six months, mainly in Guatemala, Mexico, and Peru. Mexico was the country with the second-largest number of new variants of this worm, which was also reported there in 2019.

Image caption: Phorpiex detections in Latam between August 2021 and January 2022.

ESET shares some recommendations to avoid falling victim to malware that uses crypto clipping:

  • Always have an antimalware/antivirus solution installed on your computer to prevent the installation of malware.
  • Verify the wallet address at the time of the transaction, since this is how the user can detect whether the address was replaced while copying and pasting.
  • Do not install any software that is not downloaded from official sources.
  • Be vigilant and do not open phishing emails. Many of them carry malware hidden in attachments.
  • Before making transactions of significant amounts of cryptocurrencies, it is better to carry out a test transaction for a small amount.
  • Be careful with URLs, as many cybercriminals develop fake pages that pose as wallets, exchanges, or other platforms to steal user credentials.
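As a defender-side illustration of the check recommended above (compare the address you copied with what is actually in the clipboard at paste time), here is an added Python example that is not part of the ESET article or its products: it classifies clipboard text that looks like a wallet address and flags a silent swap, which is what crypto clipping malware does. The address patterns and the sample clipboard events are constructed for illustration and check shape only, not checksums.

```python
import re

# Loose shape-only patterns for a few common chains (constructed for illustration,
# not exhaustive, and no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text):
    """Return a chain label if text looks like a wallet address, else None."""
    candidate = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return label
    return None

def detect_clipping(copied, pasted):
    """Compare the address the user copied with the clipboard content at paste time.
    'clipped' = one wallet address silently replaced by another (the clipping signature)."""
    src, dst = classify_address(copied), classify_address(pasted)
    if src is None:
        return "not_an_address", "copied text is not a wallet address"
    if copied.strip() == pasted.strip():
        return "ok", f"{src} address unchanged"
    if dst is not None:
        return "clipped", f"{src} address replaced by a different {dst} address"
    return "modified", "address changed, but the replacement is not a wallet address"

def scan_events(events):
    """Run detect_clipping over (copied, pasted) pairs and return the verdicts."""
    return [detect_clipping(copied, pasted) for copied, pasted in events]

# Constructed clipboard events: (text the user copied, clipboard content when pasting).
USER_BTC = "1DefenderTestAddressQQQQQQQQQQQQ"
SWAP_BTC = "1AttackerTestAddressZZZZZZZZZZZZ"
USER_ETH = "0x" + "ab" * 20
SWAP_ETH = "0x" + "ab" * 19 + "cd"
SAMPLE_EVENTS = [
    (USER_BTC, USER_BTC),            # benign paste
    (USER_BTC, SWAP_BTC),            # address silently swapped
    ("hello world", "hello world"),  # ordinary text, ignored
    (USER_ETH, SWAP_ETH),            # swap on a different chain
    (USER_BTC, ""),                  # clipboard cleared, not a swap
]

if __name__ == "__main__":
    for verdict, detail in scan_events(SAMPLE_EVENTS):
        print(f"{verdict:15} {detail}")
```

In a real tool the (copied, pasted) pairs would come from hooking the clipboard; the comparison logic stays the same.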

ESET also invites you to check out Secure Connection, its podcast on what is happening in the world of computer security.


diarioti.com