Cybersecurity firm Kaspersky has discovered malware that tricks victims into sending attackers their crypto by replacing trusted wallet addresses on a user's clipboard.
The malware is being distributed under the guise of Microsoft Office Add-Ins on the SourceForge website.
In reality, alternate links are being used to install this malware and infiltrate crypto wallets. The coding appears to be in Russian, with an expected 90% of potential victims in Russia, Kaspersky researchers wrote in a post on their SecureList blog.
However, the link does lead to a website written in English for the download—suggesting this could expand far wider than Russia.

Once installed, the malware places ClipBanker on the device, a malware strain that replaces cryptocurrency addresses in the clipboard with the attacker's own.
Since most crypto wallet users tend to copy and paste addresses, rather than typing them, the address replacement usually goes undetected until the victim's money is sent somewhere they did not intend.
Kaspersky warns that this could do even more damage.
"The persistence methods are worthy of note as well. Attackers secure access to an infected system through multiple methods, including unconventional ones," the researchers wrote. "While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors."
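As an added example (not from Kaspersky's report or the original article), the Python code below shows how a defender could flag the clipboard address replacement described above in a log of clipboard changes: an address-shaped value replaced by a different address of the same type within a short window. The event log format, the 2-second window and the address patterns are assumptions, and the sample addresses are constructed placeholders.

```python
import re

# Format-only patterns: they recognise address-shaped text, not valid checksums.
PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return 'btc' or 'eth' if the text is a single address-shaped value, else None."""
    value = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag an address replaced by a different address of the same kind within `window` seconds.

    events: iterable of (timestamp_seconds, clipboard_text), in time order.
    Assumption: a person rarely copies two different addresses that quickly.
    """
    swaps = []
    prev = None  # (timestamp, kind, value) of the previous clipboard content, if address-shaped
    for ts, text in events:
        value = text.strip()
        kind = address_kind(value)
        if kind is None:
            prev = None
            continue
        if prev and prev[1] == kind and prev[2] != value and ts - prev[0] <= window:
            swaps.append((ts, kind, prev[2], value))
        prev = (ts, kind, value)
    return swaps

# Constructed sample data: placeholder addresses, not real wallets.
BTC_A, BTC_B = "bc1q" + "a" * 38, "bc1q" + "z" * 38
ETH_A, ETH_B = "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, BTC_A),   # user copies an address
    (10.4, BTC_B),   # replaced 0.4 s later: flagged
    (60.0, ETH_A),   # user copies an address
    (95.0, ETH_B),   # user copies another one 35 s later: not flagged
]

if __name__ == "__main__":
    for ts, kind, original, replacement in find_swaps(SAMPLE_EVENTS):
        print(f"t={ts}s {kind}: {original} -> {replacement}")
```

A format check alone cannot catch the swap, because the replacement is itself a well-formed address; the signal here is the timing and the change of value.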

It's worth noting that SourceForge is a legitimate website for hosting software downloads and that this exploit relies on users being taken to another download link, which is not safe.
A seemingly legitimate link redirects to a page where users are encouraged to download the infected software.
The download appears to be a legitimate 700MB installer, but it’s mostly filled with junk files. The actual malware is just 7MB.
According to the report, some 4,604 Russian users have encountered this scheme between early January and late March alone.
Kaspersky warns: "We advise users against downloading software from untrusted sources. If you are unable to obtain some software from official sources for any reason, remember that seeking alternative download options always carries higher security risks."
Edited by Stacy Elliott.