Hackers and cybercriminals have been targeting crypto investors with two new malware threats that scout the internet for unwary investors to steal their funds.
According to a recent report by anti-malware software Malwarebytes, two new cybersecurity threats, which include recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, have been deployed in campaigns aimed at stealing cryptocurrency from victims.
The new phishing attack’s victims are predominantly located in the United States, with a smaller percentage of victims in the United Kingdom, Turkey, and the Philippines.
The company’s threat intelligence research team, Cisco Talos, said they observed the actor scanning the internet for potential targets with an exposed remote desktop protocol (RDP) port 3389. RDP is a proprietary protocol that gives a user a graphical interface for connecting to another computer over a network connection.
The research said that the campaign begins with a phishing email “and kicks off a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging analysis.”
The phishing email comes with a malicious ZIP file that contains a BAT loader script, which downloads another malicious ZIP file when the victim opens it. The loader then inflates (unzips) the downloaded archive on the victim’s device and executes the payload, which is either the GO variant of Laplas Clipper malware or MortalKombat ransomware.
“The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers,” the report detailed.
Talos noted that a usual vector of attack for the criminals has been a phishing email in which they impersonate CoinPayments, a legitimate global cryptocurrency payment gateway.
To make the emails look even more legitimate, they have a spoofed sender, “noreply[at]CoinPayments[.]net”, and the email subject “[CoinPayments[.]net] Payment Timed Out.”
On this specific occasion, a malicious ZIP file is attached with a filename resembling a transaction ID mentioned in the email body, which lures the victim into unzipping the attachment to view its contents, which turn out to be a malicious BAT loader.
Ransomware Threats Rise while Revenue Declines
Ransomware and cybersecurity attacks continue to increase. However, victims have been increasingly unwilling to pay attackers their demands, according to a recent report by Chainalysis, which revealed that ransomware revenues for attackers plummeted 40% last year.
It is worth noting that North Korean hacking groups account for a huge portion of illicit cyber activities. Just recently, South Korean and United States intelligence agencies warned that Pyongyang-based hackers are trying to hit “major international institutions” with ransomware attacks.
In December 2022, Kaspersky also revealed that BlueNoroff, a subgroup of the North Korean state-sponsored hacking group Lazarus, is impersonating venture capitalists looking to invest in crypto startups in a new phishing method.
Cybercriminals are always looking for new ways to steal cryptocurrency from investors. In recent months, there have been a number of reports of new malware targeting crypto investors.
Two of the most notable examples of this new malware are MortalKombat ransomware and Laplas Clipper malware. MortalKombat ransomware is a type of ransomware that encrypts a victim’s files and demands a ransom payment in order to decrypt them. Laplas Clipper malware, on the other hand, is a type of malware that steals cryptocurrency addresses from a victim’s clipboard.
Both of these malware threats are being spread through phishing emails that appear to be from legitimate cryptocurrency companies. Once a victim opens the infected email, the malware is downloaded and installed on their computer.
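A clipper works by swapping a wallet address the victim has copied for one belonging to the attacker, so that a paste into a transfer form sends funds to the wrong place. The signature in clipboard history is a crypto-address-shaped value being replaced, within a fraction of a second and without user action, by a different address of the same coin type. The following is an added detection example written for this article, not code from Malwarebytes, Cisco Talos or the malware; the clipboard observations, the wallet addresses and the two-second threshold are all constructed or assumed.

```python
"""Flag clipper-style address swaps in a (constructed) clipboard observation log."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape-only patterns; they do not validate checksums, which is enough to classify.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin type a clipboard value looks like, or None."""
    value = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return coin
    return None


@dataclass
class Swap:
    ts: float
    coin: str
    original: str
    replaced_with: str


def detect_clipboard_swaps(observations: List[Tuple[float, str]],
                           max_gap: float = 2.0) -> List[Swap]:
    """observations: (timestamp, clipboard content) in time order.
    A swap is two consecutive addresses of the same coin type that differ and
    appear less than `max_gap` seconds apart (assumed threshold): too fast for a
    user to have copied a second address by hand."""
    swaps = []
    for (t_prev, prev), (t_cur, cur) in zip(observations, observations[1:]):
        coin_prev, coin_cur = classify_address(prev), classify_address(cur)
        if coin_prev is None or coin_prev != coin_cur:
            continue
        if prev.strip() != cur.strip() and (t_cur - t_prev) < max_gap:
            swaps.append(Swap(t_cur, coin_cur, prev.strip(), cur.strip()))
    return swaps


def addresses_match(copied: str, pasted: str) -> bool:
    """Pre-send check: does the address in the form equal the one the user copied?"""
    return copied.strip() == pasted.strip()


# Constructed addresses (correct shape, not real wallets).
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
BTC_A = "bc1" + "q" * 38
BTC_B = "bc1" + "z" * 38

# Constructed clipboard log: one silent swap, one legitimate later copy.
SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes for Tuesday"),
    (5.0, ETH_A),          # user copies the exchange deposit address
    (5.3, ETH_B),          # 300 ms later the clipboard holds a different address
    (60.0, BTC_A),
    (120.0, BTC_B),        # a minute later: plausibly the user copied another address
]

if __name__ == "__main__":
    for swap in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print(f"{swap.ts}: {swap.coin} address {swap.original} replaced by {swap.replaced_with}")
```

The `addresses_match` check is the manual version of the same defence: compare the first and last characters of the address in the send form against the one you copied before confirming a transfer, because a clipper substitutes the whole string rather than editing part of it.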
If you are a crypto investor, it is important to be aware of these new malware threats. Here are a few tips to help you stay safe:
- Be careful about what emails you open. If you receive an email from a cryptocurrency company, make sure that the email address is legitimate before opening it.
- Do not click on links in emails. If you receive an email that contains a link to a cryptocurrency website, do not click on the link. Instead, go directly to the website yourself.
- Keep your software up to date. Make sure that you have the latest security updates installed on your computer.
- Use a firewall and antivirus software. A firewall and antivirus software can help to protect your computer from malware attacks.
If you think that you have been infected with malware, there are a few things you can do. First, you should disconnect your computer from the internet. This will prevent the malware from spreading to other computers. Second, you should scan your computer with antivirus software. If the antivirus software finds malware, it will remove it from your computer.
Finally, you should contact your cryptocurrency exchange or wallet provider. They may be able to help you recover your lost cryptocurrency.
By following these tips, you can help to protect yourself from malware attacks and keep your cryptocurrency safe.