Bitcoin, Bitcoin, Bitcoin – Someone Might Be Watching You When You Buy That Coin…
Bitcoin's value has been going through the roof, but with that attention also comes criminal activity. In the past two weeks, we have seen more than just a few reports trying to raise awareness of increased attacks on cryptocurrency traders. Not only are those in the industry reportedly DDoS-ing competitors to potentially manipulate the coin's value, but cybercriminals are also using trojans and malware to target users.
Trojans target bitcoin investors
Due to the recent volatility that makes bitcoin gain or lose $1,000 in a day, it has become difficult for traders to follow prices manually. To maximize profitability, many have started using automatic trading applications that help them follow these dips and spikes. Popularly known as trading bots, these platforms promise to monitor bitcoin price differences and automatically buy or sell coins based on user-set criteria. But is that all they are doing?
While most of these are legitimate applications, cybercriminals are also jumping on this bandwagon to target bitcoin investors, all the while spying on them. In its research, Fortinet describes at least one such criminal group that has been dropping the Orcus trojan with a trading bot named Gunbot, which is developed by GuntherLab or Gunthy.
The process starts with a phishing email that contains a zip file carrying a VB script designed to download a binary masquerading as a jpeg file. Researchers said that once this is "loaded and executed in memory, it ensures that the malware is executed upon reboot." It also carries 3 more executables, including Orcus RAT. This remote administration tool, among other things, enables attackers to execute C# and VB.net code on the remote machine in real time.
"Basically, if a server component gets “installed” to your system, the person on the other side is practically in front of your machine while seeing and hearing you at the same time – yes, it can activate your microphone and webcam even without you knowing," the researchers write.
Not only does the RAT spy on users and record everything, it is also capable of disabling the webcam light, causing a Blue Screen of Death if a user tries to kill its process, and remaining hidden from the user through a number of different processes. The purpose of this specific attack appears to be password retrieval and keylogging, among other things; however, researchers warn that this data could be used for further attacks.
The attackers also appear to have created fake websites for their campaigns that mimic the original ones. "One of the websites on the list, “qunthy.org” leads to a fake website for Gunbot," the research says. "On the legitimate Gunbot website, interested clients are redirected to the developer’s Telegram profile, which is done by clicking the “CONTACT” button."
In the case of the fake website, that button is replaced with a “GET IT” button that can be triggered just by hovering on it. This leads to a file hosting website, “http[:]//desfichiers.com/?9onk0nboih”. As of this writing, the file pointed to by the URL no longer exists; however, it seems safe to assume that it’s nothing benign.
With bitcoin taking up a lot of news space and user interest in recent weeks, those interested in investing in the cryptocurrency also need to understand how easily they can become victims of criminal attacks.
While some have focused on stealing thousands of bitcoins from exchanges, making millions overnight, others are investing in more subtle attack vectors that could potentially help with persistence on victim computers, require fewer resources and less technical knowledge than a full-blown hack of a major website, and don't attract the attention of law enforcement authorities.