On the one hand, participants in the crypto market can make unhindered transactions regardless of national borders. On the other hand, the unregulated nature of the crypto market makes hacker attacks easier. Attacks on cryptocurrencies are attractive because, even if the perpetrators are discovered, the question of legal jurisdiction arises and has no clear answer.
Hacking attacks are rarely carried out “manually”; instead, attackers write scripts for them, whether those are launched by direct commands or by malicious software. Recently, two new malware threats have surfaced that scour the Internet for unwary investors in order to steal their funds.
The new malicious activity was detected by the anti-malware software Malwarebytes and involves two new malicious codes. The first is a ransomware strain called MortalKombat, and the second is a GO variant of the Laplace Clipper malware. Their activity on the crypto market has been observed, and most of the victims are located in the United States, with a smaller percentage in Great Britain, Turkey, and the Philippines.
Attackers have been observed scanning the Internet for potential targets with Remote Desktop Protocol (RDP) port 3389 open. RDP is a proprietary protocol that provides a graphical interface for a user to connect to another computer over a network connection.
Research has shown that the campaign begins with a phishing email; once the victim acts on it, a multi-stage attack chain starts in which the attacker delivers either malware or ransomware and then deletes evidence of the malicious files, covering their tracks so that the attack becomes difficult to analyze.
Chain of attacks
The email carries a malicious compressed (ZIP) file containing a batch loader script that, when the victim opens it, downloads a second malicious ZIP file. That payload is then written to the victim’s hard drive, disrupting normal operation; it is either the GO variant of the Laplace Clipper malware or the MortalKombat ransomware.
The loader script then runs the malicious code, which accesses the victim’s crypto wallet, and afterwards deletes the downloaded and dropped malicious files to clean up traces of the infection.
A common attack vector was a phishing email impersonating CoinPayments, a legitimate global cryptocurrency payment gateway. To make the messages look as believable as possible, the attackers spoofed the sender as “[email protected],” while the message subject was “CoinPayments.net Payment Time Out.”
The attached ZIP file has a name resembling the transaction ID mentioned in the email, enticing the victim to unzip the malicious attachment to see its contents and thereby execute the malicious batch file.
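A defender’s view of the chain described above, as an added example that is not part of the original article: a small Python correlation rule over constructed endpoint telemetry (the process, network and file events are invented for illustration, and the Temp-path pattern and parent-process list are assumptions) that flags a process which ran a batch file out of an extracted ZIP, then made a network connection, then deleted a file.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (invented for this example, not real data),
# loosely following the chain above: a batch loader opened from an extracted
# ZIP, a download, then deletion of the dropped files.
EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 100, "parent_image": "explorer.exe",
     "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\Temp1_4F1A9C.zip\4F1A9C.bat"'},
    {"ts": 2, "type": "network_connect", "pid": 100, "dest": "198.51.100.7:443"},
    {"ts": 3, "type": "file_write", "pid": 100, "path": r"C:\Users\bob\AppData\Local\Temp\stage2.zip"},
    {"ts": 4, "type": "file_delete", "pid": 100, "path": r"C:\Users\bob\AppData\Local\Temp\stage2.zip"},
    # Benign admin job: a .bat run from a normal tools folder that also deletes a file.
    {"ts": 5, "type": "process_create", "pid": 200, "parent_image": "explorer.exe",
     "image": "cmd.exe", "cmdline": r'cmd.exe /c "C:\tools\backup.bat"'},
    {"ts": 6, "type": "file_delete", "pid": 200, "path": r"C:\tools\old.log"},
]

# Assumption: a .bat launched from inside a ZIP extracted under a Temp folder,
# which is where many archivers extract a double-clicked attachment.
ARCHIVE_TEMP_BAT = re.compile(r'\\Temp\\[^\\]*\.zip\\[^"]*\.bat', re.IGNORECASE)
# Assumption: parents typical of a user opening an attachment; extend as needed.
USER_PARENTS = {"explorer.exe", "outlook.exe"}


def loader_stage(events):
    """Walk one process's events in time order and return how far they match
    the chain: 0 nothing, 1 batch-from-ZIP start, 2 plus a network
    connection, 3 plus a file deletion (the cleanup step)."""
    stage = 0
    for e in sorted(events, key=lambda e: e["ts"]):
        if (stage == 0 and e["type"] == "process_create"
                and e["parent_image"].lower() in USER_PARENTS
                and ARCHIVE_TEMP_BAT.search(e["cmdline"])):
            stage = 1
        elif stage == 1 and e["type"] == "network_connect":
            stage = 2
        elif stage == 2 and e["type"] == "file_delete":
            return 3
    return stage


def find_loader_chains(events):
    """Return the pids whose events complete all three stages."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    return sorted(pid for pid, evs in by_pid.items() if loader_stage(evs) == 3)
```

Run against the sample, `find_loader_chains(EVENTS)` returns `[100]`; the benign batch job (pid 200) never reaches stage 1 because it was not launched from an extracted archive.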
Ransomware and other cyber security attacks continue to grow. However, victims are increasingly reluctant to pay attackers’ demands: a recent report by Chainalysis found that ransomware revenue for attackers fell by 40 percent last year.
The assumption is that hackers will change tactics and means of attack, and we will find out what future attacks will look like shortly.