LogRhythm Labs has identified an emerging targeted BitCoin theft campaign while evaluating an interesting piece of malware that is actively targeting users of popular BitCoin exchanges. This malware arrives in the form of a phishing message:
This appears to be a mass-targeted phishing message, as many users have already reported receiving the same e-mail. After reviewing it, it is obvious that they have targeted people who they know use BitCoin, by way of scraping popular BTC sites and leaks for e-mail addresses.
The e-mail headers indicate that this was sent using amazonses.com, which is Amazon’s Simple Email Service (SES) (http://aws.amazon.com/ses/), a service used for sending mass mailings.
Running the shortened link through some quick online tools uncovers some interesting information and flags the link as malicious:
- http://wepawet.iseclab.org/view.php?hash=88a2f886b034f327955c2c8ced361619&t=1389079982&type=js
The shortened link (hxxp://goo.gl/sFgbEJ) redirects here: hxxp://skodegouw.nl/web/includes/Backup.zip and downloads the Backup.zip file. Analyzing the metrics around this short URL shows that just under two thousand users have clicked on the link since the malware campaign was launched at around 4pm on January 6th.
A majority of the clicks were through unknown sources, most likely e-mail, though other sources such as Reddit were also used to propagate the attack.
When running this .zip file through VirusTotal, only 8 antivirus products are currently able to detect the malware.
- https://www.virustotal.com/en/file/85083a3cc70d4c38c60c20995f3f82f37bec6de1744cd8d10dea645888c58669/analysis/1389077222/
After extracting the contents and running the files through some quick analysis, it is apparent that each file plays a significant role in the overall attack.
They anticipate that the user will open Passwords.txt.lnk first, and then view wallet.dat, as only these two files are visible unless “show hidden files” is turned on in Windows. Running strings on Password.txt appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts.
Followed by calls to multiple DLLs…
It gets better though. The Password.txt.lnk file launches cmd.exe and runs a few interesting commands…
Reviewing the wallet.dat file with strings discloses the phisher’s BTC wallet addresses. A team of 4 people: Liquid, Kaz, Abz, and Frosty. EDIT: Thanks to reddit we have discovered that these BTC addresses are most likely not related to the phisher’s, but are those of users who may have fallen victim to this attack.
Initially, the Password.txt file shows up as hidden as the attackers want the user to click Passwords.txt.lnk first. When this file is viewed it is obvious that this is a packed executable by way of the UPX “signature” line.
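A small triage script for the archive layout described above, added here as an example and not part of the original post or the analyzed sample. It builds a constructed in-memory zip that mirrors that layout (the file names come from the post; the file contents are placeholders), then flags the three tell-tale traits: a hidden-attribute entry, a double-extension .lnk, and a file with a non-executable name that carries a PE header and the well-known UPX section-name markers.

```python
import io
import zipfile

HIDDEN_ATTR = 0x02          # FILE_ATTRIBUTE_HIDDEN in the DOS attribute byte of external_attr
PE_MAGIC = b"MZ"            # DOS/PE header signature
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # standard UPX section names / magic


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the post's layout (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # visible decoy shortcut; "L\x00\x00\x00" is the .lnk header size field
        zf.writestr("Passwords.txt.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
        # visible bait wallet (placeholder bytes)
        zf.writestr("wallet.dat", b"\x00" * 32)
        # hidden entry that is really a UPX-packed PE despite its .txt name
        info = zipfile.ZipInfo("Password.txt")
        info.external_attr = HIDDEN_ATTR
        zf.writestr(info, PE_MAGIC + b"\x00" * 40 + b"UPX0" + b"UPX1" + b"UPX!")
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Return {entry name: [flags]} for every member of a zip archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            flags = []
            if info.external_attr & HIDDEN_ATTR:
                flags.append("hidden-attribute")
            parts = name.lower().split(".")
            if len(parts) >= 3 and parts[-1] == "lnk":
                flags.append("double-extension-lnk")
            content = zf.read(name)
            if content[:2] == PE_MAGIC and not name.lower().endswith((".exe", ".dll")):
                flags.append("pe-with-nonexec-extension")
            if any(marker in content for marker in UPX_MARKERS):
                flags.append("upx-packed")
            findings[name] = flags
    return findings


if __name__ == "__main__":
    for entry, flags in triage_archive(build_sample_zip()).items():
        print(f"{entry}: {', '.join(flags) or 'no findings'}")
```

Point `triage_archive` at the bytes of any downloaded archive to get the same per-entry flags.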
Running this file launches a blank command prompt window, followed by a program masquerading as notepad, then the real notepad application, which displays the “password” to the wallet.dat file.
In reality, this program launches two files, one notepad.exe to display the fake password, and another file “Password.txt” which appears to actually be a backdoored version of EditPlus (http://www.editplus.com/). This file continues to run silently and remains open even after notepad is closed.
It appears that this malware lies resident until the victim opens their BitCoin wallet using the BitcoinQT software (http://bitcoin.org/en/download). This is the obvious intended target, as the malware is hard-coded for Windows hosts and the screenshot included in the .zip file suggests the use of BitcoinQT by showing a screenshot of the included wallet.dat file, which happens to contain a very tempting ~30 BTC.
Once BitcoinQT.exe is opened, the software appears to connect back to the attacker’s network; however, it is difficult to tell immediately which IP addresses are related to the malware, and this is only one potential avenue. We are currently working to analyze this in more detail and plan to release additional information on this malware in a follow-up blog post. LogRhythm Labs dug deeper into this malware and more information is now available in our follow-up post.