An unknown hacking collective is behind a massive phishing attack that involves the creation of a fake Cryptohopper website. Cryptohopper is a very popular cryptocurrency trading platform used by thousands of users. Any interaction with one of the fake sites can lead to malware infections of various types.
Fake Cryptohopper Instance Spreads Malware To Visitors
A recent phishing wave has been launched against cryptocurrency users: a dangerous fake Cryptohopper trading platform is being pushed massively using different criminal tactics. The replica site poses as the real address and can be hosted on numerous domains whose names sound similar to the original.
At the moment it appears that the main goal of the site is to deliver a Setup.exe payload automatically upon visit. This is an encoded file which uses the logo image of the legitimate site in order to deliver malware. At the moment there is no information available about the criminal collective behind the ongoing campaign, so the phishing site could effectively be used to send out various types of malware:
- Ransomware — These are dangerous file-encrypting viruses which make it impossible to access key user data. Usually a strong cipher is applied to certain file type extensions; popular targets include images, music, videos, databases, software, archives and so on. The victim files are renamed with a certain extension and a ransom note is produced which blackmails the victims into paying a decryption fee.
- Cryptocurrency Miners — These are dangerous scripts which download a series of complex mathematical tasks that place a heavy toll on the performance of the machines, including the CPU, memory, hard disk space and so on. Whenever one of the tasks is reported as completed, the operators receive a small income directly into their digital wallets.
- Trojans — These are dangerous viruses which take over control of the machines by maintaining a persistent connection to a server, allowing the operators to control the machine remotely.
- Browser Hijackers — These are dangerous plugins made for the most popular web browsers which hijack user data and manipulate the browsers into always opening certain hacker-controlled sites.
At the moment the ongoing attack campaign is set on distributing the Vidar Trojan.
Its configuration will download two other malware threats and their associated libraries onto the infected machines. What we know from the security report is that they act as two independent engines. The first one is focused on downloading and running cryptocurrency miner code. The second one acts as a clipboard hijacker which monitors user input and acquires any sensitive information that is entered. Other malware actions that can be taken by the malware distributed by the fake Cryptohopper instances include the following:
- Persistent Installation — The main malware which is delivered, in this case the Vidar Trojan, can be added to the boot options as an entry. This means that the threat is launched as soon as the computer is powered on.
- Data Harvesting — Acquisition of sensitive information is done by searching for strings that can reveal a lot of data about the victims or their machines. The following data can be hijacked: web browser data, stored account credentials, cryptocurrency wallets, documents, text files, form data and automatically generated screenshots.
The clipboard hijacker, which is the second module activated in this campaign, also looks out for any cryptocurrency wallet addresses that are interacted with during web sessions. Whenever such an operation is detected, the engine automatically replaces the addresses with hacker-devised ones. The acquired samples act against the following currencies:
Ethereum, Bitcoin, Bitcoin Cash, DOGE, Dash, Litecoin, Zcash, Bitcoin Gold, QTUM and Ripple
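The substitution described above can be detected on the defender's side by comparing what was copied with what ends up being pasted: a clipper swaps in a different address of the same currency, so a same-format mismatch is the signal. The following is an added example, not code from the original report; the address patterns are heuristic prefix/length formats for the currencies listed, and the clipboard events are constructed sample data.

```python
import re
from typing import Optional

# Heuristic address formats for the currencies named in the report (constructed for this
# example: common prefixes and lengths only, not a checksum-based validity check).
ADDRESS_PATTERNS = {
    "Bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "Ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "Bitcoin Cash": re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
    "Bitcoin Gold": re.compile(r"^[GA][a-km-zA-HJ-NP-Z1-9]{33}$"),
    "Litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{11,71})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "Dash": re.compile(r"^X[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "Zcash": re.compile(r"^t[13][a-km-zA-HJ-NP-Z1-9]{33}$"),
    "QTUM": re.compile(r"^Q[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "Ripple": re.compile(r"^r[a-km-zA-HJ-NP-Z1-9]{24,34}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the currency whose address format the text matches, else None."""
    candidate = text.strip()
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return currency
    return None


def detect_clipboard_swap(copied: str, pasted: str) -> dict:
    """Flag a clipper-style substitution: the pasted value is a different
    address of the same currency as the one the user originally copied."""
    src, dst = classify_address(copied), classify_address(pasted)
    swapped = src is not None and src == dst and copied.strip() != pasted.strip()
    return {"copied_currency": src, "pasted_currency": dst, "swapped": swapped}


# Constructed clipboard events: (what the user copied, what was actually pasted).
SAMPLE_EVENTS = [
    ("0x" + "ab" * 20, "0x" + "ab" * 20),            # Ethereum address, untouched
    ("0x" + "ab" * 20, "0x" + "cd" * 20),            # Ethereum address, replaced
    ("1ConstructedBtcAddressABCDEFGHJK",             # Bitcoin address, replaced
     "1DifferentBtcAddressABCDEFGHJKMNP"),
    ("meeting at 10:30", "meeting at 10:30"),        # ordinary text, ignored
]


def audit_events(events) -> list:
    """Return indices of events where a same-currency address swap occurred."""
    return [i for i, (copied, pasted) in enumerate(events)
            if detect_clipboard_swap(copied, pasted)["swapped"]]
```

Running `audit_events(SAMPLE_EVENTS)` reports events 1 and 2 as suspicious; a copied address that is pasted unchanged, or plain text, is not flagged.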
All users who suspect that they might be victims of such an infection, or who encounter fake Cryptohopper sites, should take the necessary precautions and protect their systems from malware infections.