Users of the Jaxx cryptocurrency wallet are the latest target of a malware campaign. A website spoofing the official Jaxx site was recently taken down after Flashpoint researchers discovered several infections connected to the operation. The fake site used a URL closely resembling the original and delivered “a number of custom and commodity strains of malware”. The purpose of the operation was to empty the wallets of Jaxx users.
More about Jaxx
According to Jaxx’s own statistics, it is a popular cryptocurrency wallet, downloaded over 1.2 million times across desktop and mobile. Jaxx Liberty, the latest version of the wallet, supports Bitcoin, Ethereum and several other cryptocurrencies. Jaxx is owned by the Canadian blockchain startup Decentral.
How did the Attack on Jaxx Happen?
First, the researchers underline that the attack relied on social engineering: it did not exploit a security vulnerability in the Jaxx application, the Jaxx website, or any Decentral domain.
Flashpoint researchers notified Jaxx and the Cloudflare content delivery network. Cloudflare reacted quickly and took the spoofed website down. The site was a copy of the real one in which the download links had been altered to point at a server controlled by the attackers.
Unfortunately, the researchers were unable to determine how the attackers lured users to the spoofed website: whether they poisoned search results, used email phishing, spread the link through chat applications, or used some other method is not known.
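Because the only thing the attackers changed was where the download links pointed, the practical check is to inspect those links before trusting a download and to verify the file's hash against one obtained out of band. The following is an added example, not code from the article or from Flashpoint or Decentral; the HTML is constructed, and the host names (jaxx.io as the legitimate site, jaxx-spoof.example and downloads.bad-host.example as attacker-controlled hosts) are assumptions for illustration.

```python
"""Flag download links that leave the expected domain, and verify a download's
SHA-256 against a hash obtained out of band.

Added example; not the article's, Flashpoint's or Decentral's code. All hosts
and the sample page are constructed for illustration.
"""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed set of domains a genuine Jaxx download may come from.
ALLOWED_DOMAINS = frozenset({"jaxx.io", "play.google.com"})

# Constructed sample page: a copy of a download page in which the desktop
# links have been repointed (one to a foreign host, one left relative so it
# resolves to whatever host served the page), while the mobile links still
# lead to legitimate sites, matching the pattern the article describes.
SAMPLE_HTML = """
<html><body>
<a href="https://downloads.bad-host.example/jaxx-setup.exe">Windows</a>
<a href="/downloads/jaxx-mac.jar">Mac OS X</a>
<a href="https://jaxx.io/downloads/mobile">Android</a>
<a href="https://play.google.com/store/apps">Play Store</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the href targets of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def host_allowed(host, allowed_domains):
    """True if host is one of the allowed domains or a subdomain of one.

    The '.' prefix in the suffix check prevents 'jaxx.io.evil.example' from
    passing as a subdomain of 'jaxx.io'.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def find_offdomain_links(html, page_url, allowed_domains):
    """Return absolute links whose host is not allowed.

    Relative hrefs are resolved against page_url, so a relative download link
    on a spoofed page resolves to the spoofed host and is flagged, while the
    same markup served from the legitimate site is not.
    """
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        host = urlparse(absolute).hostname or ""
        if not host_allowed(host, allowed_domains):
            flagged.append(absolute)
    return flagged


def sha256_hex(data):
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data, expected_sha256):
    """Compare the download's SHA-256 with a hash obtained out of band.

    The expected hash must not come from the same page that served the file:
    an attacker who can rewrite the download link can rewrite the hash too.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


if __name__ == "__main__":
    for url in find_offdomain_links(SAMPLE_HTML, "https://jaxx-spoof.example/", ALLOWED_DOMAINS):
        print("off-domain download link:", url)
```

Run against a page fetched from the spoofed host, both desktop links are flagged; run against the same markup served from jaxx.io, only the link to the foreign host is. The hash check is deliberately kept separate from the link check: even a download from the right domain should be compared with a hash published somewhere the attacker does not control.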
Both Windows and Mac Users Targeted
As noted in the report:
The start date for this campaign figures to be Aug. 19 when the fraudulent domain was created. The attackers were targeting Windows and Mac OS X users with a variety of malware developed for the desktop platforms. Anyone who clicked on the mobile downloads was redirected to the legitimate Jaxx website.
Put simply, users who landed on the spoofed Jaxx website believed they were visiting the official one, and nothing afterwards gave them reason to doubt it: the attackers took the trouble to install the legitimate wallet software on the victim’s computer while the malware installed silently in the background.
Mac OS X users were served a custom-built malicious Java Archive (JAR) file, whereas the fraudulent Windows download link delivered a custom-written .NET application.
The .NET application exfiltrated all of the victim’s desktop files to a command-and-control server and then downloaded two further Trojans, KPOT Stealer and Clipper. Both appear to be marketed on Russian-language underground cybercrime sites, the researchers pointed out.
The Mac OS JAR file was written in PHP and compiled with DevelNext, a Russian-language IDE. Judging by the Jaxx branding throughout the code, the malware was developed specifically for this campaign.
This operation is further proof that cybercriminals are refining their tactics and continue to target cryptocurrency users. Attackers are likely to keep pairing custom droppers with commodity malware kits sold on underground forums to steal both credentials and cryptocurrency.