The Quant Trojan is now targeting Bitcoin cryptocurrency wallets, researchers warn. Forcepoint researchers recently came across an active Quant loader admin panel that was hosted on a new domain. The domain was also hosting several other malware samples.
At first, the researchers thought everything was “business as usual”, but after the initial investigation they concluded that there were additional features added to the loader – all coming down to cryptocurrency stealing.
Quant is a piece of malware that has been around for quite some time and it doesn’t have much novelty to offer. However, the newly obtained and analyzed samples show that there are several key differences when compared to previous documented attacks involving Locky and Pony campaigns. The newest samples are designed to download the same payload files from the command and control server.
Depending on the actual tasks on the Quant server, the files listed below are hosted by default waiting to be downloaded and executed:
- bs.dll.c – A cryptocurrency stealer
- sql.dll.c – A benign SQLite library on which ‘zs.dll.c’ is dependent
- zs.dll.c – A credential stealer
A look into bs.dll.c – the cryptocurrency stealer
This is a small Borland Delphi based library that was developed for extracting several lesser known cryptocurrency wallets from the victim’s machines, in addition to Bitcoin.
It scans the user’s Application Data directory for supported wallets, extracts the information found, and transfers it over to the C2 server. Judging by the actual data on the servers we examined – and presumably due to the fact that some of the more popular currencies are not supported – this functionality does not seem to be particularly fruitful.
The cryptocurrencies of interest here are:
- Bitcoin (BTC) – via MultiBit and Electrum wallets
- Terracoin (TRC)
- Peercoin/PPCoin (PPC)
- Primecoin (XPM)
A look into zs.dll.c – the credential stealer
This is a Delphi based library created for obtaining credentials for operating systems and applications. Once the password scan is finalized, the extracted data is transferred to the command and control server via a HTTP POST request to a PHP page on the server side, researchers reported.
The data analyzed by the research team shows that the credential stealing capability is somewhat successful at retrieving data.
Interestingly, both of the stealers described above were already in development (and actively sold on underground forums) by the author when Quant loader was initially introduced on the malware market. It appears that the cybercriminals behind the recent operations made the decision to add them to Quant Loader. This may have been done to increase the price of the whole package, and to make it more prominent by adding more features and malicious functionalities.
However, researchers point out that particularly these two modules are still sold separately in underground forums:
MBS can be bought separately for $100 for a full license and an additional $15 for every update while Z*Stealer would be $100 for a full license with free updates, or $55 for a base license and an additional $15 for every update. This is as compared to a recent advert offering five full Quant licences for $275.
It is worth noting that the new Quant build also has a lengthy sleep command which is meant to aid avoiding detection by antivirus software and analysis in sandbox environments.
“Targeting cryptocurrency wallets is not a particularly new innovation, and targeting ‘offline’ wallets is a relatively well-established way of attempting to steal ‘coins’,” the researchers explained.
How to secure your cryptocurrency wallet
There are, however, some steps to consider in order to secure your cryptocurrency wallet to safeguard it from hackers and malware attacks.
1. Backup!
You need to back up your wallets just like you back up your data. Luckily, not much space is needed to store backups of Bitcoin wallets. Get more than one hard drive and USB sticks. Make sure that your wallets are as safe as they can be. In fact, make it a rule – never back up to just one external memory and consider it done.
2. Encrypt your online backups
Keep in mind that any backup stored online is susceptible to theft. Unfortunately, a computer that is connected to the Internet is also vulnerable to malware, ransomware and data theft. Thus, encrypting any backup exposed to the network is an excellent security habit.
3. Encrypt your wallet, too
Encrypting your wallet enables you to set a password (that should be strong and unique) which will get in the way of unauthorized entities trying to withdraw your funds. This step helps protect against thieves, but unfortunately it will not save you from keyloggers that capture passwords.
Also, make sure to never forget your password.
4. Keep an offline wallet (cold storage)
Keeping an offline wallet is the most secure method for savings. It simply means storing a wallet in a secured place that is not connected to the network. When done accurately, cold storage is also a great security measure against computer vulnerabilities. Overall, an offline wallet combined with backups and encryption is the best thing you can do.
5. Forget about your smartphone
Even though smartphones are all about convenience, it is not a good idea to use it for Bitcoin. In other words, it’s a bad idea to use your smartphone for primary storage of your funds. As to why – what if your phone got lost, stolen or compromised? Also, keep in mind that Sirin Labs, the company behind the $14,000 Solarin smartphone, is currently working on an open-source model, running on a fee-less blockchain.
6. Secure your computer
Update it frequently, and install a strong anti-malware program. A vulnerable computer directly endangers your crypto wallet. A strong anti-malware program is able to detect the latest forms of spyware, Trojans, rootkits, ransomware, keyloggers and other types of malware that put your data and cryptocurrency savings at risk of hacking.
SpyHunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter