Security researchers have detected another attack against users that are interested in cryptocurrency. A fake application masqueraded as wallet software is currently distributing ransomware and also has an information stealer bundled in the infection package, experts warn. The fake application a.k.a. ransomware is called Spritecoin, and it was discovered by Fortinet researchers.
| Type | Ransomware, fake app |
| Short Description | The ransomware encrypts files on your computer and displays a ransom message once encryption is done. |
| Symptoms | Encrypted files cannot be accessed. A ransom note demands payment in Monero. |
| Distribution Method | Forum spam |
Spritecoin Monero Ransomware Infection Details
Researchers have seen unconfirmed reports indicating that this attack is being spread via forum spam and is specifically targeting users interested in cryptocurrency. During their research, experts came across what appears to be the homepage for SpriteCoin at pagebin[.]com/xxqZ8VES.
The ransomware spread with the help of the Spritecoin fake app asks for ransom payment in Monero cryptocurrency. Meanwhile, the ransomware pretends to be a “cryptocurrency-related password store”. More specifically, it poses as a Spritecoin wallet and asks the potential victim to create a password. When the victim does so, it does not actually download the blockchain; instead, it encrypts the data on the user’s computer.
Once the encryption process is done, the ransomware will demand a payment in Monero in exchange for the files’ decryption.
The file (also known as spritecoind[.]exe) is UPX packed for simple evasion. It displays the typical “Your files are encrypted” ransom note and asks for 0.3 Monero, which amounts to $105 USD, researchers add.
During their analysis, researchers noticed indicators that the sample has an embedded SQLite engine. This may mean that the ransomware is using SQLite to store harvested credentials.
Interestingly, the ransomware is designed to first search for Chrome credentials. If no such credentials are found, it continues with Firefox trying to access the browser’s credential store. Once this is done, it will look for specific files to encrypt, researchers reveal in their report.
Once the encryption is done, the .encrypted extension is appended to the affected files (for example, resume.doc becomes resume.doc.encrypted).
In addition to the ransomware carried by the Spritecoin fake wallet app, another piece of malware is dropped on the victim’s computer. It is indeed an information stealer looking to harvest certificates, as well as to perform other activities like image parsing, web camera activation, etc.
Researchers also observed that the payload file would not run in its current state without a particular patch in place. This is what they discovered:
Our test environment was a Windows XP SP3 machine, but due to a missing _snprintf_s function from msvcrt.dll the malware would not run. But it began once we patched our system to _snprintf. On initial execution, the malware copies itself to %APPDATA%\MoneroPayAgent.exe, and relaunches the new copy.
The following registry key is modified by the Spritecoin ransomware:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoneroPay %APPDATA%\MoneroPayAgent.exe
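The host artifacts named in the report (the MoneroPay Run-key entry, the copy dropped under %APPDATA%, the spritecoind.exe dropper name and the .encrypted file extension) are easy to check for on a suspect machine. The following is an added example, not code from the Fortinet report or from this article: a small indicator check that parses the text output of `reg query` for the Run key and a file listing, both constructed here as sample data so the script runs offline. On a real host you would feed it the actual `reg query` output and a directory walk; the function and variable names are this example's own.

```python
"""
Added example: indicator check for the Spritecoin / MoneroPay artifacts
described above. Inputs are constructed sample data, not captured host data.
"""
import re
from typing import Dict, List, Tuple

# Indicators quoted in the report.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_VALUE = "MoneroPay"                      # Run-key value name
PERSISTENCE_DATA = r"%APPDATA%\MoneroPayAgent.exe"   # Run-key value data
DROPPER_NAME = "spritecoind.exe"                     # original fake-wallet binary
DROPPED_COPY = "moneropayagent.exe"                  # self-copy under %APPDATA%
ENCRYPTED_EXT = ".encrypted"                         # extension appended to victims' files

# Constructed sample of `reg query <Run key>` output (one benign entry, one malicious).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    MoneroPay    REG_SZ    %APPDATA%\MoneroPayAgent.exe
"""

# Constructed sample file listing from a user profile.
SAMPLE_FILES = [
    r"C:\Users\alice\Downloads\spritecoind.exe",
    r"C:\Users\alice\Documents\resume.doc.encrypted",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Roaming\MoneroPayAgent.exe",
]

Finding = Tuple[str, str]  # (indicator kind, evidence)


def parse_run_entries(reg_output: str) -> Dict[str, str]:
    """Parse `reg query` output into {value_name: data}.

    Value lines look like '    Name    REG_SZ    data'; fields are separated
    by runs of two or more spaces, so a single space inside the data survives.
    """
    entries: Dict[str, str] = {}
    for line in reg_output.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            entries[parts[0]] = parts[2]
    return entries


def check_run_entries(entries: Dict[str, str]) -> List[Finding]:
    """Flag the persistence entry by value name or by the path it launches."""
    findings: List[Finding] = []
    for name, data in entries.items():
        if name == PERSISTENCE_VALUE or data.lower() == PERSISTENCE_DATA.lower():
            findings.append(("persistence", f"{RUN_KEY}\\{name} = {data}"))
    return findings


def check_files(paths: List[str]) -> List[Finding]:
    """Flag the dropper, its self-copy under %APPDATA% and encrypted files."""
    findings: List[Finding] = []
    for path in paths:
        base = path.rsplit("\\", 1)[-1].lower()
        if base == DROPPER_NAME:
            findings.append(("dropper", path))
        elif base == DROPPED_COPY and "\\appdata\\roaming\\" in path.lower():
            findings.append(("dropped_copy", path))
        elif base.endswith(ENCRYPTED_EXT):
            findings.append(("encrypted_file", path))
    return findings


def scan(reg_output: str, paths: List[str]) -> List[Finding]:
    """Run both checks and return every matching indicator."""
    return check_run_entries(parse_run_entries(reg_output)) + check_files(paths)


if __name__ == "__main__":
    for kind, evidence in scan(SAMPLE_REG_QUERY, SAMPLE_FILES):
        print(f"[{kind}] {evidence}")
```

The Run-key match deliberately keys on both the value name and the launched path, since either can be changed independently in later samples; the encrypted-file check is only a triage signal, as any file a user happens to name with .encrypted will also match.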
Lastly, the ransomware can be detected as one of the following AV signatures:
- W32/Ransom.F3F6!tr (Ransomware)
- W32/Agent.DDFA!tr (secondary payload of Monero)
- W32/Generic!tr (Backdoor)
Spritecoin Monero Ransomware Removal
Below you can find a set of manual removal instructions for the Spritecoin ransomware distributed in the form of a fake wallet app. Keep in mind that the analysed samples show the ransomware is complex, which means manual removal can be challenging even for tech-savvy users. The use of a professional anti-malware program is therefore recommended for maximum efficiency. Such a tool will scan the whole system to locate all malicious files associated with the threat so you can remove them with a few mouse clicks.