Bitcoin traders beware: Fake trading bot offer delivers RAT
As the price of Bitcoin keeps hitting surprising heights, more
and more cyber crooks are turning their sights on anything and anyone
who trades or uses the popular cryptocurrency.
The latest attempt to deliver malware to a specific group of Bitcoin users was spotted by Fortinet researchers.
A RAT is delivered
The malicious offer comes via email: a free trial of Gunbot, a new bitcoin trading bot developed by Gunthy.
The email carries an attachment – a VB Script that, when executed,
downloads a file that looks like a JPEG image file but is actually a
PE binary.
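The lure relies on a file whose extension says "image" while its contents say "Windows executable". Below is an added defender-side check, not code from the article or from Fortinet, that compares the claimed type (extension) with the real type (magic bytes); the sample headers are constructed here, not taken from the campaign.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG starts with SOI + marker prefix
PE_SIGNATURE = b"PE\x00\x00"   # NT header signature at offset e_lfanew


def is_pe(data: bytes) -> bool:
    """True if data carries a Windows PE header (MZ stub + 'PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset of the NT header) lives at 0x3C in the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def is_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)


def classify_download(filename: str, data: bytes) -> str:
    """Label a downloaded file by its real content, flagging a PE that
    arrives under an image extension as the article describes."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    claims_image = ext in ("jpg", "jpeg")
    if is_pe(data):
        return "pe-disguised-as-image" if claims_image else "pe"
    if is_jpeg(data):
        return "jpeg"
    return "unknown"


# Constructed samples (not from the campaign): a minimal PE header and a JPEG header.
def _fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    return bytes(hdr) + PE_SIGNATURE + b"\x00" * 20


FAKE_PE = _fake_pe()
FAKE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    print(classify_download("photo.jpg", FAKE_PE))    # pe-disguised-as-image
    print(classify_download("photo.jpg", FAKE_JPEG))  # jpeg
```

A mail gateway or endpoint agent can apply the same check to any attachment or download before the extension is trusted.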
“At first glance, the downloaded executable appears to be a benign
inventory system tool with a lot of references to SQL commands for
inventory procedures. After further analysis, however, we found that it
is a trojanized version of an open source inventory system tool named
TTJ-Inventory System,” the researchers found.
Ultimately, this malicious file ends up installing a number of executables.
One of these executables makes sure that the malware will be executed
each time the system is rebooted. Another one is the Orcus RAT server.
“Orcus, although advertised as a Remote Administration Tool, offers
features that are beyond that scope. For instance, the user has the
ability to disable the light indicator on webcams so as to not alert the
target that it’s active. It can also implement a watchdog that restarts
the server component or even trigger a Blue Screen of Death (BSOD) if
someone tries to kill its process,” the researchers noted.
“A plugin that can be used to perform Distributed Denial of Service
(DDOS) is also available directly from their repository. These are, of
course, on top of the obviously ominous features such as password
retrieval and key logging that are normally seen in Remote Access
Trojans.”
Just a part of a broader malicious effort
The site from which the malware is downloaded is parked on the https://bltcointalk(.)com domain, which is still up and accessible, and researchers found other domains registered by the same actor.
It seems obvious they are meant to host fake sites impersonating
Bitcoin and Litecoin marketplace and auction site Bitify, Bitcoin forum
Bitcointalk, the GitHub code repository, and the Gunthy website.
Some of these domains are active, and sport decent copies of the
legitimate sites they impersonate. They have likely been set up to
harvest login credentials or make visitors download malware.
Thank you for sharing! I've never thought about fake trading robots, because I've always used the very secure virtual trading bots from https://tradingbot-solutions.com/pages/virtual-trading-bot. But after reading your article I'm more aware of such fake e-mails, like the one you mentioned. Thank you very much!