A new stealer malware called CoinLurker is targeting cryptocurrency users through fake software update notifications. Written in the Go programming language, it employs advanced obfuscation techniques to evade detection.
Attack Methodology:
– Fake update alerts through compromised WordPress sites
– Malvertising redirects
– Phishing emails with spoofed update pages
– Fake CAPTCHA verifications
– Direct downloads from fraudulent sites
– Social media and messaging app links
The malware uses Microsoft Edge WebView2 to execute its payload and employs EtherHiding, a technique in which the loader's retrieval logic is kept in a blockchain smart contract so that it cannot be taken down; the stage it retrieves in this campaign is hosted in Bitbucket repositories and disguised as a legitimate update. These executables are signed with stolen Extended Validation (EV) certificates so that they pass as legitimate software, which means a valid signature alone is not evidence that an update is genuine.
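A hunting rule that follows from the WebView2 detail above, written here as an added example rather than anything published with the CoinLurker analysis: the WebView2 runtime is normally hosted by an installed application, so a msedgewebview2.exe whose parent runs from Downloads or a Temp folder is the shape a fake "update" dropper produces. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the trusted install roots and user-writable path fragments are assumptions for a default Windows layout, and the sample events are constructed, not real telemetry.

```python
"""Added hunting example (not code from the CoinLurker report): flag WebView2
host processes (msedgewebview2.exe) started by a parent running from a
user-writable directory such as Downloads or a Temp folder."""
import json
import ntpath

# Install roots a legitimate WebView2 host application normally runs from.
# Assumed default Windows layout; stored lowercase for case-insensitive matching.
TRUSTED_PARENT_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Path fragments marking user-writable locations a freshly downloaded
# "update" binary would typically execute from (assumed for this example).
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
)


def is_suspicious_webview2_launch(event):
    """Return True for a process-creation event in which msedgewebview2.exe is
    spawned by a parent that is outside the trusted install roots and inside a
    user-writable path. Any other event (other images, trusted parents) is False."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "msedgewebview2.exe":
        return False
    parent = event.get("ParentImage", "").lower()
    if parent.startswith(TRUSTED_PARENT_PREFIXES):
        return False
    return any(marker in parent for marker in USER_WRITABLE_MARKERS)


def scan_events(json_lines):
    """Parse newline-delimited JSON process-creation events (Sysmon Event ID 1
    field names) and return the suspicious ones as
    (parent_image, image, command_line) tuples, in input order."""
    hits = []
    for raw in json_lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if is_suspicious_webview2_launch(event):
            hits.append((event["ParentImage"], event["Image"],
                         event.get("CommandLine", "")))
    return hits


# Constructed sample telemetry for illustration, not real events.
_RUNTIME = ("C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application"
            "\\120.0.2210.91\\msedgewebview2.exe")
SAMPLE_EVENTS = [json.dumps(e) for e in [
    # Benign: an installed application hosting WebView2.
    {"EventID": 1, "Image": _RUNTIME,
     "ParentImage": "C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe",
     "CommandLine": _RUNTIME + " --embedded-browser-webview=1"},
    # Suspicious: a "browser update" downloaded by the user spawns WebView2.
    {"EventID": 1, "Image": _RUNTIME,
     "ParentImage": "C:\\Users\\alice\\Downloads\\Chrome_Update_v121.exe",
     "CommandLine": _RUNTIME + " --embedded-browser-webview=1"},
    # Unrelated: a Downloads binary spawning cmd.exe is not this rule's concern.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Suspicious: a copy of the runtime launched from a Temp-folder "updater".
    {"EventID": 1,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wv2\\msedgewebview2.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\EdgeUpdate.exe",
     "CommandLine": "msedgewebview2.exe --type=renderer"},
]]

if __name__ == "__main__":
    for parent, image, cmd in scan_events(SAMPLE_EVENTS):
        print(f"SUSPICIOUS parent={parent} image={image} cmd={cmd}")
```

The rule keys on the parent's location rather than on where msedgewebview2.exe itself lives, because applications may ship a fixed-version runtime in their own folder or use the per-user runtime under %LOCALAPPDATA%; it is deliberately narrow, so extend USER_WRITABLE_MARKERS to match your environment and add an allowlist if a line-of-business application legitimately runs from a user-writable path.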
Key Features:
– Advanced obfuscation techniques
– Memory-based payload decoding
– Process behavior concealment
– Socket-based communication with remote servers
Target Data:
– Cryptocurrency wallets (Bitcoin, Ethereum, Ledger Live, Exodus)
– Telegram accounts
– Discord profiles
– FileZilla credentials
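A host triage script for the target list above, added here as an example and not part of the original report: it inventories the wallet and credential artifacts a stealer of this kind collects and reports which of them were last read after a given moment, such as the execution time of the suspect "update" binary. The per-application paths are the commonly documented default locations and are assumptions of this example, not locations taken from the CoinLurker analysis; the demo profile it builds is constructed data.

```python
"""Added triage example (not code from the CoinLurker report): inventory the
wallet and credential artifacts a stealer of this kind collects and report
which of them were read after a given moment, e.g. the execution time of a
suspect "update" binary."""
import os
import tempfile
from pathlib import Path

# Default artifact locations relative to a Windows user profile. These are the
# commonly documented paths for each application and are assumptions of this
# example, not locations taken from the CoinLurker analysis.
STEALER_TARGETS = {
    "Bitcoin Core": ["AppData/Roaming/Bitcoin/wallets",
                     "AppData/Roaming/Bitcoin/wallet.dat"],
    "Ethereum (geth keystore)": ["AppData/Roaming/Ethereum/keystore"],
    "Ledger Live": ["AppData/Roaming/Ledger Live"],
    "Exodus": ["AppData/Roaming/Exodus/exodus.wallet"],
    "Telegram Desktop": ["AppData/Roaming/Telegram Desktop/tdata"],
    "Discord": ["AppData/Roaming/discord/Local Storage/leveldb"],
    "FileZilla": ["AppData/Roaming/FileZilla/sitemanager.xml",
                  "AppData/Roaming/FileZilla/recentservers.xml"],
}


def inventory(profile_root):
    """Return {application: {relative_path: {atime, mtime, size}}} for every
    target artifact that exists under profile_root."""
    root = Path(profile_root)
    found = {}
    for app, rel_paths in STEALER_TARGETS.items():
        for rel in rel_paths:
            p = root / rel
            if not p.exists():
                continue
            st = p.stat()
            found.setdefault(app, {})[rel] = {
                "atime": st.st_atime, "mtime": st.st_mtime, "size": st.st_size}
    return found


def accessed_since(inv, epoch_seconds):
    """List (application, relative_path) for artifacts whose last-access time is
    at or after epoch_seconds. A wallet file read minutes after a fake updater
    ran is the collection step of a stealer; a read is not a modification, so
    mtime alone would not show it."""
    return [(app, rel)
            for app, entries in inv.items()
            for rel, meta in entries.items()
            if meta["atime"] >= epoch_seconds]


def make_demo_profile():
    """Build a constructed profile in a temp directory: an Exodus wallet last
    read after the boundary time and a FileZilla config untouched since before
    it. Returns (profile_root, boundary_epoch_seconds)."""
    root = tempfile.mkdtemp(prefix="stealer-triage-")
    boundary = 1_700_000_000  # constructed "updater ran at" timestamp
    wallet = Path(root, "AppData/Roaming/Exodus/exodus.wallet")
    wallet.parent.mkdir(parents=True)
    wallet.write_bytes(b"constructed wallet blob")
    os.utime(wallet, (boundary + 120, boundary - 86_400))  # (atime, mtime)
    sites = Path(root, "AppData/Roaming/FileZilla/sitemanager.xml")
    sites.parent.mkdir(parents=True)
    sites.write_text("<FileZilla3/>")
    os.utime(sites, (boundary - 86_400, boundary - 86_400))
    return root, boundary


if __name__ == "__main__":
    root, boundary = make_demo_profile()
    for app, rel in accessed_since(inventory(root), boundary):
        print(f"READ AFTER SUSPECT EXECUTION: {app}: {rel}")
```

Run it against a forensic copy, or at least before any further handling of the live profile, since every read (including your own antivirus scan or backup job) updates the last-access time. NTFS last-access updates can also be disabled on the volume (check with `fsutil behavior query disablelastaccess`), so treat a hit as a lead to correlate with process and network telemetry rather than as proof of theft, and treat an empty result on a volume with updates disabled as no information at all.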
Recent investigations have also uncovered related malvertising campaigns that have targeted graphic design professionals through Google Search ads since November 2023. Separately, a new malware family called I2PRAT has emerged that uses the I2P peer-to-peer anonymity network for encrypted C2 communications.
The sophistication of CoinLurker and its focus on cryptocurrency-related data make it a significant threat to users in the digital currency ecosystem.