target cryptocurrency users with new malware

In March this year, over $600 million worth of cryptocurrency was stolen from the Ronin Network in one of the largest blockchain hacking incidents to date.

How to Defend Against Cryware Attacks

According to the Microsoft team, Microsoft Defender Antivirus and Microsoft Defender SmartScreen can recognize and block Cryware. The researchers noted that the best defense against cyberattacks targeting hot wallets is to secure the following critical access points:

  • Private key
  • Seed phrase
  • Public key
  • Wallet password

Phishing is one of the most popular techniques hackers employ to gain access to and steal assets from the wallets of cryptocurrency users.


These findings highlight the need for groups to defend themselves against crypto malware like AppleJeus. CISA recommended that they begin by investing in security awareness training that uses test attacks to educate their users about social engineering, spearphishing emails and other common digital threats.

CISA also noted that groups should consider using the principle of least privilege to limit the rights user accounts have.
They should also patch vectors where threat actors might escalate their privilege in the system.

If you suspect your business has an AppleJeus crypto malware infection, there are some things you can do. CISA advised that you activate your incident response plans, remove any affected hosts from the network and contact the FBI, CISA or Department of the Treasury.

David Bisson is an infosec news junkie and security journalist.

Cybercriminals have increasingly turned to blockchain technology and cryptocurrencies in recent years in order to generate quick profits.

Consequently, experts have discovered that malicious actors are now actively using Echelon malware with the auto-download functionality of Telegram, according to SafeGuard Cyber’s D7 threat intelligence team.

Specifically, this malware has a variety of capabilities to compromise the data and privacy of a user’s computer or mobile device.

Warning ❗️ An attack on thematic @telegram crypto chats ongoing now.


These techniques include memory dumping, clipping and switching, phishing, and social engineering.

In one scenario, the Microsoft team revealed that attackers can use Cryware to swap a user’s wallet address with the attacker’s address by stealthily modifying the contents of the clipboard when the user copies their hot wallet address.
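As an added example that is not part of the Microsoft report, the following Python sketch shows a defender-side heuristic for the clipboard swap described above: it compares what the user actually copied with what the clipboard later holds and flags a wallet address that silently turns into a different address. The event list, the `ClipEvent` record, the polling source names and the sample addresses are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Assumed address shapes: Ethereum hex addresses, Bitcoin base58 legacy and bech32.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
}

def address_kind(text):
    """Return which wallet-address pattern the text matches, or None."""
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return kind
    return None

@dataclass
class ClipEvent:
    ts: float       # seconds since monitoring started (constructed)
    source: str     # "user_copy" = user-initiated copy, "observed" = clipboard poll
    content: str

def detect_clipper(events, max_gap=2.0):
    """Flag polls where an address the user copied became a different address.

    Returns a list of (timestamp, copied_address, replacement_address).
    """
    alerts = []
    last_user = None  # most recent user-initiated copy
    for ev in events:
        if ev.source == "user_copy":
            last_user = ev
            continue
        if last_user is None or not address_kind(last_user.content):
            continue
        swapped = (address_kind(ev.content) is not None
                   and ev.content.strip() != last_user.content.strip())
        if swapped and ev.ts - last_user.ts <= max_gap:
            alerts.append((ev.ts, last_user.content, ev.content))
            last_user = None  # report each swap once
    return alerts

# Constructed sample: the user copies their own address, a poll sees it replaced.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "user_copy", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ClipEvent(0.3, "observed", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ClipEvent(0.8, "observed", "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),
    ClipEvent(10.0, "user_copy", "meeting notes"),
    ClipEvent(10.4, "observed", "meeting notes"),
]

if __name__ == "__main__":
    for ts, copied, seen in detect_clipper(SAMPLE_EVENTS):
        print(f"t={ts}s: copied {copied} but clipboard now holds {seen}")
```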

Compared to other forms of cryptocurrency cyberattacks, such as cryptojacking, Cryware is a multi-pronged attack on cryptocurrency hot wallets, the report states.

However, some security researchers argue that these types of attacks are not new and Microsoft is simply trying to create a new malware classification.

“Microsoft is now calling info-stealers that target cryptocurrency wallets….cryware!” online security researcher Lawrence Abrams tweeted.

“Please stop making up new malware classifications.

Moreover, they have been “socially engineering them” to download the infected application.

The Malware Overview

ESET researchers tested multiple samples from Licatrade to analyze this malware. They said that it has a few differences compared to the malware found on the other applications.
However, it still functions similarly.

The trojan installs a shell script on the targeted computer which gives the attacker access to the user’s system via the application. This shell script then lets the attackers set up several command-and-control servers, also called C&C or C2, which communicate over HTTP between their infrastructure and the victim’s system.

Notably, these C2 servers help criminals to communicate with the compromised machine continuously.

It’s confusing enough for many as it is,” he added.

What Are Hot Wallets?

Hot wallets are virtual wallets that can be used to buy, sell, and store digital assets like cryptocurrency and Non-fungible Tokens (NFTs). They can be downloaded as a program like Exodus or a browser extension like MetaMask.
A hot wallet is user-controlled, meaning that it is “non-custodial.” Wallets offered by coin exchanges like Coinbase are “custodial” wallets.

Cyberattacks targeting vulnerable hot wallets have been on the rise since the beginning of this year, the Microsoft report notes. Unlike a “cold wallet” — which is offline and can be stored on physical devices like the Nano Ledger — a hot wallet is a software that is constantly connected to the internet.

Additionally, they have copied the site of the company and are now promoting at least four new copycat applications, namely Cointrazer, Cupatrade, Licatrade, and Trezarus. These copycat apps come packed with malware.

The fake sites have a download button that links to a ZIP archive containing the trojanized version of the app.
Based on the report by ESET, all these applications have full support for all trading functionalities. The researchers wrote:

“For a person who doesn’t know Kattana, the websites do look legitimate.”

According to the discovery by the researchers, the perpetrators have been directly and repeatedly contacting their targets.

The latest reports indicate that hackers have managed to steal crypto from crypto traders using a new trojan targeting trading applications on Apple’s macOS. This attack used malware known as GMERA.

The ESET internet security company found that the malware comes well-integrated into legitimate-looking crypto trading applications.
The malware tries to steal the users’ crypto funds from their wallets.

Researchers at the cybersecurity firm Trend Micro initially discovered the GMERA malware in September 2019. At that time, the malware was posing as the Mac-specific stock investment application Stockfolio.

Regenerating The Real Apps

ESET also discovered that the malware operators have meticulously integrated GMERA into the original macOS crypto trading application Kattana.

A version of a cryptocurrency trading app bearing the trojan infected an undisclosed victim’s computer. Bearing the name Celas Trade Pro, AppleJeus infected the victim with FALLCHILL. This remote administration tool let attackers remotely issue commands using a command-and-control server.

Next, CISA found that a phishing email from an LLC company had helped to distribute the trojan in the app.

The second instance of AppleJeus arrived more than a year later, in October 2019. At that time, a company called ‘JMT Trading’ marketed and spread the crypto malware. They claimed it was a cryptocurrency trading app. A download button on the website linked to the company’s GitHub page.

AppleJeus’ to steal cryptocurrency.

In a joint advisory published with the FBI and the Department of the Treasury, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned that the Hidden Cobra threat group was using AppleJeus to target cryptocurrency exchanges, financial service companies and similar entities.

The malicious actors used trojanized versions of cryptocurrency trading apps to spread the crypto malware. From there, they could prey upon businesses and steal cryptocurrency from specific users’ wallets.

Read on to learn about the many times AppleJeus has appeared over the past few years.

The Seven Known Faces of AppleJeus

CISA used open-source techniques and other means to spot seven instances of Hidden Cobra’s AppleJeus crypto malware.

The first version emerged in August 2018.

There, victims could download the Windows and macOS versions of the crypto malware.

Crypto Malware Hides in Fake Trading Apps

Later that same year, a cybersecurity company formally detected the third iteration of AppleJeus. This time it was hiding inside a cryptocurrency trading app pushed out by a company called ‘Union Crypto’.

The researchers did not spot any download links on the company’s website at the time of their work. However, a malware researcher discovered a download link that led to the macOS version. Meanwhile, open-source reporting suggested that the Windows version might have spread on Telegram channels.

The fourth version of the crypto malware arrived in March 2020. As with the cases described above, the malware relied on a fake company for distribution — Kupay Wallet, in this instance.
