Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Researchers Uncover Ongoing Bitcoin Theft Campaign

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

The attack typically begins with a phishing email with the subject line ‘Wallet Backup.’ The attackers have apparently targeted by people they know use Bitcoin by scraping popular BTC sites for email addresses, LogRhythm’s Greg Foss explained in a blog post.

A link in the email redirects to a site and downloads the file ‘Backup.zip.’ Analyzing the metrics around the malicious link show that roughly 2,000 users have clicked on the link since the malware campaign was launched Jan. 6.

“A majority of the clicks were through unknown sources, most likely e-mail, though other sources such as Reddit were also used to propagate the attack,” Foss blogged. “After extracting the contents and running the files through some quick analysis, it is apparent that each file plays a significant role in the overall attack. They anticipate that the user will open Passwords.txt.lnk first, and then view wallet.dat, as only these two files are visible unless ‘show hidden files’ is turned on in Windows. Running strings on Password.txt appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts.”

Advertisement. Scroll to continue reading.

Bitcoins are hardly a new target for hackers. In October, attackers stole $1 million in bitcoins from Inputs.io. More recently, the malware attack that hit Yahoo users in Europe earlier this month was designed to create a large network of machines for bitcoin mining.

In the attack discovered by LogRhythm, the malware appears to lay dormant on the machine until the victim opens their bitcoin wallet using the BitcoinQT software.

“This is the obvious intended target, as the malware is hard-coded for windows hosts and the screenshot included in the .zip file suggests the use of BitcoinQT by showing a screenshot of the included wallet.dat file which happens to contain a very tempting ~30 BTC,” Foss blogged.

“Once BitcoinQT.exe is opened, the software appears to connect back to the attacker’s network, however it is difficult to tell immediately which IP addresses are related to the malware, though this is only one potential avenue,” he added.

RelatedBitcoin Exchanges Hit By Hackers

RelatedCyber Thieves Blamed for Bitcoin Heist

RelatedMac Malware Targets Bitcoin Wallet Logins

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Mike Byron has been named Chief Financial Officer (CFO) at Exabeam.

Ex-GitHub chief technology officer Mike Hanley has joined GM as CISO.

Network security and compliance assurance firm Titania has appointed Victoria Dimmick as CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.