Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Researchers Uncover Ongoing Bitcoin Theft Campaign

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

The attack typically begins with a phishing email with the subject line ‘Wallet Backup.’ The attackers have apparently targeted by people they know use Bitcoin by scraping popular BTC sites for email addresses, LogRhythm’s Greg Foss explained in a blog post.

A link in the email redirects to a site and downloads the file ‘Backup.zip.’ Analyzing the metrics around the malicious link show that roughly 2,000 users have clicked on the link since the malware campaign was launched Jan. 6.

Advertisement. Scroll to continue reading.

“A majority of the clicks were through unknown sources, most likely e-mail, though other sources such as Reddit were also used to propagate the attack,” Foss blogged. “After extracting the contents and running the files through some quick analysis, it is apparent that each file plays a significant role in the overall attack. They anticipate that the user will open Passwords.txt.lnk first, and then view wallet.dat, as only these two files are visible unless ‘show hidden files’ is turned on in Windows. Running strings on Password.txt appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts.”

Bitcoins are hardly a new target for hackers. In October, attackers stole $1 million in bitcoins from Inputs.io. More recently, the malware attack that hit Yahoo users in Europe earlier this month was designed to create a large network of machines for bitcoin mining.

In the attack discovered by LogRhythm, the malware appears to lay dormant on the machine until the victim opens their bitcoin wallet using the BitcoinQT software.

“This is the obvious intended target, as the malware is hard-coded for windows hosts and the screenshot included in the .zip file suggests the use of BitcoinQT by showing a screenshot of the included wallet.dat file which happens to contain a very tempting ~30 BTC,” Foss blogged.

“Once BitcoinQT.exe is opened, the software appears to connect back to the attacker’s network, however it is difficult to tell immediately which IP addresses are related to the malware, though this is only one potential avenue,” he added.

RelatedBitcoin Exchanges Hit By Hackers

RelatedCyber Thieves Blamed for Bitcoin Heist

RelatedMac Malware Targets Bitcoin Wallet Logins

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.