Cybercriminals never stop innovating, and they are particularly attracted to cryptocurrencies. Maybe you’re on your merry way exploring the internet without knowing how many landmines you’re going to step on. It never hurts to be cautious and stay on top of the latest security trends when it comes to protecting your crypto funds.
To give you an idea of how big this evil business is for malicious parties, according to Chainalysis, about $24.2 billion was received by illegal crypto addresses in 2023. Don’t be part of the next number! Let’s take a look at some new malware techniques to be aware of this year and how you can protect yourself against them.
A backdoor in macOS
It’s not exactly a good idea to download apps from unofficial sites, and this is a good example of why. Earlier this year, cybersecurity firm Kaspersky Lab discovered a new threat targeting macOS users’ cryptocurrency wallets, which was hidden in pirated software available on torrent and pirate websites.
When users install these seemingly free programs, they unknowingly allow malware onto their computers. The initial step involves an application called “Activator”, which asks users to provide administrative access. This gives the malware the necessary permissions to install itself and disable the normal function of the pirated software, tricking users into thinking they need this Activator to run the software.
Once installed, the malware contacts a remote server to download further malicious instructions. These instructions help the malware create a backdoor, giving hackers continuous access to the infected computer. The main purpose of this malware is to steal cryptocurrency. It replaces legitimate wallet apps like Exodus and Bitcoin-Qt with infected versions.
These altered apps then capture sensitive information, such as recovery phrases and wallet passwords, and send it to the hackers – effectively draining your crypto funds. If a suspicious “Activator” installer appears right after you download a ‘free’ app, do not give it access, and remove it immediately!
Vortax, Web3 Games and “Markopolo”
The Vortax campaign is a fraudulent malware operation targeting cryptocurrency users, discovered by Recorded Future’s researchers. The cybercriminals behind this scheme use fake but legitimate-looking applications to infect both Windows and macOS devices with information-stealing malware. Posing as virtual meeting software called Vortax, the app looks credible, with a website indexed by search engines, a blog with AI-generated articles and social media accounts on platforms like X, Telegram and Discord. The threat actor engages potential victims in cryptocurrency-themed discussions, urging them to download the Vortax app under the guise of joining a virtual meeting.
Once users follow the instructions provided, they are redirected to download links that install the Vortax software. However, instead of a functional application, the installation files deliver malware such as Rhadamanthys, Stealc or Atomic Stealer (AMOS). The Vortax application appears to be non-functional due to deliberate errors, while in the background the malware begins to steal sensitive information—including passwords and seed phrases. Further investigation revealed that the Vortax campaign was linked to several domains hosting similar malicious applications and fake web3 games, suggesting a well-organized effort by the threat actor identified as Markopolo.
Markopolo’s tactics include using social media and messaging platforms to spread their malware, which also masquerades as brands and games such as VDeck, Mindspeak, ArgonGame, DustFighter, and Astration. This strategy not only widens their reach, but also increases the likelihood that users will be tricked into downloading the malicious software. The campaign’s sophistication and adaptability imply that future attacks could become even more common, highlighting the need for users to exercise caution when downloading third-party software, especially if someone seems to be pushing suspiciously hard for it.
Pytoileur, a trap for Python developers
Sonatype researchers have uncovered a new threat targeting cryptocurrency users through a malicious Python package called “pytoileur.” Disguised as a legitimate API management tool, pytoileur tricks users into downloading it from the Python Package Index (PyPI). Once installed, the package secretly retrieves and installs malicious software designed to steal cryptocurrencies by accessing sensitive information stored on the victim’s device.
The malicious package was cleverly hidden within seemingly innocent code. It downloaded a dangerous executable file that, once executed, performed various malicious activities. These include modifying system settings, maintaining a presence on the device to avoid detection, and, most importantly, attempting to steal cryptocurrency from wallets and accounts associated with popular services such as Binance, Coinbase, and Crypto.com. By accessing browser data and other financial details, the malware can harvest digital assets without the victim’s knowledge.
The spread of pytoileur involved social engineering tactics, including exploiting community platforms such as Stack Overflow to entice developers to download the package under the guise of solving technical problems. This incident is part of a broader “Cool package” campaign, which marks an ongoing effort by cybercriminals to target cryptocurrency users through sophisticated and evolving methods. Mend.io, another security firm, has identified more than 100 malicious packages on PyPI.
Developers can avoid malicious packages by downloading from trusted sources, verifying package integrity, and reviewing the code before use. Keeping up to date with security advice and using automated security tools also helps.
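One concrete form of “verifying package integrity” is pip’s hash pinning: every requirement carries a `--hash=sha256:…` option and `pip install --require-hashes` refuses any download whose digest does not match. The script below is an added example, not code from the page, Sonatype or pip itself; it re-implements that check in plain Python so you can see what is being compared. The package name `example-api-tool`, the in-memory “wheel” bytes and the tampered copy are constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for a downloaded package file (a real wheel is a zip archive;
# the integrity check only cares about bytes). This is not the real pytoileur artifact.
GENUINE_ARTIFACT = b"PK\x03\x04 constructed placeholder wheel for the example\n"
TAMPERED_ARTIFACT = GENUINE_ARTIFACT + b"# one extra byte is enough to change the digest\n"

def file_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an artifact using the algorithm named in the --hash option."""
    return hashlib.new(algo, data).hexdigest()

# Constructed requirements file in pip's real hash-pinning syntax
# (what `pip install --require-hashes -r requirements.txt` consumes).
# The package name is an assumption made for this example.
PINNED_REQUIREMENTS = f"""
# every requirement carries at least one --hash; pip refuses anything that does not match
example-api-tool==1.2.0 \\
    --hash=sha256:{file_digest(GENUINE_ARTIFACT)}
"""

HASH_OPTION_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")
NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==")

def parse_pinned_hashes(requirements: str) -> dict:
    """Map each pinned package name to the set of (algorithm, digest) pairs allowed for it."""
    pinned = {}
    current = None
    # a backslash-newline continues a requirement onto the next line
    for raw in requirements.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = NAME_RE.match(line)
        if name:
            current = name.group(1).lower()
            pinned.setdefault(current, set())
        if current is None:
            continue
        for opt in HASH_OPTION_RE.finditer(line):
            pinned[current].add((opt.group("algo"), opt.group("digest").lower()))
    return pinned

def verify_artifact(name: str, data: bytes, pinned: dict) -> bool:
    """Accept the artifact only if it matches a pinned digest for that package.
    A package with no pin at all is rejected outright, which is how --require-hashes behaves."""
    allowed = pinned.get(name.lower())
    if not allowed:
        return False
    return any(file_digest(data, algo) == digest for algo, digest in allowed)

def run_checks() -> dict:
    """Genuine file passes, a modified file fails, and a package nobody pinned fails."""
    pinned = parse_pinned_hashes(PINNED_REQUIREMENTS)
    return {
        "genuine": verify_artifact("example-api-tool", GENUINE_ARTIFACT, pinned),
        "tampered": verify_artifact("example-api-tool", TAMPERED_ARTIFACT, pinned),
        "unpinned": verify_artifact("pytoileur", GENUINE_ARTIFACT, pinned),
    }

if __name__ == "__main__":
    for artifact, ok in run_checks().items():
        print(f"{artifact}: {'accepted' if ok else 'REJECTED'}")
```

The third case is the one that matters for the Stack Overflow lure described above: a package that a forum answer tells you to install is, by construction, not in your pinned requirements, so a hash-checked install refuses it instead of quietly pulling it in.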
P2PInfect, a teeming threat
Identified by Cado Security, P2PInfect is a sophisticated malware that uses a peer-to-peer botnet for control. In other words, the malware detects whether a computer belongs to a network, infects the connected devices, and has them communicate with and control each other directly, without relying on a central server. The updated form initially appeared dormant, but now includes ransomware and crypto-mining capabilities.
Upon infection, it spreads primarily through vulnerabilities in Redis, a popular database system, which allows the malware to execute arbitrary commands and spread itself across connected systems. The botnet function ensures rapid distribution of updates, and maintains an extensive network of compromised devices – for example, in an entire company.
Victims typically encounter P2PInfect via insecure Redis configurations or through SSH (Secure Shell) login attempts against remote systems using generic credentials. Once active on a victim’s system, P2PInfect installs a crypto miner that targets the Monero cryptocurrency. This miner activates after a short delay and generates cryptocurrency using the system’s resources, secretly sending the earnings to the attacker’s wallet and slowing down the device.
The ransomware component encrypts (blocks) files and demands a crypto payment to get them back, although its effectiveness is limited due to the typical permissions of infected Redis servers. The attacker’s Monero wallet accumulated about 71 XMR, equivalent to about $12,400. This illustrates the financial success of the campaign despite the potentially limited impact of the ransomware, given the typically low-value data stored by Redis. To avoid this malware, remember to secure Redis configurations and regularly monitor for unusual activity.
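“Secure Redis configurations” is vague on its own, so here is an added example (not code from the page or from Cado Security) of a small audit script that reads a `redis.conf` and flags the settings that make an instance reachable and unauthenticated: a wildcard `bind`, `protected-mode no`, no `requirepass` or ACL `user`, and administrative commands such as `CONFIG` and `MODULE` left under their default names. The two sample configurations are constructed for the example; the directive names are real Redis ones.

```python
# Constructed sample configurations; neither is taken from the page or a real deployment.
WEAK_CONFIG = """
# reachable from any network, no password, administrative commands still enabled
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONFIG = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
# disable commands an intruder would use to rewrite settings or load modules
rename-command CONFIG ""
rename-command MODULE ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command DEBUG ""
"""

# Commands that should be renamed or disabled on any instance that is not strictly local.
DANGEROUS_COMMANDS = ("CONFIG", "MODULE", "REPLICAOF", "SLAVEOF", "DEBUG")
WILDCARD_BINDS = ("0.0.0.0", "*", "::")

def parse_redis_conf(text: str) -> list:
    """Return (directive, [args]) pairs in file order; comments and blank lines are dropped.
    A '#' inside a quoted value is not handled, so keep passwords free of it here."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_redis_conf(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    directives = {}
    renamed = set()
    for key, args in parse_redis_conf(text):
        if key == "rename-command" and len(args) >= 2:
            renamed.add(args[0].upper())  # renamed or disabled with "" both count
        else:
            directives[key] = args  # last occurrence wins, as Redis itself does
    findings = []
    binds = directives.get("bind")
    if binds is None:
        findings.append("no bind directive: the instance listens on every interface")
    elif any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind exposes the instance on every interface")
    protected = (directives.get("protected-mode") or ["yes"])[0].lower()
    if protected != "yes":
        findings.append("protected-mode is disabled")
    if "requirepass" not in directives and "user" not in directives:
        findings.append("no authentication configured (requirepass or ACL users)")
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} command is reachable under its default name")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_redis_conf(conf) or ['no findings']}")
```

Run against the weak sample the script reports eight findings; against the hardened one it reports none. Pair it with the monitoring the text recommends: a Redis server that suddenly shows high CPU use, new keys it never stored, or cron entries it did not create is the “unusual activity” worth investigating.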
Fake AggrTrade, and other malicious extensions
The fake AggrTrade Chrome extension, described by security firm SlowMist, was a malicious tool that tricked users into losing significant amounts of cryptocurrency. The extension posed as a legitimate trading tool (AggrTrade) but was only designed to steal funds. Users unknowingly installed it, which then exploited their access to cryptocurrency exchanges and trading platforms by hijacking sensitive information—passwords and credentials.
The extension functioned by capturing cookies and other session data, which allowed it to impersonate users’ logins and perform unauthorized transactions. This led to the theft of about $1 million in total. It was spread through deceptive tactics via social media and marketing promotion that lured victims into downloading and installing it, often from unofficial or suspicious sources.
This particular threat has already been eliminated, but it is only one example among many such efforts. Currently, several other malicious Chrome extensions masquerade as genuine trading services aimed at stealing crypto. To protect yourself, only install extensions from trusted sources, regularly check permissions, and monitor your accounts for unusual activity.
Also remember that all browser extensions are capable of tracking your entire browsing history, seeing what you do on every website, and stealing cookies and other private data. If you use hardware or paper wallets for significant amounts and keep security software updated, you can also improve your protection against such threats.
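“Regularly check permissions” is easier with a concrete checklist. The script below is an added example (not from the page or from SlowMist) that reads a Chrome extension’s `manifest.json` and points out the combination that made the AggrTrade case possible: the `cookies` permission together with host access to every site, which lets an extension read session cookies for any logged-in exchange. Both manifests are constructed for the example; the permission names and host patterns are real Chrome ones.

```python
import json

# Constructed manifest imitating what a data-stealing "trading helper" tends to request.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Trading Helper (constructed example)",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "webRequest", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Constructed manifest for a benign price ticker that only talks to one API host.
MINIMAL_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Price Ticker (constructed example)",
    "version": "2.1",
    "permissions": ["storage"],
    "host_permissions": ["https://api.example-prices.invalid/*"],
})

# Permissions that let an extension read session cookies, watch every page or rewrite traffic.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read or modify cookies, i.e. session tokens, for sites it has host access to",
    "webRequest": "observe every HTTP request the browser makes",
    "webRequestBlocking": "modify or block requests in flight",
    "tabs": "see the URL and title of every open tab",
    "scripting": "inject code into pages it has host access to",
    "debugger": "attach the devtools protocol to tabs",
    "nativeMessaging": "talk to a native program outside the browser sandbox",
    "clipboardRead": "read whatever is on the clipboard",
}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def audit_manifest(manifest_json: str) -> dict:
    """Summarise the risky permissions and host reach declared by an extension manifest."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    hosts = list(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:
        # MV2 mixes host patterns into "permissions"
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for cs in m.get("content_scripts", []):
        hosts += cs.get("matches", [])
    broad_hosts = sorted({h for h in hosts if h in BROAD_HOST_PATTERNS})
    risky = sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS)
    # cookies plus access to every site means logged-in sessions can be copied from anywhere
    can_replay_sessions = "cookies" in perms and bool(broad_hosts)
    score = len(risky) + (2 if broad_hosts else 0) + (3 if can_replay_sessions else 0)
    return {
        "name": m.get("name", "?"),
        "risky_permissions": {p: HIGH_RISK_PERMISSIONS[p] for p in risky},
        "broad_host_access": broad_hosts,
        "can_replay_sessions": can_replay_sessions,
        "risk_score": score,
    }

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, MINIMAL_MANIFEST):
        print(json.dumps(audit_manifest(manifest), indent=2))
```

To check an installed extension, open its folder under your browser profile and feed its `manifest.json` to `audit_manifest`. A high score is not proof of malice, but an extension that asks for `cookies` and `<all_urls>` to “help you trade” deserves the same scrutiny as the fake AggrTrade did.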
Protective measures
To protect against crypto-stealing malware like this, you can apply some basic measures:
- Install from trusted sources: Only use extensions and software from trusted sources and official websites. Verify reviews and permissions before installation.
- Install as little software as possible: Before installing another application or browser extension on your computer, think again about whether you really need it. Maybe you can achieve your goals with the existing software? (However, it is safer on mobile platforms, where every app runs in a sandbox.)
- Regular security checks: Regularly review and remove unused extensions or software. Regularly check for unusual activity in your crypto accounts (online and offline) and on your system.
- Use strong authentication: Enable two-factor authentication (2FA) on your accounts to add an extra layer of security. In Obyte wallets, you can do this by creating a multi-device account from the main menu or by setting a spending password in settings.
- Use anti-malware tools: Use up-to-date antivirus and anti-malware tools to detect and block online and offline threats.
- Secure your crypto: Store significant crypto assets in hardware or paper wallets to reduce exposure to online threats. The Obyte wallet allows you to easily create your own paper wallet by generating a text coin (twelve random words), writing it down, and then deleting or blocking the software itself until you need to spend the funds.
Inside Obyte and beyond, be sure to use secure and verified wallets and follow these best practices to protect your assets!
Featured vector image by Freepik
Disclaimer for Uncirculars, with a Touch of Personality:
While we love diving into the exciting world of crypto here at Uncirculars, remember that this post, and all our content, is purely for your information and exploration. Think of it as your crypto compass, pointing you in the right direction to do your own research and make informed decisions.
No legal, tax, investment, or financial advice should be inferred from these pixels. We’re not fortune tellers or stockbrokers, just passionate crypto enthusiasts sharing our knowledge.
And just like that rollercoaster ride in your favorite DeFi protocol, past performance isn’t a guarantee of future thrills. The value of crypto assets can be as unpredictable as a moon landing, so buckle up and do your due diligence before taking the plunge.
Ultimately, any crypto adventure you embark on is yours alone. We’re just happy to be your crypto companion, cheering you on from the sidelines (and maybe sharing some snacks along the way). So research, explore, and remember, with a little knowledge and a lot of curiosity, you can navigate the crypto cosmos like a pro!
UnCirculars – Cutting through the noise, delivering unbiased crypto news