A malware campaign targeted Jaxx cryptocurrency wallet holders through a website spoofed to mimic the legitimate Jaxx site, researchers at Flashpoint reported this week. The fraudulent site has since been taken down.
Jaxx was created by Ethereum cofounder and Decentral founder Anthony Di Iorio, who built the wallet in 2015 to help people manage digital assets. It has been downloaded more than 1.2 million times on desktop and mobile, the company reported in March. Its latest version, Jaxx Liberty supports more than a dozen cryptocurrencies, including Bitcoin and Ethereum.
Earlier this month, Flashpoint notified both Jaxx and the Cloudflare content delivery network of a spoofed site designed to mimic Jaxx's, created on Aug. 19. The site had a URL similar to the legitimate Jaxx[.]io and included line-by-line copy taken from the actual site, with modifications made to the download links to redirect visitors to a server controlled by attackers.
"Although phishing sites are extremely common, typically they are used to capture credentials of victims who are duped into authenticating on phony websites," says Paul Burbage, senior malware researcher at Flashpint. "Historically we have not seen actors setting up an entire mirror of a website with a lookalike domain solely to deliver malware."
Researchers point out this campaign is built on social engineering and not a vulnerability in the Jaxx mobile app, website, or any domains owned by Decentral. The fraudulent Jaxx site packed several custom and commodity strains of malware developed to empty users' wallets.
"It's unclear how the attackers were luring victims to the spoofed Jaxx site, whether they were relying on poisoned search engine results, phishing via email or chat applications, or other means to infect victims," researchers report in a post on their findings.
Malware Skips Mobile, Goes to Desktop
This campaign was strictly focused on desktop victims, researchers report. Mobile users who clicked "download" on the malicious site were redirected to the legitimate Jaxx site, uninfected.
"The attackers could have easily also introduced mobile malware with the phony website; however, it appears the attackers behind this campaign had a limited skill set to only develop and obtain Mac and Windows based malware," Burbage points out.
Windows and Mac OS X users, however, weren't quite as lucky. Visitors to the fake website would likely believe they were on the real one, as attackers installed the legitimate software onto victims' computers while malware was simultaneously installed in the background.
Mac users who clicked bad links received a custom malicious Java Archive (JAR) file, which was programmed in PHP and compiled using DevelNext, a Russian-language IDE. It seems the malware was developed specifically for this campaign; Jaxx branding is throughout the code. Although attribution for cyberattacks may not be certain, says Burbage, it appears the attacks originated from Russia.
If the JAR was executed it displayed a message in both Russian and English stating the user was temporarily blocked from creating a new wallet. They were rerouted to a "Pair/Restore Wallet" option, which prompted them for their Jaxx backup wallet phrase, a password used to decrypt wallets so threat actors could pilfer digital currency from the target's account. The victim's backup phrase went to the attackers' server, and they saw another error message.
The Windows link downloaded a custom-written .NET application, which contained both malicious behavior and two additional malware samples. This behavior included exfiltrating all the victim's desktop files to a command-and-control server, and the malware samples were KPOT Stealer and Clipper, both marketed on underground Russian-language cybercrime sites.
Victims who clicked the link downloaded a Zip archive from a Google Docs URL. The malicious .NET binary, like the JAR for OS X, was built for this campaign. Malware contacted the command-and-control server where the target's files were uploaded, while the fake application downloaded three executables from URLs: the Liberty Beta installer, KPOT, and Clipper.
KPOT is designed to steal information from the local hard drive; Clipper scans the clipboard for digital wallet addresses. Once it detects an address, it swaps it out for a different address under the attackers' control. If an address is changed in the clipboard, victims may not notice the recipient has changed when they copy-and-paste addresses to send payments.
Watch Your Wallets
This campaign signifies the lengths threat actors will go to in order to socially engineer a target business' customers into installing malware to steal cryptocurrencies. It's likely to continue, they believe, as criminals find commodity malware kits on sale in underground hacking forums.
"Cybercriminals are financially motivated to steal cryptocoins due to the ability of directly monetizing stolen funds, as well as protecting the attacker's identity with respect to the degree of anonymity that transferring digital currency offers," says Burbage.
- 4 Trends Giving CISOs Sleepless Nights
- 8 Cryptomining Malware Families to Keep on the Radar
- Mirai, Gafgyt Botnets Resurface with New Tricks
- New 'Fallout' EK Brings Return of Old Ransomware
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.