Risk

9/12/2018
04:29 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Malware Campaign Targeting Jaxx Wallet Holders Shut Down

A site spoofing the official Jaxx website was discovered packing several infections for Windows and Mac machines, and has been shut down.

A malware campaign targeted Jaxx cryptocurrency wallet holders through a website spoofed to mimic the legitimate Jaxx site, researchers at Flashpoint reported this week. The fraudulent site has since been taken down.

Jaxx was created by Ethereum cofounder and Decentral founder Anthony Di Iorio, who built the wallet in 2015 to help people manage digital assets. It has been downloaded more than 1.2 million times on desktop and mobile, the company reported in March. Its latest version, Jaxx Liberty supports more than a dozen cryptocurrencies, including Bitcoin and Ethereum.

Earlier this month, Flashpoint notified both Jaxx and the Cloudflare content delivery network of a spoofed site designed to mimic Jaxx's, created on Aug. 19. The site had a URL similar to the legitimate Jaxx[.]io and included line-by-line copy taken from the actual site, with modifications made to the download links to redirect visitors to a server controlled by attackers.

"Although phishing sites are extremely common, typically they are used to capture credentials of victims who are duped into authenticating on phony websites," says Paul Burbage, senior malware researcher at Flashpint. "Historically we have not seen actors setting up an entire mirror of a website with a lookalike domain solely to deliver malware."

Researchers point out this campaign is built on social engineering and not a vulnerability in the Jaxx mobile app, website, or any domains owned by Decentral. The fraudulent Jaxx site packed several custom and commodity strains of malware developed to empty users' wallets.

"It's unclear how the attackers were luring victims to the spoofed Jaxx site, whether they were relying on poisoned search engine results, phishing via email or chat applications, or other means to infect victims," researchers report in a post on their findings.

Malware Skips Mobile, Goes to Desktop

This campaign was strictly focused on desktop victims, researchers report. Mobile users who clicked "download" on the malicious site were redirected to the legitimate Jaxx site, uninfected.

"The attackers could have easily also introduced mobile malware with the phony website; however, it appears the attackers behind this campaign had a limited skill set to only develop and obtain Mac and Windows based malware," Burbage points out.

Windows and Mac OS X users, however, weren't quite as lucky. Visitors to the fake website would likely believe they were on the real one, as attackers installed the legitimate software onto victims' computers while malware was simultaneously installed in the background.

Mac users who clicked bad links received a custom malicious Java Archive (JAR) file, which was programmed in PHP and compiled using DevelNext, a Russian-language IDE. It seems the malware was developed specifically for this campaign; Jaxx branding is throughout the code. Although attribution for cyberattacks may not be certain, says Burbage, it appears the attacks originated from Russia.

If the JAR was executed it displayed a message in both Russian and English stating the user was temporarily blocked from creating a new wallet. They were rerouted to a "Pair/Restore Wallet" option, which prompted them for their Jaxx backup wallet phrase, a password used to decrypt wallets so threat actors could pilfer digital currency from the target's account. The victim's backup phrase went to the attackers' server, and they saw another error message.

The Windows link downloaded a custom-written .NET application, which contained both malicious behavior and two additional malware samples. This behavior included exfiltrating all the victim's desktop files to a command-and-control server, and the malware samples were KPOT Stealer and Clipper, both marketed on underground Russian-language cybercrime sites.

Victims who clicked the link downloaded a Zip archive from a Google Docs URL. The malicious .NET binary, like the JAR for OS X, was built for this campaign. Malware contacted the command-and-control server where the target's files were uploaded, while the fake application downloaded three executables from URLs: the Liberty Beta installer, KPOT, and Clipper.

KPOT is designed to steal information from the local hard drive; Clipper scans the clipboard for digital wallet addresses. Once it detects an address, it swaps it out for a different address under the attackers' control. If an address is changed in the clipboard, victims may not notice the recipient has changed when they copy-and-paste addresses to send payments.

Watch Your Wallets

This campaign signifies the lengths threat actors will go to in order to socially engineer a target business' customers into installing malware to steal cryptocurrencies. It's likely to continue, they believe, as criminals find commodity malware kits on sale in underground hacking forums.

"Cybercriminals are financially motivated to steal cryptocoins due to the ability of directly monetizing stolen funds, as well as protecting the attacker's identity with respect to the degree of anonymity that transferring digital currency offers," says Burbage.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18955
PUBLISHED: 2018-11-16
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resour...
CVE-2018-19311
PUBLISHED: 2018-11-16
Centreon 3.4.x allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen.
CVE-2018-19312
PUBLISHED: 2018-11-16
Centreon 3.4.x allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.
CVE-2018-19318
PUBLISHED: 2018-11-16
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account.
CVE-2018-19319
PUBLISHED: 2018-11-16
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update to change goods prices with the super administrator's privileges.