Hackers and cybercriminals have been targeting crypto investors with two new malware threats that scout the internet for unwary investors to steal their funds.
According to a recent report by anti-malware software Malwarebytes, two new cybersecurity threats, which include recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, have been deployed in campaigns aimed at stealing cryptocurrency from victims.
The new phishing attack’s victims are predominantly located in the United States, with a smaller percentage of victims in the United Kingdom, Turkey, and the Philippines.
The company’s threat intelligence research team, Cisco Talos, said they observed the criminal scanning the internet for potential targets with an exposed remote desktop protocol (RDP) port 3389, a proprietary protocol that provides a user with a graphical interface to connect to another computer over a network connection.
The research said that the campaign begins with a phishing email “and kicks off a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging analysis.”
The phishing email comes with a malicious ZIP file that contains a BAT loader script, which downloads another malicious ZIP file when a victim opens it. The malware also inflates the victim’s device and executes the payload, which is either the GO variant of Laplas Clipper malware or MortalKombat ransomware.
“The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers,” the report detailed.
Talos noted that a usual vector of attack for the criminals has been a phishing email in which they impersonate CoinPayments, a legitimate global cryptocurrency payment gateway.
To make the emails look even more legitimate, they have a spoofed sender, “noreply[at]CoinPayments[.]net”, and the email subject “[CoinPayments[.]net] Payment Timed Out.”
On this specific occasion, a malicious ZIP file is attached with a filename resembling a transaction ID mentioned in the email body, which allures the victim to unzip the malicious attachment in order to view the contents, which is a malicious BAT loader.
Ransomware Threats Rise while Revenue Declines
Ransomware and cybersecurity attacks continue to increase. However, victims have been increasingly unwilling to pay attackers their demands, according to a recent report by Chainalysis, which revealed that ransomware revenues for attackers plummeted 40% last year.
It is worth noting that North Korean hacking groups account for a huge portion of illicit cyber activities. Just recently, South Korean and United States intelligence agencies warned that Pyongyang-based hackers are trying to hit “major international institutions” with ransomware attacks.
In December 2022, Kaspersky also revealed that BlueNoroff, a subgroup of the North Korean state-sponsored hacking group Lazarus, is impersonating venture capitalists looking to invest in crypto startups in a new phishing method.