Crypto investors are currently being targeted by two recently developed malware threats, which are being utilized by hackers and cybercriminals to locate and steal funds from unsuspecting victims.


A recently released report from Malwarebytes shows that two new cybersecurity threats--the MortalKombat ransomware and a GO version of the Laplas Clipper malware--have been released and used to target victims with the intent of stealing cryptocurrency.


Most of those affected by the recent phishing campaign are in the US, with smaller numbers in the UK, Turkey, and the Philippines.


Cisco Talos, Cisco's threat intelligence research team, reported that it had detected a criminal scanning the internet for vulnerable targets with an exposed remote desktop protocol (RDP) port 3389. RDP allows users to connect to another computer over a network and access its graphical interface.


The investigation found that the attack begins with a malicious email, which starts a multi-step process in which malware or ransomware is delivered; afterwards, traces of the malicious files that were used are removed to make it harder to determine who was behind the attack.


The phishing email contains a harmful ZIP file holding a BAT loader script. When the victim opens it, the script downloads a second malicious ZIP file. The payload in that archive damages the victim's device and launches either the GO version of the Laplas Clipper malware or the MortalKombat ransomware.


The report stated that the loader script launches the malicious payload as a process on the targeted device, and then deletes the downloaded and dropped malicious files to hide the evidence of infection.


Talos observed that a common tactic used by the criminals is to send phishing emails pretending to be from CoinPayments, a well-known global cryptocurrency payment provider.


The emails are designed to look as legitimate as possible, using a spoofed sender, "noreply[at]CoinPayments[.]net", and the subject line "[CoinPayments[.]net] Payment Timed Out".


In this case, the attached malicious ZIP file has a name that resembles a transaction ID mentioned in the email body. This tricks the victim into opening the ZIP, only to find the malicious BAT loader inside.
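As an added defender-side example (not code from the Malwarebytes or Talos reports), the following Python script triages an email message against the lure traits described above: a CoinPayments-themed sender and subject, a ZIP attachment named after an ID quoted in the body, and a BAT script inside the archive. The message, the transaction ID, and the file names it builds are all constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script extensions worth flagging when found inside an emailed archive.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1")

def build_sample_message() -> bytes:
    """Constructed lure mimicking the article's description; not a real capture."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("invoice.bat", "@echo off\r\nREM inert placeholder, not a loader\r\n")
    msg = EmailMessage()
    msg["From"] = "noreply@CoinPayments.net"          # spoofed sender, as in the report
    msg["Subject"] = "[CoinPayments.net] Payment Timed Out"
    msg.set_content("Transaction CPAA1B2C3D4E5F6 timed out. Details are attached.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="CPAA1B2C3D4E5F6.zip")
    return bytes(msg)

def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the lure traits and return findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").lower()
    sender = (msg["From"] or "").lower()
    if "coinpayments" in sender and "payment timed out" in subject:
        findings.append("sender/subject match the CoinPayments lure")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        stem = name[:-4]
        # The article notes the ZIP is named after a transaction ID quoted in the body.
        if stem and stem in body:
            findings.append(f"zip '{name}' is named after an ID quoted in the body")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTENSIONS):
                        findings.append(f"zip '{name}' contains script '{member}'")
        except zipfile.BadZipFile:
            findings.append(f"attachment '{name}' is not a valid zip")
    # Two or more independent lure traits is the (arbitrary) threshold used here.
    return {"suspicious": len(findings) >= 2, "findings": findings}
```

Run `triage(build_sample_message())` to see the three findings the constructed lure triggers; in a mail gateway the same function would be fed each inbound message's raw bytes.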