
MacOS Malware Targets Bitcoin, Exodus Cryptowallets – Dark Reading


The malware substitutes genuine apps with compromised versions, enabling attackers to pilfer credentials and recovery phrases, thus gaining access to wallets and their contents.
January 23, 2024
Fresh malware targeting Apple users in the US and Germany is infecting Bitcoin and Exodus cryptowallet applications with a Trojan distributed through pirated software, according to Kaspersky researchers.
The malware is delivered via cracked applications and can replace Exodus and Bitcoin cryptowallet applications installed on the user's machine with infected versions that steal secret recovery phrases after the wallet is unlocked.
The report, issued this week, noted the attackers use DNS TXT records to deliver an encrypted Python script to their victims as the second stage of infection.
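Legitimate TXT records (SPF, DMARC, domain-verification tokens) are short and structured, whereas a record used to carry an encrypted script is long, single-alphabet and high-entropy. The following detector is an added example, not code from the Kaspersky report or the article; it assumes a constructed resolver log format of "client TXT name -> answer" and uses made-up names and a made-up payload rather than any indicator from the campaign.

```python
import base64
import math
import re

# Constructed sample lines in the shape of a resolver query/answer log
# (client, record type, name, answer). Names and payload are made up,
# not indicators from the Kaspersky report.
_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()  # stand-in for an encrypted script
SAMPLE_LOG = "\n".join([
    '198.51.100.7 TXT example.test -> "v=spf1 include:_spf.example.test -all"',
    '198.51.100.7 TXT _dmarc.example.test -> "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"',
    f'198.51.100.7 TXT stage2.loader.invalid -> "{_BLOB}"',
])

_LINE = re.compile(r'^(?P<client>\S+) TXT (?P<name>\S+) -> "(?P<txt>.*)"$')
_B64 = re.compile(r'^[A-Za-z0-9+/=]+$')


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of ciphertext approaches 6, human text sits near 4."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_like_encoded_payload(txt: str, min_len: int = 200, min_entropy: float = 4.5) -> bool:
    """Flag answers that are long, drawn only from the base64 alphabet and high-entropy.
    SPF/DMARC strings fail all three tests; a concatenated ciphertext blob passes them."""
    return len(txt) >= min_len and bool(_B64.match(txt)) and shannon_entropy(txt) >= min_entropy


def scan_log(log: str) -> list[str]:
    """Return the queried names whose TXT answer looks like a payload carrier."""
    flagged = []
    for line in log.splitlines():
        m = _LINE.match(line)
        if m and looks_like_encoded_payload(m["txt"]):
            flagged.append(m["name"])
    return flagged


if __name__ == "__main__":
    for name in scan_log(SAMPLE_LOG):
        print(f"suspicious TXT answer for {name}")
```

Tune the length and entropy thresholds against a baseline of your own resolver's TXT answers before alerting on them; DKIM keys, for instance, are also long base64 and need an allow-list by name.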
"The wallet application replacement process is straightforward because, at this stage, the malware already has root access to the computer, granted during the first stage of infection," explains Sergey Puzan, security expert at Kaspersky.
The malware simply removes the old application from the "/Applications/" directory and replaces it with a new, malicious one. After installation and the patching process, the applications become operational, and the user is unaware of the malware running in the background.
When users launch these compromised wallet applications, the malware sends data, including seed phrases or wallet passwords, to a command-and-control (C2) server controlled by the attackers.
This can result in the attackers having full control of a victim's digital wallet.
"We don't know why the malware specifically targets 'fresh' macOS versions, but it appears this campaign was still in the development process," Puzan says. "We managed to receive functionality updates for the final stage backdoor but received no commands from the server."
He added there are no specific reasons why attackers focus on macOS 13.6 (Ventura) and higher.
"The only reason malicious actors use cracked versions of applications is to lower the user's guard and prompt them to enter the admin password, thereby granting root access to the malicious process," Puzan explains.
He says the only form of protection from such threats is to avoid downloading any cracked or modified applications, even from well-known and trusted sources.
"While this isn't a foolproof method, it significantly reduces the chances of compromise," Puzan says. 
John Bambenek, president at Bambenek Consulting, says while the use of pirated applications as a vehicle for malware isn't a particularly new technique, the selection of macOS applications with functionality to steal cryptocurrency wallets is unique.
"As the security to prevent stealing cryptocurrency relies on the privacy of the private wallet key and passphrase, stealing both means the attacker can immediately monetize the victim," he explains.
In 2023, there were numerous malicious campaigns targeting cryptocurrency wallet owners, but the Kaspersky findings indicate that some attackers are now going to greater lengths to ensure they access the contents of their victims' crypto wallets while remaining undetected for as long as possible.
"While it's challenging to predict the threats we'll face in 2024, the increasing popularity of cryptocurrencies is attracting heightened criminal activity," Puzan says. 
Adam Neel, threat detection engineer at Critical Start, notes that malicious actors are adapting their techniques to take advantage of cryptocurrency users' behaviors and preferences.
"They use social engineering tactics, such as offering pirated software, to lure victims into downloading malware," he says. "The malware's ability to replace legitimate wallet applications and continue operating even when the C2 server is unresponsive demonstrates a level of persistence that can be challenging for users to detect and remove."
Bambenek notes many of the OS-provided protections needed to be explicitly disabled to get these applications on the system in the first place, so the biggest defense mechanism is to avoid pirated software and source applications only from the official app store.
"For those users who still want pirated applications, they should keep cryptocurrency applications and their private wallets on secure machines that do not have such software downloaded and installed on them," he says.
Neel says users must continue to take precautions, especially when storing large amounts of digital currency.
"Cryptocurrency remains an attractive target for cyber criminals, so malicious actors will be motivated to advance their behaviors and technology," he says. 
Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
