
Attackers Create Elaborate Crypto Trading Scheme to Install Malware

[Image: bitoins-to-bits-2.jpg]
Attackers have created an elaborate scheme to distribute a cryptocurrency trading program that installs a backdoor on a victim's Mac or Windows PC.

Security researcher MalwareHunterTeam discovered a scheme where an attacker has created a fake company that is offering a free cryptocurrency trading platform called JMT Trader. When this program is installed, it will also infect a victim with a backdoor Trojan.

[Image: tweet.jpg]

The making of a crypto trading malware scheme

This scheme starts with a professionally designed web site where the attackers promote the JMT Trader program as shown below.

[Image: jmttrading-site.jpg]
JMT Trader Web Site

To help promote the site and program, they also created a Twitter account that is used to promote the fictitious company. This account is fairly dormant with its latest tweet being from June.

[Image: twitter-account.jpg]
Twitter Account

If you attempt to download the software, you will be brought to a GitHub repository where you can find Windows and Mac executables for the JMT Trader application. This page also contains the source code for the trading programs for those who want to compile it under Linux. This source code does not appear to be malicious.

[Image: github-page.jpg]
JMT Trader GitHub Repository

Using the JMT Trader program, a user can create various exchange profiles and use it to trade cryptocurrency legitimately. That is because the application and the GitHub page above are simply clones of the legitimate QT Bitcoin Trader program that have been adapted for this malware operation.

[Image: jmt-trader.jpg]
JMT Trader Application

When JMT Trader is installed, though, the installer also extracts a secondary program called CrashReporter.exe and saves it to the %AppData%\JMTTrader folder. This program is the malware component and acts as a backdoor. At the time of writing, this file had only 5/69 detections on VirusTotal.

[Image: crashreporter.jpg]
CrashReporter.exe Backdoor

A scheduled task called JMTCrashReporter will be created that launches the CrashReporter.exe every time a user logs into the computer.

[Image: scheduled-task.jpg]
Scheduled Task for CrashReporter

According to reverse engineer and researcher Vitali Kremez, when the CrashReporter.exe executable is launched, it will connect back to a Command & Control server at beastgoc[.]com to receive commands. These commands are then executed by the backdoor.

[Image: c2-server.jpg]
Connecting to the C2 Server

It is not known if the malware drops any other payloads or is simply used as a backdoor to steal cryptocurrency wallets or exchange logins.

Regardless, any user who installed this application should check their computer thoroughly for malware, delete %AppData%\JMTTrader\CrashReporter.exe if it is present, and remove the JMTCrashReporter scheduled task so the backdoor is not relaunched at the next logon.

Victims should then change the passwords at any exchanges where they have accounts.
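The checks and cleanup described above, written out as an added PowerShell triage script for a Windows host. This is not code from the article or from the JMT Trader/QT Bitcoin Trader projects; it only uses the artifacts the write-up names (the dropped file path, the scheduled task name and the C2 domain) and assumes they have not changed. The article gives no macOS file paths, so the script covers Windows only, and the `-Remove` switch and parameter names are this example's own choice.

```powershell
# Added triage script (not from the article): checks a Windows host for the
# JMT Trader backdoor artifacts named in the write-up and optionally removes them.
# Run in an elevated PowerShell session. Use -Remove only after preserving a
# copy of the dropped file for analysis.
param(
    [switch]$Remove
)

# Indicators taken from the article. The C2 domain is defanged in the source;
# it is refanged here only for string comparison against local DNS state.
$DropPath = Join-Path $env:APPDATA 'JMTTrader\CrashReporter.exe'
$TaskName = 'JMTCrashReporter'
$C2Domain = 'beastgoc[.]com' -replace '\[\.\]', '.'

$findings = @()

# 1. Dropped backdoor on disk. Hash it first so the sample can be checked on
#    VirusTotal or submitted to a sandbox before anything is deleted.
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $findings += "File present: $DropPath (SHA256 $hash)"
}

# 2. Persistence: the logon-triggered scheduled task created by the installer.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $findings += "Scheduled task present: $TaskName (state $($task.State))"
}

# 3. A running instance of the backdoor, if the task has already fired.
$procs = @(Get-Process -Name 'CrashReporter' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ieq $DropPath })
foreach ($p in $procs) {
    $findings += "Running process: PID $($p.Id) $($p.Path)"
}

# 4. Network evidence: cached DNS answers for the C2, or established
#    connections owned by the backdoor process.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain*" }
if ($dns) { $findings += "DNS cache contains $C2Domain" }

if ($procs.Count -gt 0) {
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $procs.Id -contains $_.OwningProcess }
    foreach ($c in $conns) {
        $findings += "Connection from backdoor: $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No JMT Trader backdoor indicators found on this host.'
    return
}

$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Stop the process first so the file is not locked, remove the logon
    # trigger so nothing relaunches it, then delete the dropped binary.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    if ($task) { Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false }
    if (Test-Path -LiteralPath $DropPath) {
        Remove-Item -LiteralPath $DropPath -Force
    }
    Write-Output 'Artifacts removed. Rotate exchange passwords and API keys from a clean device.'
}
```

A clean result from this script only means the artifacts named in the article are absent; since it is not known what other payloads the backdoor may have fetched from the C2, a host that showed any of these indicators should still get a full scan, and exchange credentials should be changed from a different, trusted machine.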

Possible ties to the Lazarus APT group

When analyzing the scheme, MalwareHunterTeam noted that it had a strong resemblance to a previous crypto trading application malware operation named AppleJeus.

In 2018, during an incident response job, Kaspersky discovered that a cryptocurrency exchange was compromised when an employee downloaded a trojanized cryptocurrency trading application.

"Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. 

There have been multiple reports on the reappearance of Fallchill, including one from US-CERT."

After further research, this attack was attributed to the APT group Lazarus, which has ties to North Korea.

While some details have changed, the methods used in the JMT Trader scheme look very similar to the AppleJeus operation seen by Kaspersky. Both use legitimate crypto trading applications that are promoted from professional-looking sites, and both ship a secondary program that is the actual malware component.

While it is not 100% confirmed that JMT Trader is a Lazarus operation, Kaspersky GReAT Senior Security Researcher Seongsu Park feels that they may be related.

[Image: Seongsu-tweet.jpg]

This goes to show that you need to be careful when downloading programs from the Internet, as you never know what you are getting.

by Lawrence Abrams
