A new form of malware that steals bitcoin and other forms of cryptocurrency has been discovered by security firm Cyren Ltd.
The as-yet unnamed malware is delivered via emails pretending to be notifications of online wire transfers, payment updates or swift transactions from banks such as Emirates NDB and DBS. The attachment to the email appears be a PDF file, but it’s nothing of the sort and is instead an executable file triggered when a user clicks on it.
Once executed, the malicious file hides by creating a file called ‘file.vbs’ in the Windows start-up folder, so every time a victim logs in and out of the PC, the script executes the malware in the background. The malware itself queries the computer registry for passwords and other sensitive information from all software installed on the infected machine, including web browsers and email clients.
What makes it more interesting is that it also searches for crypto-currency wallets to steal from as well. Not all types of cryptocurrency wallets are searched for, but the list is nonetheless extensive and includes more than two dozen from Anoncoin to Zetacoin.
Not least, the malware also acts as a keylogger, which creates hooks for both the keyboard and mouse on the infected machine, sending the details of anything the victim types or clicks back to a command-and-control server.
Malware that targets bitcoin wallets isn’t new. A previous form of malware discovered in 2015 was distributed by downloaded pirates games. But this new form is by far the most specific and detailed malware created to date in the space and the first to target a wide range of different cryptocurrencies as well.