
Cryptocurrency Malware: An Ever-Adapting Threat

Aug 29, 2023

Background

Virtual currency, or cryptocurrency, has become both a tool and a target for cybercriminals. No longer do they have to game the traditional banking system to send and collect illicit payments. It’s also speedy: bitcoin transactions, for example, can settle in as little as an hour. There is also a degree of pseudo-anonymity. Bitcoin transactions are not linked to a person’s name and, if certain measures are taken, can prove difficult to trace. This pseudo-anonymity has eroded in recent years as blockchain tracing methods have dramatically improved and turning virtual currency into cash has become ever more difficult. Nonetheless, bitcoin’s innovations gave rise to illicit cybercrime markets that thrive today. It also drove the rise of ransomware, with cybercriminal gangs demanding increasingly higher ransoms in virtual currencies.

Bitcoin’s launch in January 2009 eventually spurred the creation of thousands of types of other virtual currencies. The creation of a new medium of wealth that is stored on consumer computers and by companies in the cryptocurrency space meant plentiful new targets for thievery for cybercriminals and even nation-states. North Korea has tasked its formidable offensive cyber resources with targeting vulnerable exchanges and companies. According to the United Nations, North Korea stole a record-breaking US $630 million in virtual assets in 2022.

The few advantages of virtual currencies have been undermined by security risks, market volatility, prolific scams, regulatory concerns and a strong reluctance by most governments to allow virtual currencies to become a mainstream component of their financial systems. The retention of cryptocurrencies poses many risks for consumers, as funds held on computers or mobile devices give cybercriminals many opportunities to swindle and steal them through malware, phishing and other types of social engineering. Security for cryptocurrency products and services is often substandard, likely due to the industry being in its relative infancy. As ever, cybercriminals are exploiting these weaknesses by developing malware specifically designed to steal cryptocurrency from unsuspecting users. Cryware, a term derived from “cryptocurrency malware,” comes in many different forms. In this blog post we describe some of the types of attacks against cryptocurrency accounts and wallets.

Storing Cryptocurrency: Wallets

Cryptocurrency can be stored in a variety of ways: in browser extensions such as MetaMask, within software or hardware “wallets” or on cryptocurrency exchanges. Wallets can be broken down into “hot” or “cold” wallets. Hot wallets are internet accessible and trade off security for convenience. While they are password protected, the wallets remain accessible once credentials have been entered. Cold wallets refer to storage that is usually not accessible online. A cold wallet can take the form of a hardware USB key such as a Trezor, which is usually not connected to a person’s computer. A low-tech example of a cold wallet is printing out the private keys for bitcoins and putting the printout in a safe. In that example, a high degree of security is assured but with a low level of convenience. Some users may choose to store their cryptocurrency on a trading platform, an arrangement known as “custodial” storage. While users are responsible for the security of the login credentials for their account, they’re also placing trust in the security of the platform that is holding their funds – a bet that has often resulted in losses from breaches of the platforms.

Cryptocurrency Stealers, Drainers

Cryptocurrency stealers are a type of malware that act in the same way as malware known as information stealers, or infostealers. As with a trojan, cryptocurrency stealers are programmed to seek out and exfiltrate credentials for wallets on the compromised system, cryptocurrency exchange platform accounts and browser extensions used to hold and transfer cryptocurrencies. Once the data has been exfiltrated, the operator of the cryware is able to use the credentials to access wallets and trading accounts in order to steal the victim’s funds.

Cryptocurrency stealers, also commonly referred to as drainers, come in two primary forms. Actors develop stand-alone drainers that are specifically designed for the purpose of stealing cryptocurrency account credentials and the currency itself. However, there is also a growing trend in the generic information stealer market of information-stealing malware having additional modules designed for cryptocurrency. Though the two forms of cryptocurrency stealers essentially function in the same way, there are some differences, which are discussed below.

Stand-alone Drainers

Unlike generic information stealers, stand-alone cryptocurrency drainers are not capable of obtaining all types of login credentials. Instead, drainers are coded to target specific cryptocurrency services – cold wallets, browser extensions and cryptocurrency exchange accounts – and harvest the relevant data that the operator will need to take control of the associated funds. Drainers are commonly offered in the form of a script for the buyer to use as they see fit or already embedded into a phishing page. Integration with the Telegram secure messaging platform has also been observed, allowing threat actors to receive logs from the drainer in the form of an instant message.

Vendors of stand-alone drainers typically state which cryptocurrencies and exchange platforms their drainers are effective against. In the case of cryptocurrencies, this is because of the ever-growing number of blockchains, which often have their own differing protocols for sending and receiving cryptocurrency. For example, many drainers state that they are compatible with any ERC-20 tokens, meaning that the drainer is capable of stealing fungible tokens running on the Ethereum blockchain. Other commonly targeted chains and token standards include BEP-20 (BNB Smart Chain), Fantom, Polygon and the Seaport protocol used for the trading of non-fungible tokens (NFTs) on the popular OpenSea platform. Once connected to a victim’s wallet, the drainer script will identify which of the stored tokens belong to a compatible blockchain and exfiltrate these in particular. For this reason, drainers are also only compatible with certain wallet services and extensions for storing cryptocurrency online. Some of the most commonly targeted are Coinbase, MetaMask, Trust Wallet and WalletConnect.

Drainer Workflow

Drainers typically require the victim to willingly connect to their cryptocurrency wallet or trading account. This is often achieved through social engineering. Threat actors may send out a phishing page designed to trick the victim into believing they must connect their wallet to receive something of value. Some such methods mimic common cryptocurrency scams: promises of air drops (a free transfer of cryptocurrency as part of a promotion), favorable staking rates for cryptocurrencies or simply copying the login page for a well-known cryptocurrency platform. If sufficiently misled by the phishing page, the victim will willingly input their login credentials, which can be used by the drainer to access the genuine account and begin the process of withdrawing all the associated funds.

Shown below is one such example of a phishing page used in conjunction with the Atomic Drainer cryptocurrency stealer script. The page mimics that of the CryptoGPT aka LayerAI platform, claiming to provide users with staking rewards if they log in to the platform. The user is prompted to connect a cryptocurrency wallet via WalletConnect, while in reality they are providing the drainer with their credentials.

[Image: Atomic Drainer phishing page]
A phishing page used by the Atomic Drainer cryptocurrency stealer, which mimics the landing page of the CryptoGPT aka LayerAI platform.

Once a drainer script has been provided with access to a victim’s wallet, it will typically follow a logical process to verify what sort of assets the wallet possesses. From here the drainer script will establish which tokens are compatible with its stealing capabilities, including NFTs where applicable. Drainers can also include capabilities to determine the relative value of the assets, so as to prioritize higher value sums. Shown below is a purported workflow diagram depicting the general logical process behind a threat actor’s drainer called Diamond Advanced.

[Image: Diamond Advanced drainer workflow diagram]
A workflow for the Diamond Advanced cryptocurrency drainer provided by a threat actor.

Cryptocurrency Stealer Modules

There is a strong market for cryptocurrency drainers, but they are not limited exclusively to bespoke tools only targeting cryptocurrency. The long-established information stealer market has also taken to the theft of cryptocurrency. Alongside the usual capabilities to steal cookies, passwords, social media logins, files and system information, many new information stealers now offer modules specifically for stealing cryptocurrency. These stealers do not generally differ greatly from their stand-alone counterparts in how they function. A number of recent stealers, such as Goat Stealer, have even integrated Telegram for command and control (C2) purposes and for the user to collect logs. Features such as this aid in lowering the technical barrier to entry and ensure a wide range of threat actors are able to leverage this malware to steal a variety of data.

Assessment

Cryptocurrency drainers and related stealer malware are extremely widespread in the cybercriminal underground. Competition is high, which will likely force providers to differentiate themselves by providing a higher quality product with more features as time goes on. The relative increase in drainer malware in recent months likely can be attributed in part to the growing number of scripts being shared in open source environments such as code repositories like GitHub. While some of these scripts may have been published by cybercriminals for knowledge-sharing purposes, it is clear that actors have also leaked the work of others from underground forums. Acts like this have led to many drainers sharing commonalities and have facilitated the quick release of new “strains” by less experienced developers. Although the cryptocurrency market is down in general at present, any future bull run in the market – such as that seen in 2020 – would spur more interest in drainers. As inexperienced users join the community and buy and store cryptocurrency with little awareness of security measures, it is highly likely cryptocurrency drainers and related malware will see a further surge in popularity.

Cryptocurrency Clippers

Cryptocurrency clipper malware – or simply clippers – also works to redirect victims’ cryptocurrency funds away from wallets and exchange accounts and into adversary-controlled storage. Clippers do this in a subtly different way than drainer malware. Once a victim’s device is infected with a clipper, the malware repeatedly checks the victim’s clipboard using scheduled tasks to see if the user has recently copied a cryptocurrency wallet address. When a victim copies a wallet address to the clipboard, it indicates to the clipper that the user is possibly in the process of transferring cryptocurrency from one location to another, be that a wallet or exchange. Cryptocurrency clippers follow the same principles as the banking trojans that replaced copied account numbers to hijack bank transfers.

The clipper then uses regular expressions (regexes) to find out what type of cryptocurrency the address belongs to and replaces the clipboard entry with a visually similar, but adversary-controlled, wallet address. Later, when the victim is pasting the address from the clipboard to carry out the transaction, they actually are sending cryptocurrency directly to the threat actor. This trick works because cryptocurrency wallet addresses typically are very long – sometimes as long as 40 alphanumeric characters – and it is likely an unsuspecting user will not notice this change in address. Shown below is a workflow diagram for a typical clipper.

[Image: clipper workflow diagram]
The typical workflow for a clipper.
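The workflow above turns on two observable facts: the clipper recognizes wallet addresses with regular expressions, and it rewrites the clipboard within moments of the user's copy. A defender can use the same two facts to spot a swap from clipboard telemetry. The following is an added example, not code from the original post or from any clipper or security product: it classifies clipboard contents with simplified address patterns (the patterns, the two-second window and the sample clipboard snapshots are assumptions constructed for illustration, and the patterns do not validate address checksums) and flags any change where one address of a given asset type is replaced by a different address of the same type inside that window.

```python
import re
from typing import List, Optional, Tuple

# Simplified, illustrative address patterns (assumption: not full validators;
# they do not check Base58Check or bech32 checksums).
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,87}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A clipper rewrites the clipboard almost immediately after the copy, whereas a
# person re-copying a different address takes noticeably longer. The window is
# an assumption chosen for this example.
SWAP_WINDOW_SECONDS = 2.0

Snapshot = Tuple[float, str]          # (seconds since start, clipboard text)
Alert = Tuple[float, str, str, str]   # (time, original, replacement, asset type)


def classify_address(text: str) -> Optional[str]:
    """Return the asset type a clipboard string looks like, or None."""
    candidate = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


def detect_swaps(snapshots: List[Snapshot]) -> List[Alert]:
    """Flag consecutive snapshots where a wallet address was replaced by a
    different address of the same asset type within SWAP_WINDOW_SECONDS."""
    alerts: List[Alert] = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind_prev = classify_address(prev)
        kind_cur = classify_address(cur)
        if kind_prev is None or kind_prev != kind_cur:
            continue                      # not an address-for-address change
        if prev.strip() == cur.strip():
            continue                      # same address copied again
        if t_cur - t_prev <= SWAP_WINDOW_SECONDS:
            alerts.append((t_cur, prev.strip(), cur.strip(), kind_cur))
    return alerts


# Constructed clipboard history for the example (not real telemetry).
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    (0.0, "meeting notes"),
    (5.0, "1AbcDefGhJkMnPqRstUvWxYz23456789ab"),   # user copies a BTC address
    (5.3, "1AbcDefGhJkMnPqRstUvWxYz23456789xy"),   # silently replaced 300 ms later
    (40.0, "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"),  # user copies an ETH address
    (70.0, "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6ffff"),  # different ETH address, 30 s later
    (71.0, "https://example.invalid/"),
]

if __name__ == "__main__":
    for t, original, replacement, kind in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={t:.1f}s {kind}: {original} -> {replacement}")
```

Run against the constructed history, only the change at 5.3 seconds is reported: the Ethereum address copied at 70 seconds differs from the one before it, but 30 seconds between copies is consistent with a user, not a clipper. The same comparison is the manual check the post's workflow implies for users: before confirming a transfer, compare the pasted address against the one that was copied, character by character, since the replacement is chosen to look similar.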

As with drainers, we observed both stand-alone clippers and clippers bundled into malware packages. One key example of this was a malware developer we observed who created a multifunctional malware-as-a-service (MaaS) offering that included ransomware, a drainer and a clipper. The clipper itself was capable of working with 10 major cryptocurrencies and the package was available from as little as US $30 per month, indicating the affordability of these kinds of services.

Assessment

Cryptocurrency clippers generally appeared less frequently than drainers in the underground. Nevertheless, they fulfill a purpose in the world of cryptocurrency-related cybercrime and depend on a slightly different method of social engineering. By relying on victims not paying attention to the addresses they send and receive cryptocurrency from, clippers can be an effective way of duping less savvy cryptocurrency users. When used in conjunction with drainers or, as will be discussed below, cryptojacking malware or miners, clippers can be an effective tool for separating unsuspecting users from their cryptocurrency funds. When spread effectively, this malware can have wide-reaching effects. In the first three months of 2023 alone, one campaign that deployed itself via a trojanized version of a Tor browser download reportedly impacted 15,000 wallets and resulted in losses of US $400,000. As with drainers, it is likely clippers will see an increase in usage should cryptocurrency markets burgeon once more.

Cryptojacking Malware

Cryptojacking is the act of using another computer’s computational power to mine cryptocurrency. This is done without the knowledge or consent of the device’s owner. Cryptocurrency mining is a process that brings new coins into circulation by validating blockchain transactions and is completed by using computers to solve complex computational problems. This is often a highly intensive activity and uses large amounts of energy to create the new coins. The benefit of mining is that the miner is rewarded with cryptocurrency for completing the problems.

For high-value cryptocurrencies such as bitcoin, this can be a highly lucrative activity. In recent years, however, the rewards associated with cryptocurrency mining have reduced and the increasing computational power required has a serious financial impact on miners. As such, cybercriminals use cryptojacking malware as a way to cut overhead by hijacking the computational resources of victims. In this way, adversaries can receive the rewards of mining without the expensive outlay associated with mining itself.

Forms of Cryptojacking

Cryptojacking appears in a number of different forms. Though the general concept is the same – to hijack the resources of the victim without their knowledge – cryptojacking malware can be deployed in a number of different ways and preys on a variety of victim activity. Examples of different cryptojacking malware include:

  • Browser-based miners – These miners work in a victim’s browser by injecting a malicious JavaScript within an online advertisement or web page and remain active while the user is on the site or using the browser. As such, this is an effective form of miner on sites with long viewing times such as streaming or gaming sites.

  • Downloadable or host-based miners – These miners are downloaded onto a host machine as an executable file and directly use the machine’s resources to mine cryptocurrency. This form of miner is the most commonly observed.

Internet-of-Things (IoT) devices can also be used for mining as part of a botnet, though this is generally not considered profitable due to hardware limitations reducing the feasible mining rate.
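Host-based miners, the form the post describes as the most commonly observed, leave recognizable traces in process telemetry: a command line carrying a mining pool URL in the stratum scheme, a binary name or flags characteristic of XMRig (named later in this post), or sustained high CPU from an executable dropped in a temporary directory. The following is an added detection example, not code from the original post or from any named tool; the process listing is constructed for illustration, and the CPU threshold, the temp-directory list and the pool hostname are assumptions. The `stratum+tcp://`/`stratum+ssl://` schemes, the `--donate-level` option and the `--config` option are real XMRig conventions; the wallet value in the sample is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process listing (not real telemetry).
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 412, "user": "www-data", "cpu": 1.2,
     "cmd": "/usr/sbin/nginx -g daemon off;"},
    {"pid": 9981, "user": "www-data", "cpu": 98.7,
     "cmd": "/tmp/.x/kworkerds -o stratum+tcp://pool.example.invalid:3333 "
            "-u WALLET_PLACEHOLDER --donate-level 1"},
    {"pid": 2231, "user": "alice", "cpu": 45.0,
     "cmd": "/usr/bin/ffmpeg -i in.mp4 out.mkv"},
    {"pid": 3342, "user": "root", "cpu": 97.0,
     "cmd": "/opt/xmrig/xmrig --config=/opt/xmrig/config.json"},
]

# Indicators. The pool URL scheme is the most robust of these: renaming the
# binary or dropping flags into a config file defeats the other two.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
MINER_FLAG_RE = re.compile(r"(^|\s)--donate-level(\s|=)")
MINER_NAME_RE = re.compile(r"(^|/)xmrig\b", re.IGNORECASE)

# Assumptions for the resource-abuse heuristic.
CPU_THRESHOLD = 90.0
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def score_process(proc: Dict) -> List[str]:
    """Return the list of reasons a process looks like a host-based miner."""
    reasons: List[str] = []
    cmd = proc["cmd"]
    if STRATUM_RE.search(cmd):
        reasons.append("stratum pool URL in command line")
    if MINER_FLAG_RE.search(cmd):
        reasons.append("XMRig-style --donate-level flag")
    if MINER_NAME_RE.search(cmd):
        reasons.append("binary named xmrig")
    if proc["cpu"] >= CPU_THRESHOLD and cmd.startswith(TEMP_DIRS):
        reasons.append("sustained high CPU from a binary in a temp directory")
    return reasons


def find_miners(processes: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every process with at least one indicator."""
    findings = []
    for proc in processes:
        reasons = score_process(proc)
        if reasons:
            findings.append((proc["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_miners(SAMPLE_PROCESSES):
        print(f"pid {pid}: " + "; ".join(reasons))
```

On the constructed listing, the disguised `/tmp` binary is caught on three indicators and the plainly named XMRig on one, while the CPU-heavy but legitimate `ffmpeg` job is left alone. In production the same logic would run over endpoint process-creation events rather than a static listing, and the pool-URL match is the indicator worth keeping even where the others are tuned away.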

Assessment

At present, browser-based cryptojacking malware is limited. Most cryptojacking malware observed is distributed as executable files designed to infect the host and take over the resources from there, such as the notorious XMRig. Intel 471 has generally observed quite low amounts of cryptojacking recently, though there is a precedent for use of cryptojacking to match surges in cryptocurrency prices, which happened in 2021.

Outlook

Despite the downturn in the cryptocurrency market over the past year or so, there remains an appetite for malware targeting cryptocurrency platforms and resources. Cryware is regularly adapting to changing security protocols, new blockchain technologies and real-world trends in cryptocurrency use. Generally speaking, cryware is dependent on social engineering to gain an initial foothold. Periods of time during which the cryptocurrency market is growing generate hype and greed among users, likely resulting in more risk-taking behavior, which can result in users unwittingly handing over access to their wallets and accounts to users of cryware. Though there is a steady flow in new cryware variants at present, many are very similar and often based on the wealth of open source scripts available on platforms like GitHub. It is likely that a future surge in the cryptocurrency market would result in renewed interest in cryware from more advanced actors and the development of new features, which may allow cryware to be less dependent on social engineering. Intel 471 will continue to monitor and report on developments in this space.