A new malware that steals passwords and bitcoin from cryptocurrency wallets has been discovered by Cyren, an Internet security service provider, according to the company’s blog. The malware targets banking customers, and according to Cyren, is carrying out a massive campaign.
The emails inform the recipient of a deposit. The emails originate mainly from bots in the United States and Singapore, and are branded as being from various banks, including Emirates, NDB and DBS.
The malware is a keylogger that is carried as an attachment to emails for fake bank transfers. Once the victim opens the attachment, the malware can record everything the victim types on their keyboard and every place they place their mouse.
The malware queries the victim’s registry for passwords and other information related to various types of software. The subject line usually has financial details like an online wire transfer payment notification. The attachments have a SWIFT variation, making the emails look legitimate. SWIFT codes identify financial institutions for fund transfers.
Files that appear to be PDF are really executable files, according to Cyren. Once executed, the file deletes itself and opens a new one called “filename.vbs” in the Windows startup folder. When the computer boots, the software executes itself.
The malware collects passwords and other information, focusing on web browsing software and FTP software. It gathers usernames, passwords, cookies, browsing history and more.
The malware looks for cryptocurrency wallets and targets a long list of currencies, including bitcoin, Namecoin, Litecoin, Anoncoin, BBQcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin and Zetacoin.
Image from Shutterstock.