Much of the news in the financial sector this week related to Bitcoin's surge in value: one Bitcoin traded at $11,000 a week ago and soared to $17,500 a week later. At the time of writing the cryptocurrency was sitting at approximately $16,500. Such a surge in price caused many economists to declare the cryptocurrency a danger to the market and an obvious bubble that will pop any time soon. While the economists wait for the bubble to pop, hackers are doing their utmost to steal the valuable commodity. With the surge in price came a surge in phishing attacks intended to harvest login details and steal funds from exchange accounts and wallets.
In hindsight, it seems only natural that when the price of Bitcoin climbs as it has, hackers would want a piece of the pie. The past week saw a surge in phishing attempts looking to steal credentials and gain access to investors' funds. CheckPhish, a website that keeps track of recent phishing pages targeting high-profile brands, detected five phishing domains aimed at users of the popular Blockchain wallet service. In addition, several other researchers discovered numerous other attempts.
Blockchain was by no means the only recognized brand targeted. Hackers also targeted LocalBitcoin, a popular exchange. In another case, researchers at Fortinet identified a campaign that used cryptocurrency-related lures in the hope that users would download and run files on their PCs.
As with trading conventional currencies, trading in cryptocurrencies requires a great deal of attention in order to maximize profitability. Once you throw human emotion into the mix, the stress can become too much to bear. To prevent the premature onset of grey hair, automatic trading applications, popularly known as trading bots, were developed. These bots monitor Bitcoin price differences between trading platforms. As soon as an opportunity to generate profit presents itself, they automatically buy on one platform and sell on another, effectively arbitraging between the two. They cannot be considered fully autonomous, as the criteria that define an opportunity are still parameters set by the user.
Trading bots are not new, but with Bitcoin's price surging there is a market for them. Where there is a market for such bots, there is likewise an opportunity to exploit users looking for such applications. FortiGuard Labs' Kadena Threat Intelligence System (KTIS) has spotted a new phishing campaign that targets Bitcoin investors by offering Gunbot. This relatively new trading bot, marketed as a way for users to get more profit from their trades, instead installs the Orcus RAT, resulting in the loss of investments and more.
A spam email is sent to users in an attempt to lure them into downloading the "trading bot". According to the email, the product is developed by GuntherLab or Gunthy. The attachment, named sourcode.vbs.zip, is an archive containing a simple VBScript file of the same name (sourcode.vbs). When executed, the script downloads a file from https[:]//bltcointalk.com/flashplayer27pp_ka_install.jpeg. Although the extension suggests a JPEG image, the file is actually a PE binary; note also that the hosting domain is itself a lookalike of bitcointalk, with an "l" in place of the "i". The script makes no effort to hide the true purpose of the attachment, suggesting either that the authors had no intention of doing so, or that they lack the technical knowledge and simply purchased the RAT and deployed it in the same manner as previous campaigns.
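The two tells in this lure, a script inside an archive and a PE served under an image extension, are both cheap to catch at a mail gateway or on a download proxy by looking at content rather than names. The following is an added example, not code from the original article or from FortiGuard: it sniffs a file's magic bytes (including the PE signature that an "MZ" header must point to), compares the result with what the extension claims, and lists archive members that the Windows Script Host would execute directly. The byte blobs and the archive contents are constructed for illustration and are not the real campaign files.

```python
"""Sniff a downloaded file's real type and compare it with its extension.

Added example, not code from the original article or from FortiGuard: the
campaign served a Windows PE executable under a .jpeg name inside a .zip
that carried a .vbs dropper, which is exactly the pattern these checks
flag. All sample bytes and archive contents below are constructed.
"""
import io
import struct
import zipfile

# Leading bytes that identify common file types (magic numbers).
MAGIC = [
    (b"MZ", "pe"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]

# What a given extension claims the content is.
EXT_TO_TYPE = {
    "exe": "pe", "dll": "pe", "scr": "pe",
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "zip": "zip", "pdf": "pdf",
}

# Extensions the Windows Script Host or shell will execute directly.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "ps1", "bat", "cmd"}


def _has_pe_signature(data: bytes) -> bool:
    """An MZ header is a PE only if e_lfanew (offset 0x3c) points at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Return the type implied by the magic bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            if kind == "pe" and not _has_pe_signature(data):
                return "mz-dos"  # bare DOS stub: still executable content
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (mismatch?, type claimed by extension, type found by sniffing)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    return actual != claimed, claimed, actual


def script_members(zip_bytes: bytes):
    """List archive members whose extension is a directly executable script."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            name for name in zf.namelist()
            if name.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS
        ]


# --- constructed samples (not the real campaign files) ---------------------
# Minimal PE-shaped blob: 'MZ', e_lfanew = 0x40, 'PE\0\0' at offset 0x40.
SAMPLE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + b"\x00" * 16
)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def build_sample_zip() -> bytes:
    """A zip holding a placeholder 'sourcode.vbs', mimicking the lure's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sourcode.vbs", 'MsgBox "placeholder, not the real dropper"')
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [
        ("flashplayer27pp_ka_install.jpeg", SAMPLE_PE),
        ("photo.jpg", SAMPLE_JPEG),
        ("sourcode.vbs.zip", build_sample_zip()),
    ]:
        print(name, extension_mismatch(name, blob))
    print("scripts in archive:", script_members(build_sample_zip()))
```

Run against the constructed samples, the .jpeg name over PE bytes is reported as a mismatch, the archive itself passes the extension check (it really is a zip), and the script listing is what exposes the .vbs dropper inside it; a gateway policy should treat either finding as grounds to quarantine.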
Analysis of the Orcus RAT
Initially, the downloaded executable appears to be a benign inventory-system tool, with many references to SQL commands for inventory procedures. When the researchers at FortiGuard dug deeper, they found that it is a trojanized version of an open-source inventory application named TTJ-Inventory System. Once executed, the malware first checks that only one instance of itself is running. It then checks whether it is running from the path %APPDATA%\Roaming\Microsoft\Windows\DwiDesk\nethost.exe before installing the final payload. If not, it creates a copy of itself in that directory and executes from there instead.
The final payload is the Orcus RAT. Orcus has been marketed as a Remote Administration Tool (RAT) since early 2016. What separates Orcus from other RATs is its capability to load custom plugins developed by users, as well as plugins readily available from the Orcus repository. Users can also execute C# and VB.NET code on the remote machine in real time. In practical terms, once the server component is "installed" on your system, the person on the other side is practically sitting in front of your machine, seeing and hearing you at the same time; among other things, it can activate your microphone. As a self-defense mechanism, the malware can also run a watchdog that restarts the server component, or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process. Not the behaviour of a benign software offering.
Not the First Time Phishing Attacks Target Bitcoin Investors
In December last year, providers of cryptocurrency wallets also saw a surge in phishing attempts. This was when Bitcoin had surpassed the $900 mark. In that instance, OpenDNS was hard at work tracing the phishing campaigns. In most cases, phishers were targeting Blockchain.info, the largest web-based Bitcoin wallet service. To carry out the attack, attackers register hundreds of Blockchain.info lookalike domains, usually a variation of the URL that includes a hard-to-spot typo. Fortunately, in this attack most of the domains remained inactive, and those that did go online were of extremely low quality, most being nothing more than images with URLs mapped over the button areas.
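Hunting for lookalike registrations of the kind described above is a matter of comparing each newly seen hostname with the brand it might be imitating. The following is an added example, not code from the original article or from OpenDNS: it folds common digit-for-letter substitutions, measures edit distance to the brand label, and labels each candidate as a homoglyph, a typo, a TLD swap, or a domain with the brand buried in a longer name. The brand, the legitimate domain and the candidate list are assumptions chosen to match the article; the candidate domains are constructed for illustration (blockchain.example uses the reserved .example TLD precisely so it cannot be a real site).

```python
"""Score candidate hostnames against a brand for typosquatting.

Added example, not from the original article or from OpenDNS: it labels the
kinds of lookalike domains the paragraph describes (hard-to-spot typos,
digit-for-letter substitutions, the brand buried in a longer name). The
brand, the legitimate domain and the candidate list are assumptions; the
candidate domains are constructed for illustration.
"""
import unicodedata

# Approximate digit/symbol-for-letter substitutions seen in lookalikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e",
                            "4": "a", "5": "s", "7": "t", "8": "b", "$": "s"})


def normalize(label: str) -> str:
    """Fold accents, drop characters with no ASCII form, undo visual substitutions."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    folded = folded.replace("rn", "m").replace("vv", "w")   # two-letter lookalikes
    return folded.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = "blockchain",
             brand_domain: str = "blockchain.info", max_edits: int = 2) -> str:
    """Label a hostname relative to the brand it might be impersonating."""
    host = domain.strip().lower().rstrip(".")
    if host == brand_domain or host.endswith("." + brand_domain):
        return "legitimate"
    labels = host.split(".")
    # Registrable label, naively the second-to-last one (no public-suffix list).
    reg = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize(reg).replace("-", "")
    if norm == brand:
        return "tld-swap" if reg == brand else "homoglyph"
    if levenshtein(norm, brand) <= max_edits:
        return "typo"
    if brand in norm:
        return "brand-embedded"
    return "unrelated"


# Constructed candidates, as a defender might pull them from a new-domain feed.
CANDIDATES = [
    "blockchain.info", "login.blockchain.info", "b1ockchain.info",
    "blockchaln.info", "blockchian.info", "blockchain-info.com",
    "blockchain.example", "example.com",
]


def suspicious(domains=CANDIDATES):
    """Return {domain: label} for every candidate that is neither legitimate nor unrelated."""
    out = {}
    for d in domains:
        label = classify(d)
        if label not in ("legitimate", "unrelated"):
            out[d] = label
    return out


if __name__ == "__main__":
    for d, label in suspicious().items():
        print(f"{d:28s} {label}")
```

The edit-distance threshold of two is deliberately tight: it catches single-character typos and adjacent transpositions without sweeping in every ten-letter word, and the brand-embedded rule picks up the longer names that distance alone would miss. Real deployments replace the naive second-to-last-label rule with a public-suffix list and extend the homoglyph table to IDN confusables.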
To avoid becoming a victim of these attacks, Bitcoin users should be very careful these days, especially when reaching Blockchain.info and other wallet services via embedded links. The best course of action is for users to type the URL by hand every time they access their wallet. That way they cannot be tricked by malicious links embedded in emails or web pages.