A recently discovered malware dropper has the ability to use nearly a dozen decoy document file formats to drop various payloads, Palo Alto Networks security researchers warn. Dubbed CARROTBAT, the customized dropper is being used to deliver lures primarily pertaining to the Korean region, revolving around subjects such as crypto-currencies, crypto-currency exchanges, and political events.
To date, Palo Alto Networks identified 29 unique CARROTBAT samples, containing a total of 12 confirmed unique decoy documents. The dropper first emerged in March 2018, but most of its activity was observed over the past three months.
Read more about the CARROTBAT malware dropper on SecurityWeek.
Cryptojacking, the hijacking of PCs and servers to covertly mine cryptocurrency on their CPUs, is becoming a thorn in the side of individuals and businesses alike. One in three organizations has been targeted by cryptocurrency mining malware.
Researchers from Check Point said in a blog post that one family of cryptomining malware, known as KingMiner, first appeared in June this year and is now circulating in the wild as a new-and-improved variant. The malware targets Microsoft IIS and SQL Server hosts, brute-forcing credentials in order to compromise the server. The miner is configured to use 75 percent of CPU capacity, but, apparently because of a coding error, it actually uses 100 percent of the CPU.
Read more about the newly discovered KingMiner malware on ZDNet.
Although the malicious code was discovered last week, researchers were able to determine its purpose recently, when they managed to decrypt and deobfuscate it.
A critical vulnerability involving an Ethereum token made it possible for malicious actors to force cryptocurrency exchanges to pay extremely high transaction fees. Even worse, the attackers could abuse the bug for profit.
The flaw, discovered by a group of cryptocurrency researchers, involves GasToken, an Ethereum-based token. It remains unclear precisely how many exchanges are vulnerable, but the researchers have contacted the bulk of the platforms they believe may be affected.
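The mechanism behind this class of bug, as an added example that is not the researchers' disclosure or any exchange's code: an Ethereum withdrawal that forwards all remaining gas to a user-supplied address lets a recipient contract run arbitrarily expensive code at the sender's expense, and GasToken turns that burned gas into a refundable asset the attacker can later redeem. The contract and function names below (VulnerableWithdrawal, HardenedWithdrawal, GasGuzzler, withdraw) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not code from the GasToken disclosure or any exchange.
// All contract and function names here are hypothetical.

// VULNERABLE: a hot-wallet contract that pays withdrawals to a user-supplied address.
contract VulnerableWithdrawal {
    address public operator;

    constructor() { operator = msg.sender; }

    // Accept deposits from the exchange's funding wallet.
    receive() external payable {}

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        // call{value: ...} with no gas stipend forwards (almost) all remaining gas.
        // If `to` is a contract, its receive() runs with that gas and the exchange,
        // which pays for the transaction, foots the bill for whatever it does.
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// HARDENED: same withdrawal, but the recipient gets a fixed, small gas stipend.
contract HardenedWithdrawal {
    address public operator;
    // 2300 gas is enough to emit an event but not to write storage, so a recipient
    // cannot do expensive work (such as minting GasToken) on the exchange's dime.
    uint256 public constant RECIPIENT_GAS_STIPEND = 2300;

    constructor() { operator = msg.sender; }

    receive() external payable {}

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount, gas: RECIPIENT_GAS_STIPEND}("");
        require(ok, "transfer failed");
    }
}

// Attacker-controlled recipient used against the vulnerable contract: it burns
// whatever gas it is handed on storage writes. In the real attack this expensive
// work is GasToken minting, so the gas the exchange paid for becomes an asset the
// attacker can later redeem for a gas refund. Against HardenedWithdrawal,
// gasleft() is below the loop threshold from the start, so the loop never runs
// and the withdrawal completes without costing the exchange anything extra.
contract GasGuzzler {
    uint256[] private sink;

    receive() external payable {
        // Each push costs roughly 20k gas for a fresh storage slot; keep going
        // while there is enough gas left to complete another write.
        while (gasleft() > 50000) {
            sink.push(block.number);
        }
    }
}
```

Exchanges that sign withdrawals from an ordinary account rather than a contract have the same exposure and the same fix at the transaction level: set the outgoing transaction's gas limit to a small fixed value (21,000 gas suffices for a transfer to a plain address) instead of a generous default, or refuse withdrawals to contract addresses. The trade-off of a tight stipend is that contract wallets whose receive function needs more gas than that will no longer be able to accept withdrawals, which is usually the right call for a high-volume hot wallet.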
Read more about the critical vulnerability in GasToken on The Next Web.
A new, active campaign is using malware capable of evading traditional antivirus solutions in order to empty cryptocurrency wallets. The malware is being used in the DarkGate campaign, a previously undetected hacking operation uncovered this week by enSilo security researchers. According to the team, DarkGate is currently underway in Spain and France, targeting Microsoft Windows PCs via torrent files.
Torrent files are most commonly associated with pirated content, but the technology itself is not illegal. In this case, the malicious .torrent files masquerade as pirated versions of popular television shows and films.
Read more about the malware used in the DarkGate campaign on ZDNet.
The epidemic of Twitter-based Bitcoin scams took another twist this week as attackers tweeted scams directly from two verified high-profile accounts. Cryptocurrency giveaway scams work by promising money to victims. There is a catch, of course: they must first send a small amount of cryptocurrency to 'verify their address'. The promised payout never arrives and the attackers cash out.
Authenticity is a key factor in these scams, and accounts with verified status, shown by a blue tick, lend more of it. This week, criminals managed to compromise the official accounts of Google's G Suite and Target and used them to post Bitcoin giveaway scams.
Hackers have breached StatCounter, one of the internet’s largest web analytics platforms, and have inserted malicious code inside the company’s main site-tracking script. According to Matthieu Faou, the researcher who discovered the hack, this malicious code hijacks any Bitcoin transactions made through the web interface of the Gate.io cryptocurrency exchange.
Faou says the malicious code was first added to the StatCounter script over the weekend, on Saturday, November 3, and it was still live at the time of this article's publication. According to a PublicWWW search, over 688,000 websites currently appear to load the company's tracking script.
Read more about the StatCounter breach affecting Gate.io on ZDNet.
A widespread scam impersonating Elon Musk and relying on a stream of hacked Twitter accounts and fake giveaway sites has earned scammers over 28 bitcoins, approximately $180,000, in a single day. The attackers hack into verified Twitter accounts and change the profile name to "Elon Musk". They then tweet, posing as Musk, that he is running the biggest crypto-giveaway ever: 10,000 bitcoins.
The sites these fake profiles promote include musk[.]plus, musk[.]fund and spacex[.]plus, which state that all a user has to do is send 0.1 to 3 BTC to the listed address in order to receive 1 to 30 BTC back.
Recorded Future has published a series of analyses on the internet use of North Korea's most senior leadership. The final report of the series demonstrates how adaptable this leadership has become in both using the internet and monetizing that use.
Cryptocurrencies are known to be used by North Korea as a form of foreign exchange. North Korean cybercriminals are thought to be behind many raids on cryptocurrency exchanges in recent years. Recorded Future now believes the country has also been involved in at least two cryptocurrency scams.
Read more about the analysis by Recorded Future on SecurityWeek.
Cryptocurrency exchange Trade.io has admitted to a security breach. The company said that an unknown party withdrew over 50 million Trade tokens (TIO) from its cold storage wallets. The funds are worth over $7.5 million at Monday's TIO trading price. It is unclear how the hack happened.
Cold storage wallets hold the private keys that control cryptocurrency funds on a device kept offline, often a purpose-built USB hardware wallet, so that the keys cannot be stolen over the network; spending from cold storage normally requires physical access to that device or a copy of its keys. Trade.io said it stored its cold storage wallet in safety deposit boxes in banks. "We have confirmed that the safety deposit boxes were not compromised," said Trade.io CEO Jim Preissler.
Read more about the mysterious Trade.io hack on ZDNet.