Beware of Malicious Crypto Management App that Drains Your Wallet

In Cybersecurity News - Original news source: cybersecuritynews.com, by Blog Writer

Cryptocurrency scams are becoming increasingly sophisticated. This article delves into the intricacies of these scams, providing insights into how they operate and offering tips on how to protect your cryptocurrency assets.

The scam begins innocuously with a forwarded Telegram message about a cryptocurrency sale. The message includes a five-second video clip featuring a screenshot of a heavily discounted sale of two lucrative crypto projects, complete with links.

The first link leads to a legitimate, albeit small, crypto exchange, while the second link is where the real danger lies. A recent investigation by Kaspersky has unveiled a particularly cunning scam involving a malicious crypto management app designed to drain unsuspecting users’ wallets.

A Convenient Server Malfunction

Upon clicking the second link, users are not immediately exposed to malicious content. Instead, they are presented with a root directory listing containing enticing file names.

This makes it appear that the server has been misconfigured, revealing sensitive data. The files include wallet details, seed phrases, and screenshots of substantial wallet balances and lavish lifestyles.

A visitor sees a list of files in the root folder. There isn’t a single HTML file

Real Wallets and Cash

The scam’s brilliance lies in the fact that the wallet details provided are accurate. Users can access these wallets and view transaction histories and assets worth nearly $150,000.

The Exodus wallet is empty, but it’s real, and someone used it quite recently

However, the funds are staked, meaning they cannot be withdrawn. This creates a false sense of security, making the scam appear legitimate and not a typical phishing attempt.

The Next Stage: A New Hope

The active phase kicks off: a wallet seemingly containing about a million dollars

After two months of monitoring user behavior, the scammers escalate the attack. A new Telegram screenshot shows a successful Monero payout and a sizable balance of almost 6000 Monero tokens, worth about a million dollars.

Alongside this screenshot is a text file containing the wallet’s seed phrase, which lures users into attempting to access the funds.

The Trap: Electrum-XMR Wallet

The “right” version of the wallet appears at the top of the search results

Users, driven by greed, download an Electrum wallet to access the Monero funds. However, Electrum only supports Bitcoin, not Monero.

The scammers have cleverly created a fake Electrum-XMR wallet app, which appears at the top of search results.

This app, once downloaded and installed, infects the user’s computer with malware, giving the attackers remote access to steal crypto wallet data and other valuable information.

A Second Iteration

The scammers have refined their approach over time. In a subsequent iteration of the scam, they present a screenshot of a fake wallet with a large balance, an open text file containing personal information, and a link to a malicious site.

Version two saw the scammers get right down to it by collecting all relevant information in one screenshot

This streamlined approach indicates the effectiveness of the scam and suggests that similar attacks are likely to continue. While the initial victims of this scam were individuals attempting to steal others’ money, the scammers’ tactics are evolving.

Future iterations of the scam may target a broader audience with seemingly ethical opportunities to make money. For instance, users might receive a screenshot advertising a lucrative airdrop with a link in the address bar.

The sophistication of cryptocurrency scams is a stark reminder of the importance of vigilance in the digital age.

By understanding the methods used by scammers and taking proactive measures to protect your assets, you can navigate the world of cryptocurrency with greater confidence and security.