EXECUTIVE SUMMARY:

Microsoft warns of “Cryware” infostealing malware that targets cryptocurrency wallets.

What is Cryware?

Cryware attacks lead to the irreversible theft of virtual currencies through fraudulent transfers to adversary controlled wallets. Cryware information stealers collect and exfiltrate data directly from “hot” wallets or online cryptocurrency wallets.

Due to the fact that hot wallets are stored locally on a device, and because they provide easier access to cryptographic keys required for transactions, an increasing number of threats now target them.

Cryware attacks

Cryware attacks are not simply an attack type identified by academic researchers. Earlier this year, one cyber security firm discovered a financially motivated campaign by the North Korea-based Lazarus Group that involved hacking cryptocurrency companies with malware that retrieved money from hot wallets.

Cryware encompasses the following threat types:

  • Cryptojackers. These surreptitiously devour a victim’s computing power or device resources to mine cryptocurrency.
  • Ransomware. These attacks collect ransom payments in cryptocurrency to evade detection.
  • Information stealers. These tools (for example, Mars Stealer) are continually seeing upgrades that enable them to steal hot wallet data along with other valuable information.
  • ClipBankers. Otherwise known as ‘clippers’, ClipBankers monitor the clipboard and replace an original wallet address with the attacker’s.

To steal cryptocurrency funds, cyber criminals have also deployed techniques such as memory dumping (displaying private keys in plain text), keylogging (which captures keystrokes typed on a device), or lookalike wallet websites, which dupe users into entering private keys.

Threat mitigation

In order to mitigate these types of threats, Microsoft recommends that individual users and organizations:

  • secure hot wallets
  • lock hot wallets when not trading
  • disconnect sites that interoperate with a wallet
  • avoid storing private keys in plain text
  • confirm the wallet address when copying and pasting information
  • consider wallets that implement multi-factor authentication
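The clipper behaviour described above and the advice to confirm a wallet address before pasting can both be checked programmatically. The following is an added example, not code from Microsoft’s post: it flags a copied address that is rewritten to a different one almost instantly, and it verifies the Base58Check checksum of a legacy Bitcoin address so a mistyped or truncated destination is caught. The clipboard timeline, the `ClipEvent` type and the attacker address are constructed placeholders; only legacy (prefix 1 or 3) Bitcoin addresses are handled.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumption: only legacy Base58Check Bitcoin addresses (prefix 1 or 3) are handled.
LEGACY_BTC_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def looks_like_address(text: str) -> bool:
    """Shape check only: does the clipboard text look like a legacy BTC address?"""
    return LEGACY_BTC_RE.fullmatch(text) is not None

def base58check_valid(addr: str) -> bool:
    """Verify the 4-byte double-SHA256 checksum of a 25-byte Base58Check address."""
    if not looks_like_address(addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    # Each leading '1' encodes one leading zero byte; the two counts must agree.
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\x00")):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]

@dataclass
class ClipEvent:
    t: float   # seconds since monitoring started (constructed, not a real API)
    text: str  # clipboard contents observed at time t

def detect_swaps(events, window=1.0):
    """(before, after) pairs where an address became a different one within `window` s."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if (looks_like_address(prev.text) and looks_like_address(cur.text)
                and prev.text != cur.text and cur.t - prev.t <= window):
            alerts.append((prev.text, cur.text))
    return alerts

# Constructed clipboard timeline: the Bitcoin genesis address is copied, rewritten
# 50 ms later to a placeholder (not a real wallet), then unrelated text is copied.
SAMPLE_EVENTS = [
    ClipEvent(0.00, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ClipEvent(0.05, "1AttackerWa11etSwapExampLeXXXXXXXX"),
    ClipEvent(40.0, "invoice #1234"),
]
```

A user who copies one address and then, half a minute later, copies another is normal activity and produces no alert; only the sub-second rewrite characteristic of a clipper is flagged.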

According to security researchers, Cryware represents a shift in how hackers go about the theft of cryptocurrency information.

Critique of Cryware

Non-Microsoft experts have pointed out that the Cryware-type threat is nothing new. Software with the ability to steal information about cryptocurrency wallets and/or capabilities sophisticated enough to steal actual cryptocurrency has been around for years.

Editor-in-Chief of BleepingComputer, Lawrence Abrams, stated “Please stop making up new malware classifications. It’s confusing enough for many as it is,” while journalist Kim Zetter weighed in with “Marketing departments are out of control.”

Cryware or cry wolf, Microsoft’s intention is to send a message to users regarding the use of malware for cryptocurrency info theft. Microsoft acknowledged that the technique is not entirely new, but that security experts have observed an increase in its prevalence.

Closing thoughts

Cryware can cause severe financial impact for individuals and organizations alike, both because blockchain transactions are irreversible and because no support systems exist to help recover stolen cryptocurrency.

Again, these threats typically steal cryptocurrency information via wallet theft, clipboard manipulation, phishing, scams or even misleading smart contracts. Opt for outstanding prevention solutions and take a defense-in-depth approach.

For more information about Cryware, see Microsoft’s blog post. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.