Cryptocurrency hacks and thefts are all around us. With an industry that rakes in billions of dollars yearly, you would think that anyone looking to enter the sector would have to pay a pretty penny. Well, you would be wrong. Earlier this week, several reports revealed that the MasterMana Botnet, a new piece of malware that sells for just $160, is doing its bit to wreak havoc on the crypto space as well.
MasterMana Botnet and Classic Phishing
Cybersecurity researchers have identified that MasterMana targets businesses, stealing cryptocurrencies and sensitive data in exchange for ransoms. The campaign is reported to be connected to the “Gorgon Group,” a group of hackers that has been linked to several criminal activities and even to attacks on governments.
A research report by cybersecurity firm Prevailion revealed that the MasterMana operation began in December 2018, while also noting that the attacks have been rather indiscriminate. The Trojan reportedly relies on mass mailing: victims receive phishing emails carrying attachments that contain malicious code.
Once a potential victim opens the email and its attachment, the malicious code creates a backdoor on their computer and accesses their cryptocurrency wallets.
The firm added,
The cybersecurity firm estimates that about 3,300 machines have been infected by the Trojan so far. The backdoors identified are Revenge RAT and Azorult. Revenge RAT is rather popular, as it allows a machine to be accessed remotely. Prevailion examined Azorult and found that it was built to steal passwords, usernames, and cookies, and to access web histories and the contents of crypto wallets as well.
Prevailion added that Azorult can upload and download files, as well as take screenshots of the infected machines. MasterMana is also noteworthy for the way it evades detection: rather than carrying all of its code itself, it pulls code at runtime from several third-party websites, including Pastebin, Bitly, and Blogspot.
The List is Increasing
MasterMana is just the latest in a string of malware found to target cryptocurrencies. The crypto market has seen a comeback in 2019, and attackers are more than happy to profit from that as well.
Just last week, American Internet infrastructure firm Juniper Networks announced that it had discovered spyware that uses Telegram for command and control and replaces copied crypto addresses with the attacker's own.
In a report, Juniper Threat Labs (the company's threat intelligence division) revealed that it had found the Masad Clipper and Stealer, a Trojan-delivered malware that has been making the rounds on black market forums. Per the report, the spyware steals a broad range of browsing data, including credit card information, passwords, and names.
However, the kicker for this malware is that it comes with a function that replaces cryptocurrency wallet addresses on the clipboard with one belonging to the attacker, so a victim who copies and pastes a payment address unknowingly sends funds to the attacker. The clipping feature reportedly supports several tokens, including Bitcoin, XRP, Ether, Bitcoin Cash, and Litecoin.
Masad uses Telegram as a Command and Control channel, which lets the operator stay anonymous. After being installed, it reportedly starts by gathering sensitive information from the system, including system information, wallet addresses, browsing data, credit card details, and more. Once these are compiled, the collected data is sent to a Telegram bot managed by the attacker, which also sends commands back to the spyware.
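As an added, defender-side illustration (not part of the original report and not Masad's own code): a small Python heuristic that checks a series of clipboard samples for the substitution pattern described above, where an address of one coin is replaced by a different address of the same coin moments after the user copied it. The address patterns, the time window and the sample clipboard history are constructed for the example.

```python
import re

# Loose format classifiers for the coins the report names (constructed; they
# recognise the shape of an address, they do not validate checksums).
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(ltc1[a-z0-9]{25,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "ripple":   re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
}

def classify(text):
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

def detect_clipboard_swaps(snapshots, window=2.0):
    """Flag clipper-style substitutions in an ordered list of (seconds, text).

    A clipper polls the clipboard and rewrites a copied address almost at once,
    so an address being replaced by a *different* address of the *same* coin
    within `window` seconds is treated as suspicious (a hypothetical threshold).
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        coin = classify(prev)
        if coin and classify(cur) == coin and prev != cur and t_cur - t_prev <= window:
            alerts.append({"time": t_cur, "coin": coin,
                           "original": prev.strip(), "replacement": cur.strip()})
    return alerts

# Constructed clipboard history: the user copies a Bitcoin address, and half a
# second later the clipboard holds a different Bitcoin address they never copied.
SAMPLE_SNAPSHOTS = [
    (0.0,  "invoice 4471"),
    (1.0,  "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (1.5,  "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (20.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (45.0, "meeting notes"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['time']:.1f}s] {alert['coin']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```

A real monitor would sample the clipboard via the operating system API and alert the user before they paste; the same comparison logic applies.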