
New Clipper malware steals users’ cryptocurrencies via fake Tor browser

Kaspersky researchers have discovered a dangerous campaign in which attackers steal cryptocurrency; it has affected more than 15,000 users in 52 countries. Distributed under the guise of Tor Browser, the malware is a clipper: it monitors the clipboard and, whenever it detects that a wallet address has been copied, silently replaces that part of the clipboard contents with the cybercriminal's own wallet address instead of the rightful recipient's, so the victim pastes the attacker's address into the transaction. So far in 2023, cybercriminals have stolen around $400,000 using this malware.

Although this technique has been around for more than a decade and was originally used by banking Trojans to replace bank account numbers, with the rise in popularity of cryptocurrencies this type of malware now actively targets cryptocurrency owners and traders.

The latest variant is delivered through Tor Browser, a tool used to access the dark web. The victim downloads a trojanized Tor Browser from a third-party site; the download is a password-protected RAR archive, the password serving to keep security solutions from scanning its contents. Once the file is on the user's system, it registers itself to run at system startup and masquerades with the icon of a popular application such as uTorrent.

Kaspersky technologies have detected more than 15,000 attacks using malware delivered this way, all targeting cryptocurrencies such as Bitcoin, Ethereum, Litecoin, Dogecoin and Monero. The attacks have been seen in at least 52 countries. Most were detected in Russia, where Tor Browser is officially blocked and users therefore download it from third-party websites, which is how they end up with the infected copy. The top 10 affected countries also include the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom and France. Since these figures reflect only detections by Kaspersky products, the actual number of infections may be much higher than reported.
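
To make the substitution described above concrete, here is an added example (not code from Kaspersky's research or from the malware itself): the clipper's core move, replacing any clipboard address of a currency the attacker holds a wallet for, next to the defensive check an endpoint agent or wallet front-end can run, comparing what the user actually copied with what the clipboard holds at paste time. The address patterns are rough format checks written for this example for the five currencies named in the article (no checksum validation), and every wallet string is a constructed dummy.

```python
"""Clipper-style wallet-address substitution and a check that catches it.

Added example, not code from Kaspersky's research or from the malware itself.
The address patterns are rough format checks written for this example (no
checksum validation) and every wallet string below is a constructed dummy.
"""
import re
from typing import Dict, List, Optional, Tuple

# Approximate address formats for the five currencies named in the article.
# Base58 (BTC/LTC/DOGE/XMR) excludes 0, O, I and l; bech32 (bc1.../ltc1...)
# uses lowercase letters and digits except b, i, o and 1.
ADDRESS_PATTERNS: Dict[str, "re.Pattern"] = {
    "BTC":  re.compile(r"bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "ETH":  re.compile(r"0x[0-9a-fA-F]{40}"),
    "LTC":  re.compile(r"ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33}"),
    "DOGE": re.compile(r"D[a-km-zA-HJ-NP-Z1-9]{33}"),
    "XMR":  re.compile(r"[48][a-km-zA-HJ-NP-Z1-9]{94}"),
}
# Addresses are purely alphanumeric, so tokenising on anything else isolates them.
TOKEN = re.compile(r"[A-Za-z0-9]+")


def classify_address(token: str) -> Optional[str]:
    """Return the currency whose format the whole token matches, else None."""
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(token):
            return currency
    return None


def find_addresses(text: str) -> List[Tuple[str, str]]:
    """All (currency, address) pairs in text, in order of appearance."""
    found = []
    for m in TOKEN.finditer(text):
        currency = classify_address(m.group())
        if currency:
            found.append((currency, m.group()))
    return found


def clip(clipboard_text: str, attacker_wallets: Dict[str, str]) -> str:
    """The clipper's core move: each address whose currency the attacker has a
    wallet for is replaced in place; everything else is left untouched, so the
    victim sees a plausible address of the right kind when pasting."""
    def swap(m: "re.Match") -> str:
        currency = classify_address(m.group())
        return attacker_wallets.get(currency, m.group()) if currency else m.group()
    return TOKEN.sub(swap, clipboard_text)


def detect_swap(user_copied: str, clipboard_now: str) -> Optional[Tuple[str, str, str]]:
    """Defensive check: compare what the user actually copied with what the
    clipboard holds at paste time. A same-currency address that changed without
    a new copy action by the user is the clipper's signature.
    Returns (currency, original, replacement), or None when nothing was swapped."""
    if user_copied == clipboard_now:
        return None
    for (cur_before, addr_before), (cur_after, addr_after) in zip(
            find_addresses(user_copied), find_addresses(clipboard_now)):
        if cur_before == cur_after and addr_before != addr_after:
            return (cur_before, addr_before, addr_after)
    return None


# Constructed dummy wallets (valid-looking format only, not real addresses).
VICTIM_BTC = "1VictimAddrDummy" + "x" * 18
ATTACKER_BTC = "1AttackerDummy" + "x" * 20
VICTIM_ETH = "0x" + "ab" * 20
ATTACKER_WALLETS = {"BTC": ATTACKER_BTC}  # this clipper only carries a BTC wallet

if __name__ == "__main__":
    copied = "Pay 0.5 BTC to " + VICTIM_BTC
    tampered = clip(copied, ATTACKER_WALLETS)
    print("clipboard after clipper:", tampered)
    print("swap detected:", detect_swap(copied, tampered))
    # A currency the attacker has no wallet for passes through unchanged.
    print("ETH text untouched:", clip("refund to " + VICTIM_ETH, ATTACKER_WALLETS) == "refund to " + VICTIM_ETH)
```

In a real monitor, `user_copied` is updated only on a genuine copy action (a keyboard shortcut or context-menu event the agent observes), while `clipboard_now` is what the clipboard holds when the user pastes; any same-currency change between the two without a copy event in between is the alert condition. The weakness this exploits is that the replacement is of the right currency and the right length, so the user who does not compare the full address character by character before sending will not notice.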

Based on analysis of the available samples, estimated user losses are at least $400,000, but the real amount stolen could be much higher, since this research covers only the trojanized Tor Browser campaign. Other campaigns may use different software and malware delivery methods, as well as target other types of wallets.

To keep your cryptocurrencies safe, Kaspersky experts recommend the following:

  • Only download software from trusted sources: Avoid downloading software from third-party websites and use official sources whenever possible. Always verify the authenticity of the software before downloading it.
  • Keep your software up-to-date: Make sure your operating system, browser, and other software are up to date with the latest patches and security updates. This helps prevent the exploitation of known vulnerabilities.
  • Use security solutions: A reliable security solution will protect your devices from various types of threats. Kaspersky Premium protects against known and unknown malware targeting cryptocurrencies.
  • Be careful about links received in e-mail and other documents: do not click on links or download files from suspicious or unknown sources, as they may contain malware.
  • Check digital signatures: Before running any downloaded software, verify its digital signature to confirm that the software is genuine and has not been tampered with.