Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks.
The tech company dubbed this new threat “cryware”, with attacks that result in irreversible theft and transfer fraud to adversary-controlled wallets.
“Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets,” Berman Enconado and Laurie Kirk of the Microsoft 365 Defender Research Team said in a new report.
” Hot wallets are more dangerous than custodial ones because they are kept on the device. They allow for easier access to cryptographic keys that are needed to execute transactions and are more accessible. “
Attacks of this kind are not theoretical. Earlier this year, Kaspersky disclosed a financially-motivated campaign staged by the North Korea-based Lazarus Group, which involved targeting crypto companies with malware designed to drain funds out of hot wallets.
Cryware includes the following threats –
- Cryptojackers that surreptitiously consume a target’s device resources to mine cryptocurrency
- Ransomware campaigns that make use of cryptocurrency as a ransom payment to avoid detection
- Information stealers (e.g., Mars Stealer, RedLine Stealer, Arkei, and Raccoon) that are being increasingly upgraded to siphon hot wallet data alongside other valuable information stored in the system, and
- ClipBankers (aka clippers) that steal cryptocurrency during transactions by monitoring the clipboard and replacing the original wallet address with the attacker’s address
These information-stealing attempts aim to steal hot wallet data like private keys, seed phrases and wallet addresses. This allows the threat actor initiate rogue transaction and transfer funds to another wallet.
Other techniques used by cybercriminals include memory dumping, keylogging, keylogging, and keylogging. These keyloggers can also be seen creating lookalike wallet sites to trick victims into entering private keys.
To mitigate these threats, Microsoft recommends users and organisations to secure hot wallets, disengage sites from a wallet and avoid plaintext storage of private keys. They also suggest that you verify the address of your wallet when pasting or copying information.
“Cryware signifies a shift in the use of cryptocurrencies in attacks: no longer as a means to an end but the end itself,” the researchers said.