Analysis of malware from the MtGox Leak Archive

A few days ago the personal blog and Reddit account of MtGox CEO Mark Karpeles were hacked. The attackers used them to post a file, MtGox2014Leak.zip, which they claimed contained valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealing malware, taking advantage of people's keen interest in the MtGox topic.

The file is a zip archive (MD5 90e78be95914f93030b04eaceb22b447). It contains different kinds of data. The biggest item inside is trades.zip, which is 620MB: this is actually publicly available data on MtGox trades. Finally, the archive contains software binaries for Windows PC and Mac.

[Figure: MtGox leaked archive]

We detect the Windows Trojan (MD5: c4e99fdcd40bee6eb6ce85167969348d), a 4.3MB PE32 executable, as Trojan.Win32.CoinStealer.i, and the OS X variant (MD5: ea722bea2a44cd06d797107d5ff9da92) as Trojan.OSX.Coinstealer.a. Both were created with the LiveCode programming language, an open-source and cross-platform application development language. When the victim executes the application, it looks like back-office software for accessing the databases of Mt. Gox's owning company, Tibanne Co. Ltd.
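As an added example (not code from the original write-up), here is a small Python triage script of the kind that would have flagged the binaries in such an archive: it streams every member of the zip, computes its MD5, compares it against the two Trojan hashes quoted above, and identifies native executables by their leading bytes rather than by file extension. The sample archive it builds is constructed here, and the executable name inside it is a placeholder.

```python
import hashlib
import io
import zipfile
from typing import Optional

# MD5s of the two Trojan binaries named in the write-up.
KNOWN_BAD_MD5 = {
    "c4e99fdcd40bee6eb6ce85167969348d": "Trojan.Win32.CoinStealer.i",
    "ea722bea2a44cd06d797107d5ff9da92": "Trojan.OSX.Coinstealer.a",
}

# Leading bytes that identify native executables, whatever the extension says.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}


def classify(head: bytes) -> Optional[str]:
    """Return an executable type label if the first bytes match a known magic."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def triage_zip(data: bytes) -> list:
    """Hash every file in the archive and report executables or known-bad hashes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest, head = hashlib.md5(), b""
            with zf.open(info) as fh:
                # Stream in chunks so a 620MB member is never loaded into memory at once.
                while chunk := fh.read(1 << 16):
                    head = head or chunk[:4]
                    digest.update(chunk)
            md5 = digest.hexdigest()
            kind = classify(head)
            if kind or md5 in KNOWN_BAD_MD5:
                findings.append({"name": info.filename, "md5": md5,
                                 "type": kind, "known": KNOWN_BAD_MD5.get(md5)})
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the leak archive: one data file, one PE-like file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("trades.csv", "time,price,volume\n")
        zf.writestr("BackOffice_placeholder.exe", b"MZ" + b"\x00" * 62)  # fake DOS header
    return buf.getvalue()
```

The constructed sample is not flagged by hash (its MD5 is not on the list), only by its PE magic; a real sample from the archive would match on both.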

[Figure: Executed application]

The malware part is quite simple. The LiveCode application contains its source code as an encrypted and packed binary that becomes available in memory when executed. We dumped the Trojan code from memory and analyzed it.

The malware creates and executes the TibanneSocket.exe binary and searches for the files bitcoin.conf and wallet.dat; the latter is a critical data file for a Bitcoin crypto-currency user: if it is kept unencrypted and is stolen, cybercriminals gain access to all the Bitcoins the user has in his possession for that specific account.

[Figure: Bitcoin wallet search source code with decoded strings]

When the Trojan finds Bitcoin files, it sends their content to a webserver.

[Figure: Communication code sample]

The command-and-control server, which used to be located in Bulgaria, appears to have been shut down and is now offline.

Malware creators often use social engineering tricks and hot discussion topics to spread malware, and this is a great example of an attack on a focused target audience.
