Week 42, 2019

Chainalysis | Algo | Graboid | Phorpiex | CryptOsint

This week we have observed an uptick in backdoored wallets and other software designed to steal users’ cryptocurrency assets. Other news includes a fascinating deep dive into the DOJ investigation into a child pornography ring, disappointing details of the Algo Capital hack, and lots of indicators for mining malware. Also, don’t forget to subscribe to Bellingcat’s new CryptOsint Newsletter!

Crime

Hacks

Media

Malware

  • Hiding Beneath the WAV - a report by Cylance describes a crypto miner campaign using steganography to hide XMRig miner and Metasploit payloads in WAV files. The loader is related to Waterbug/Turla campaign previously reported by Symantec.

  • Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub - a new cryptomining worm that spreads via unsecured Docker daemons. The worm installs a malicious Docker image that includes scripts to mine Monero.

    Indicators:

  • Fleecing the onion: Darknet shoppers swindled out of bitcoins via trojanized Tor Browser - a trojanized version of Tor Browser was used to spy on users and steal their bitcoins. The campaign targeted Russian speaking darknet market users.

    Indicators:

    URLs:
    torproect[.]org
    tor-browser[.]org
    onion4fh3ko2ncex[.]onion

    Bitcoin Addresses:
    3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ
    3CEtinamJCciqSEgSLNoPpywWjviihYqrw
    1FUPnTZNBmTJrSTvJFweJvUKxRVcaMG8oS

  • In the Footsteps of a Sextortion Campaign - details of the Phorpiex malware spam campaign. The spam emails were unusual in that they included the victim’s leaked online passwords and demanded a ransom in bitcoin in exchange for keeping webcam recordings private. The campaign may be related to the Save Yourself blackmail/cryptominer campaign reported earlier.

    Indicators:

    Bitcoin Addresses

  • SAFU Wallet is Malicious, Binance Warns Community Members - a malicious Chrome extension designed to steal cryptocurrency wallet private keys and passwords.

    Indicators:
    Attacker’s address: bnb168zhf9n3ve4mj35sgmtrvz54uyzc9r3e3xrder

  • Backdoored ZecWallet - a malicious version of the Zcash wallet software is circulating, according to a PSA by the Electric Coin Company.

That’s all for this week in blockchain threat intelligence. Stay safe and see you all next week!
