Bitcoin traders beware: Fake trading bot offer delivers RAT

As the price of Bitcoin keeps hitting surprising heights, more and more cyber crooks are turning their sights on anything and anyone who trades or uses the popular cryptocurrency.

The latest attempt to deliver malware to a specific group of Bitcoin users was spotted by Fortinet researchers.

A RAT is delivered

The malicious offer comes via email: a free trial of Gunbot, a new bitcoin trading bot developed by Gunthy:

Fake trading bot offer delivers RAT

The email carries an attachement – a VB Script that, when executed, downloads a file that looks like a JPEG image file, but it’s actually a PE binary.

“At first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures. After further analysis, however, we found that it is a trojanized version of an open source inventory system tool named TTJ-Inventory System,” the researchers found.

Ultimately, this malicious file ends up installing a number of executables.

One of these executables makes sure that the malware will be executed each time the system is rebooted. Another one is the Orcus RAT server.

“Orcus, although advertised as a Remote Administration Tool, offers features that are beyond that scope. For instance, the user has the ability to disable the light indicator on webcams so as to not alert the target that it’s active. It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if the someone tries to kill its process,” the researchers noted.

“A plugin that can be used to perform Distributed Denial of Service (DDOS) is also available directly from their repository. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

Just a part of a broader malicious effort

The site from which the malware is downloaded is parked on the https://bltcointalk(.)com domain, which is still up and accessible, and researchers found other domains registered by the same actor:

OPIS

It seems obvious they are meant to host fake sites impersonating Bitcoin and Litecoin marketplace and auction site Bitify, Bitcoin forum Bitcointalk, the Github code repository, and the Gunthy website.

Some of these domains are active, and sport decent copies of the legitimate sites they impersonate. They have likely been set up to harvest login credentials or make visitors download malware.