Fake cryptocurrency wallet carries ransomware, leads to spyware


People around the world are rushing to acquire all kinds of cryptocurrency, hoping that prices will go up and they will be rolling in money when they sell their investment stash. Criminals have, expectedly, noticed the rush and are doing their level best to cash in on it.

The latest attack on cryptocurrency-hungry users comes in the form of fake wallet software carrying ransomware.


About the malware

Fortinet FortiGuard Labs researchers have spotted and analyzed “Spritecoin,” a fake wallet application that not only carries ransomware, but also an information-stealing component.

The fake wallet is apparently being advertised on a variety of online forums. The advertised link takes users to a page that explains what SpriteCoin is and offers a link to download the wallet.

Once the victim downloads and installs the offered executable (spritecoind.exe), they are asked to enter a password for the wallet and to wait until the app downloads the blockchain:


Unfortunately for the victims, there is no real SpriteCoin, and the software does not download a blockchain.

Instead, while users are waiting, the malware exfiltrates login credentials from the user's Chrome and Firefox credential stores, encrypts their files, and demands 0.3 Monero for the decryption key.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr. While we have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before,” the researchers shared.

The criminals behind this scheme rely on users trusting random offers on the Internet, downloading and starting the malware themselves, and not having offline backups of their most important files.