Malicious Malware Saefko Digs into Devices of Crypto Users

by Aziz Abdel-Qader
  • Among other things, Saefko searches for particular crypto websites that have been visited by the user.
Finance Magnates

Security researchers have uncovered a new remote-access trojan for sale on the dark web that’s attacking hardware to monitor trading and cryptocurrency-related activities.

The Zscaler ThreatLabZ team came across the new malware, called Saefko, which is written in .NET and has multiple functionalities. It belongs to the Remote Access Tool (RAT) family, enabling cybercriminals to take over accounts and automate fraud by opening a backdoor for remote control of the targeted computer.

Once the malware is installed on a device, fraudsters easily gain access to the victim machine to steal credentials, monitor user behavior by logging keystrokes, activate the system's webcam, take screenshots, format drives, and more. In other words, the intruder can do just about anything on the targeted computer, researchers said.

The Zscaler ThreatLabZ team explains that RATs are usually downloaded when a user opens an email attachment or installs infected apps or games on their device.

Most alarmingly, Saefko employs a number of tactics to fetch the Chrome browser history, looking for specific types of activity, such as visits involving credit cards, business, social media, gaming, cryptocurrency, and shopping.

Among other things, it searches for particular crypto websites that have been visited by the user and sends collected data to its server for further instructions. The malware also looks for cryptocurrency info on the system to check if it’s worth compromising and then uses a hidden updater tool to control infrastructure and initiate the process of stealing the cryptocurrency via a second-stage installation.

According to the researchers’ findings, the list of crypto sites it searches includes:


Saefko only installs itself if it determines that it will go undetected, and once one computer on a network is infected, the malware tries to infect other systems on that network to spread the infection.

The report goes on to say that cryptocurrency holders should be especially careful because it is almost impossible to recover any stolen coins.

“To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren't from a trusted source. At the administrative level, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT,” it explains.
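The report's last two points, monitor outgoing traffic and expect the malware to keep its activity sparse, suggest looking for regularity rather than volume. The following is an added example, not code from the article or from Zscaler, that flags a process contacting the same host on a steady timer; the log format, process names and addresses are all constructed.

```python
# Added example (not from the Zscaler report or the article): a RAT such as
# Saefko keeps its traffic sparse to avoid attention, so rather than volume
# we look for regularity: one process contacting one host on a steady timer.
# The log format, process names and addresses below are all constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: "<ISO timestamp> <process> <host:port> <bytes>"
SAMPLE_LOG = """\
2019-08-05T09:00:00 chrome.exe www.example.org:443 18234
2019-08-05T09:00:02 updater.exe 203.0.113.7:8080 412
2019-08-05T09:00:05 chrome.exe www.example.org:443 9911
2019-08-05T09:05:01 updater.exe 203.0.113.7:8080 409
2019-08-05T09:10:03 updater.exe 203.0.113.7:8080 415
2019-08-05T09:11:40 chrome.exe cdn.example.net:443 51000
2019-08-05T09:15:00 updater.exe 203.0.113.7:8080 411
2019-08-05T09:20:02 updater.exe 203.0.113.7:8080 408
"""

def parse_log(text):
    """Group connection timestamps by (process, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, proc, dest, _size = line.split()
            conns[(proc, dest)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(conns, min_hits=4, max_jitter=0.2):
    """Return (process, dest, mean_gap_seconds) for every pair seen at least
    min_hits times whose gaps vary by no more than max_jitter (stdev/mean)."""
    hits = []
    for (proc, dest), stamps in conns.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Near-constant gaps point to a timer; human browsing is bursty.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((proc, dest, round(avg)))
    return hits

if __name__ == "__main__":
    for proc, dest, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {proc} -> {dest} every ~{gap}s")
```

On the constructed sample only the updater process is reported, with a five-minute period; the browser's two visits to the same site fall below min_hits and are ignored.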
