Security researchers have uncovered a new remote-access trojan for sale on the dark web that targets victims' machines to monitor trading and cryptocurrency-related activity.

The Zscaler ThreatLabZ team came across the new malware, called Saefko, which is written in .NET and has multiple functionalities. It belongs to the Remote Access Tool (RAT) family, enabling cybercriminals to take over accounts and automate fraud by opening a backdoor for remote control of the targeted computer.

Once installed on the device, fraudsters easily gain access to the victim machine to steal credentials, monitor user behavior by logging keystrokes, activate the system's webcam, take screenshots, format drives, and more. In other words, the intruder can do just about anything on the targeted computer, researchers said.

The Zscaler ThreatLabZ team explains that RATs are usually downloaded when a user opens an email attachment or installs infected apps or games on their device.

Most alarming, though, is that Saefko employs a number of tactics to fetch the Chrome browser history, looking for specific types of activity, such as those involving credit cards, business, social media, gaming, cryptocurrency, and shopping.

Among other things, it searches for particular crypto websites that have been visited by the user and sends collected data to its server for further instructions. The malware also looks for cryptocurrency info on the system to check if it’s worth compromising and then uses a hidden updater tool to control infrastructure and initiate the process of stealing the cryptocurrency via a second-stage installation.

According to the researchers' findings, the list of crypto sites it searches spans exchanges, trading platforms, wallets and cryptocurrency news sites.


Saefko only installs itself if it thinks it will go undetected, and after one computer on a network is infected, the malware tries to infect other systems on the same network to spread the infection.

The report goes on to say that cryptocurrency holders should be especially careful because it is almost impossible to recover any stolen coins.

“To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren't from a trusted source. At the administrative level, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT,” it explains.
