Apple users beware: a new and sophisticated form of malware has been uncovered by Kaspersky Labs, targeting the digital sanctuaries of cryptocurrency enthusiasts – their Bitcoin and Exodus wallets.
This malicious software, which has been found to affect users predominantly in the United States and Germany, is distributed through pirated applications and is specifically engineered to compromise macOS versions 13.6 (Ventura) and higher.
The malware operates by replacing legitimate wallet applications with trojanized versions, designed to stealthily steal the recovery phrases of unsuspecting victims. Once these phrases are obtained, attackers gain full control over the digital wallets, enabling them to transfer funds without the user’s consent or knowledge.
Our experts review a new #macOS backdoor exploiting cracked software, targeting #Bitcoin & #Exodus wallets. This malicious software replaces the wallets with #malware, deploying a potent backdoor running scripts with admin privileges.
Full report ⇒ https://t.co/eJXIdp9n3b pic.twitter.com/5Kw0ppUZYg
— Kaspersky (@kaspersky) January 22, 2024
How It Gets Distributed
The distribution method of this malware is particularly insidious. It is hidden within cracked software – a lure for users seeking free access to paid applications. Upon downloading and attempting to install these pirated apps, users are presented with a fake “Activator” program that requests the system admin password. This seemingly innocuous step is, in fact, the malware’s gateway to obtaining root access to the computer.
Once installed, the malware employs a novel technique using DNS TXT records to deliver an encrypted Python script. This script is responsible for establishing persistence on the infected system and downloading the main payload – a backdoor that allows the malware to execute commands, gather system data, and search for the presence of Exodus and Bitcoin Core wallets.
If such wallets are found on the infected system, the malware proceeds to replace them with infected versions. These compromised wallets are programmed to transmit sensitive information, such as secret recovery phrases, to a command-and-control server as soon as the wallet is unlocked by the user.
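The delivery step described above (an encrypted script arriving in DNS TXT answers rather than over HTTP) is something a defender can look for in resolver logs. The following is an added example written for this article, not code from Kaspersky's report or from the malware: it parses constructed DNS log lines in an assumed "<timestamp> <client> <qname> TXT "<rdata>"" format and scores each TXT answer by length, character set and Shannon entropy, so that long, high-entropy, base64-looking records stand out from ordinary SPF, DMARC or site-verification records. The thresholds, the benign-prefix list and the domain names are assumptions to be tuned for a real environment.

```python
"""Heuristic detector for DNS TXT answers that look like encoded payload chunks.

Added example for this article (not Kaspersky's code). The log format, the
thresholds and the sample records below are all constructed assumptions.
"""
import base64
import hashlib
import math
import re
from collections import defaultdict
from dataclasses import dataclass

# Long but expected TXT records start with these prefixes (assumed list; extend for your estate).
BENIGN_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1", "google-site-verification=", "ms=")
MIN_SUSPECT_LEN = 120        # assumed: SPF/DMARC answers are normally shorter than this
MIN_ENTROPY_BITS = 4.5       # assumed: base64 of random/encrypted bytes scores about 5.5-6.0
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) TXT "(.*)"$')   # assumed log line shape


@dataclass
class TxtRecord:
    ts: str
    client: str
    qname: str
    rdata: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list[TxtRecord]:
    """Parse lines of the assumed form: <ts> <client> <qname> TXT "<rdata>"."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(TxtRecord(*m.groups()))
    return records


def suspicion_score(rdata: str) -> int:
    """0 = looks like normal TXT data; 3 = long, base64-shaped and high-entropy."""
    body = rdata.strip()
    if body.lower().startswith(BENIGN_PREFIXES):
        return 0
    score = 0
    if len(body) >= MIN_SUSPECT_LEN:
        score += 1
    if B64_RE.match(body):
        score += 1
    if shannon_entropy(body) >= MIN_ENTROPY_BITS:
        score += 1
    return score


def flag_payload_like_txt(text: str, threshold: int = 3) -> dict[str, int]:
    """Return {qname: count of TXT answers scoring >= threshold} for names worth reviewing."""
    hits = defaultdict(int)
    for rec in parse_log(text):
        if suspicion_score(rec.rdata) >= threshold:
            hits[rec.qname] += 1
    return dict(hits)


# Constructed sample data: 256 deterministic pseudo-random bytes stand in for an
# encrypted script chunk; they are not taken from any real sample.
_FAKE_BLOB = b"".join(hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(8))
FAKE_PAYLOAD_TXT = base64.b64encode(_FAKE_BLOB).decode()

SAMPLE_DNS_LOG = "\n".join([
    '2024-01-22T10:01:03Z 10.0.0.15 example.org TXT "v=spf1 include:_spf.example.org ~all"',
    '2024-01-22T10:01:07Z 10.0.0.15 _dmarc.example.org TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"',
    f'2024-01-22T10:02:11Z 10.0.0.15 cfg.loader.invalid TXT "{FAKE_PAYLOAD_TXT[:170]}"',
    f'2024-01-22T10:02:12Z 10.0.0.15 cfg.loader.invalid TXT "{FAKE_PAYLOAD_TXT[170:]}"',
])

if __name__ == "__main__":
    for name, count in flag_payload_like_txt(SAMPLE_DNS_LOG).items():
        print(f"review TXT traffic for {name}: {count} payload-like answers")
```

On the constructed log this reports only cfg.loader.invalid (two chunked answers); the SPF and DMARC records are excluded by prefix and would score low anyway. The heuristic is a triage aid, not a verdict: DKIM public keys and some vendor verification records are also long base64, which is why the prefix allow-list exists, and a real deployment should also count how many distinct TXT names a single host queries in a short window, since a loader fetching a multi-chunk script produces a burst of them.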
The implications of this malware are severe. As John Bambenek, President at Bambenek Consulting, points out,
“As the security to prevent stealing cryptocurrency relies on the privacy of the private wallet key and passphrase, stealing both means the attacker can immediately monetize the victim.”
This sentiment is echoed by Adam Neel, Threat Detection Engineer at Critical Start, who highlights the use of social engineering tactics, such as offering pirated software, to lure victims into downloading malware.
The FBI has issued warnings about the rise of such malware practices, and it’s not the first time that cryptocurrency wallets on macOS have been targeted. In the past, the Lazarus Group, linked to North Korea, has been implicated in similar attacks. Despite a slight decline in hacking incidents in 2023, the stakes remain high, with $2 billion stolen in crypto thefts, and a staggering $1.7 billion attributed to North Korean hackers in 2022 alone, allegedly to fund their nuclear weapons programs.
Security experts are urging users to exercise caution. Sergey Puzan, a security researcher at Kaspersky, advises against downloading cracked or modified apps, stating,
“The only reason malicious actors use cracked versions of applications is to lower the user’s guard and prompt them to enter the admin password, thereby granting root access to the malicious process.”
He further explains that the malware’s targeting of newer macOS versions suggests that the campaign is still in development.
Prevention Strategies
For those concerned about their digital safety, Kaspersky recommends downloading software only from trusted websites, keeping the operating system updated, running a reliable anti-malware solution, and refraining from installing apps from unofficial sources.
The discovery of this malware serves as a stark reminder of the ongoing risks associated with downloading cracked software and underscores the importance of maintaining robust security practices, especially when it comes to the protection of sensitive cryptocurrency assets.
The tactics employed by the attackers are not limited to the malware itself. They also involve creating a sense of legitimacy around the infected applications. By using cracked software as a vehicle for the malware, attackers exploit the user’s desire for free access to paid apps, thereby lowering their defenses and increasing the likelihood of successful infection.
Recent Malware Attacks on Crypto Wallets
The past incidents involving similar malware attacks on cryptocurrency wallets highlight a broader trend. Over $4 million was stolen through fake airdrops and scams on the Solana network, and hackers tied to North Korea’s Lazarus Group stole over $35 million from Atomic Wallet users. These events underscore the importance of vigilance in the face of increasingly creative and sophisticated cyber threats.
Moreover, it’s worth noting that even hardware wallets like Trezor, often touted as a more secure option for storing cryptocurrency, are not immune to such threats. A fake Ledger app previously led to the theft of 16.8 Bitcoin, demonstrating that attackers are continually finding new ways to circumvent security measures.
In light of these threats, JP Richardson, CEO of Exodus Wallet, has emphasized the company’s commitment to safeguarding customers, recommending the use of hardware wallets for additional security. However, he also acknowledges the alarming impact of malware attacks that leverage social engineering to deceive users.
To combat these risks, Kaspersky’s report on the malware provides detailed insights and serves as a critical resource for understanding the threat landscape. Additionally, resources such as Decrypt’s guide on cybersecurity in Web3 offer valuable information on protecting oneself and one’s digital assets.
Stay On Your Toes
In conclusion, the discovery of this new macOS malware targeting Exodus and Bitcoin wallets is a stark reminder of the ever-present dangers in the digital world. Users must remain vigilant, skeptical of too-good-to-be-true offers like cracked software, and invest in robust cybersecurity measures to protect their valuable digital assets.
As the landscape of cyber threats continues to evolve, staying informed and prepared is the best defense against these sophisticated attacks.