Topic: Beware! MultiPlatform Malware Try To Steal Your Wallet (Read 3607 times)

sr. member
Activity: 467
Merit: 267
Someone decompiled the jar at https://bitbucket.org/indistic/rat/src

It's a trojan that turns your machine into a bot.
From what I see from the source code...

It connects to a remote server, logs in with the credentials that are in its config.xml, and then waits for orders.
There are several commands. You can see them in the options folder:
- pop up a message window
- execute arbitrary system commands
- execute code that it sends to you
- upload a plugin, i.e. new code to extend its functionality
- browse to a URL
- upload a screenshot

Yeah ... it's pretty bad.

--h
member
Activity: 119
Merit: 10
Wait - let me get this straight - you got an email with an executable attachment - and you ran it?

Um.

*walks away from computer*

And.....
Then goes on to say "I use GNU/Linux and even GNU/Linux are vulnerable!"
legendary
Activity: 1274
Merit: 1004
It's unrecom aka adwind rat.
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
"I downloaded and run the attachment ...."


there i stopped reading.
hero member
Activity: 798
Merit: 1000
I've gotten emails like this too, only it hasn't been anything to do with Bitcoin (so far). I'm sorry you had to learn this lesson the hard way. This is why I don't like downloading anything that has a .tar.gz, .RAR or .EXE extension unless it's from the official website and I know exactly what it's supposed to do. If you just get an email from somebody claiming to be a service you use out of the blue, open another tab on your browser and go DIRECTLY to the official website so you can see what's really going on.
full member
Activity: 164
Merit: 100
I did not want to ask.
I wanted to run it in a VM under Ubuntu on a newly formatted laptop without personal data. I wanted to analyze it, do some network captures and put infected files on my VM. But I read "this RAT actually checks if virtualbox is installed and running, and exits if it is. So it tries to evade analysis That Way." and do not understand what this means.
How can I analyze it?
Any tool?

You need to install the Java Runtime Environment on your virtual machine. This RAT will not work without the Java Runtime Environment.
sr. member
Activity: 322
Merit: 252
Here I Am !!
newbie
Activity: 55
Merit: 0
Can I open it in a VM to see what happens?

If you need to ask...

NO!

Really, when analysing malware, if you don't know exactly what you're doing and that you're doing it safely, don't do it at all!

Onkel Paul



I did not want to ask.
I wanted to run it in a VM under Ubuntu on a newly formatted laptop without personal data. I wanted to analyze it, do some network captures and put infected files on my VM. But I read "this RAT actually checks if virtualbox is installed and running, and exits if it is. So it tries to evade analysis That Way." and do not understand what this means.
How can I analyze it?
Any tool?
legendary
Activity: 1039
Merit: 1005
Can I open it in a VM to see what happens?

If you need to ask...

NO!

Really, when analysing malware, if you don't know exactly what you're doing and that you're doing it safely, don't do it at all!

Onkel Paul

newbie
Activity: 55
Merit: 0
Can I open it in a VM to see what happens?
full member
Activity: 193
Merit: 100
Java disassembler doesn't help much, because this malware is obfuscated by Allatori (a java obfuscator).
Some interesting discussions are going on here:
http://forum.blockland.us/index.php?topic=261243.msg7644049#msg7644049
full member
Activity: 193
Merit: 100
I got an email titled "OKCoin Invoice" today with the same malware attached. It seems the malware is being widely spread.
full member
Activity: 164
Merit: 100
Tried on Windows 8.1

On Windows 8.1 the JAR file runs on a single double-click without any warnings. No need to mark it as executable first. The antivirus also doesn't show any warnings. I use Panda Internet Security 2014, latest update, and there was no warning at all.

The malware installed itself in this directory:

Because it uses the super hidden attribute, you can't see the file. You will not even find the FolrderName folder unless you reveal it using the attrib -s -h /s /d command. Turning on "show hidden items" doesn't reveal the malware.





The malware starts itself when the infected user logs in. You can see it in Task Manager under the Start-up tab; there is a Java entry there.

The malware also creates a directory in C:\Users\<username>\.RsPJzZlzez

To remove it manually, disable the start-up process and delete that hidden folder (you have to use the attrib -s -h /s /d command to reveal it).
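One way to check a Windows machine for the two traits this post describes (a Java entry in the startup list and a super hidden folder under the user profile), as an added PowerShell example that is not code from the thread. It assumes the Run registry keys and %USERPROFILE% / %APPDATA% are the places to look, and does not hardcode the folder name because it varies per sample.

```powershell
# Added example, not from the thread: hunt for the two persistence traits the post
# describes, a startup entry launching a .jar and a Hidden+System ("super hidden")
# directory in the profile. Run from an elevated PowerShell; review hits before deleting.

# 1. Run keys (what Task Manager's Start-up tab also lists): flag values launching a .jar.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties Get-ItemProperty adds
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $cmd = [string]$p.Value
        # e.g. "...\javaw.exe" -jar "C:\Users\<user>\.RsPJzZlzez\<name>.jar"
        if ($cmd -match '(?i)\bjavaw?(\.exe)?\b.*\.jar') {
            Write-Output ("Run entry launching a JAR: {0}\{1} = {2}" -f $key, $p.Name, $cmd)
        }
    }
}

# 2. Hidden+System directories under the profile and %APPDATA%. Explorer's "show hidden
#    items" does not reveal these; attrib -s -h /s /d does. Reparse points (the legacy
#    "Application Data" and similar junctions) are Hidden+System by design and are skipped.
$roots = @($env:USERPROFILE, $env:APPDATA)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
            -not $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
        } |
        ForEach-Object {
            Write-Output ("Hidden+System directory: {0}" -f $_.FullName)
            # List the contents so the dropped binaries can be inspected before removal
            Get-ChildItem -Path $_.FullName -File -Force -Recurse -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime
        }
}
```

Anything reported by the second check that is not a known junction deserves a look with a hex editor or a hash lookup before it is deleted, as the later post in this thread does.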
full member
Activity: 164
Merit: 100
I have been away since my last (failed trading > left bitcoins untouched till they were worth millions > decided they were safe in mtgox > lost em all)

Leaving that behind, I just got an email from "[email protected]" saying:

Quote
Dear User

Successful authorization.

0.758484 BTC Has been Send To another account

To show invoice , Download From Attach


Regards,


Administration of btcguild.com

Attached it has a file named "invoice_btc487744.jar"

Since I no longer mine, and I have not been on that pool for ages, I knew I had no btc there.

Then again, a .jar CANNOT be an invoice

May I have the JAR file? Probably the same malware as I have.

I also found a hidden folder RsPJzZlzez that contains three binary files. I opened them with a hex editor and found strings like wallet.dat and multibit.wallet. Even DogeCoin and many other altcoins are targeted.

____________
How to steal from web wallet? Phishing site

How to steal from desktop wallet? Trojan horse
newbie
Activity: 78
Merit: 0
I have been away since my last (failed trading > left bitcoins untouched till they were worth millions > decided they were safe in mtgox > lost em all)

Leaving that behind, I just got an email from "[email protected]" saying:

Quote
Dear User

Successful authorization.

0.758484 BTC Has been Send To another account

To show invoice , Download From Attach


Regards,


Administration of btcguild.com

Attached it has a file named "invoice_btc487744.jar"

Since I no longer mine, and I have not been on that pool for ages, I knew I had no btc there.

Then again, a .jar CANNOT be an invoice
full member
Activity: 164
Merit: 100
I am n00b in programming. Could anyone who understand Java tell me what the malware does?
full member
Activity: 164
Merit: 100
On Windows XP it runs on a single double-click without any warning.

It installs itself in C:\Document and Settings\<username>\Application Data\FolrderName with the super hidden attribute, and is automatically run on startup (see the System Configuration Utility, msconfig).
hero member
Activity: 630
Merit: 500
Wait - let me get this straight - you got an email with an executable attachment - and you ran it?

Um.

*walks away from computer*
No. He got an email with attachment. He saved the attachment and changed the saved .jar file permissions to 'executable'. Then he ran the file.
What more to say...
sr. member
Activity: 350
Merit: 250
Wait - let me get this straight - you got an email with an executable attachment - and you ran it?

Um.

*walks away from computer*
sr. member
Activity: 252
Merit: 250
Thank you for pointing it out; it could most probably be a keylogger.

Kindly use a sandbox before playing with any suspicious file.