BitRAT Propagates via NFT Lures

Diving into details

• Researchers couldn't determine the original source of the file, named NFT_Items.xlsm.
• Among the two workbooks of the file, one is written in Hebrew.
• This workbook includes legitimate Discord rooms related to NFTs, as well as names of NFTs and predictions for investment returns.
• The attack exploits Discord by hosting malicious files.
• FortiGuard Labs confirmed that the attack probably targeted NFT enthusiasts in Israel.

About BitRAT

• First spotted in August 2020, BitRAT leverages Hidden VNC (HVNC) that allows remote access to the infected machine.
• The malware got its HVNC code from TinyNuke.
• The HVNC communication will fail if the traffic header is not AVE_MARIA.
• BitRAT can evade UAC and Windows Defender. It can, furthermore, monitor the screen and webcam.
• Other capabilities include stealing credentials from apps and browsers, using Slowloris for DDoS functionality, Monero mining, keystroke logging, and uploading and downloading additional files.

Some other threats to crypto

• CoinStomp, a new malware, was targeting cloud services for cryptomining.
• Mars Stealer, a redesign of the Oski malware, was found pilfering information from cryptocurrency wallets and extensions and several famous web browsers.
• January saw the new BHUNT cryptostealer exfiltrating wallet content from Bitcoin, Ethereum, Exodus, Electrum, and Atomic.

The bottom line