The official Jaxx cryptocurrency wallet became cybercriminals’ latest victim after security researchers discovered a spoofed domain of the platform being used by threat actors to steal wallet credentials and cryptocurrency.
Flashpoint researchers discovered that the fake site used a URL similar to the original one. The legitimate Jaxx Liberty site is located at jaxx.io, while the fake site set up by the attackers was at jaxx.ws.
The campaign began on August 19, when the fake site was created, and it targeted both Windows and Mac OS X users.
“The start date for this campaign figures to be Aug. 19 when the fraudulent domain was created. The attackers were targeting Windows and Mac OS X users with a variety of malware developed for the desktop platforms. Anyone who clicked on the mobile downloads was redirected to the legitimate Jaxx website,” Flashpoint researchers said in a blog post.
The malware was designed to be silently installed in the background when a user visited the fraudulent website. Visitors who clicked on the fraudulent links for the Mac OS X software were presented with a malicious Java Archive (JAR) file. This fake file contained a custom-written .NET application which, when downloaded, could exfiltrate all the data on a victim’s desktop and send it to the C2 server.
In addition, the .NET application downloaded the KPOT stealer and the Clipper. According to Flashpoint researchers, both are marketed on underground Russian cybercrime forums. While KPOT is used to steal information from hard drives, Clipper monitors the system clipboard for wallet addresses.
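A defender-side sketch of how this kind of clipboard tampering can be spotted, added here as an example and not taken from Flashpoint's report or from the malware itself: it flags a wallet address that is replaced by a different address of the same currency within a short window. The event format, the two-second window and the sample addresses are assumptions constructed for illustration.

```python
import re

# Address formats for the two currencies the article names.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"
    ),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the currency name if text looks like a wallet address, else None."""
    value = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


def find_swaps(events, window_seconds=2.0):
    """events: time-ordered (timestamp_seconds, clipboard_text) observations.

    Assumption: a person rarely copies two different addresses of the same
    currency within window_seconds, so such a change is reported as a swap.
    """
    alerts = []
    previous = None  # (timestamp, currency or None, value)
    for ts, text in events:
        kind, value = classify(text), text.strip()
        if (kind and previous and previous[1] == kind
                and previous[2] != value and ts - previous[0] <= window_seconds):
            alerts.append({"time": ts, "currency": kind,
                           "copied": previous[2], "replaced_with": value})
        previous = (ts, kind, value)
    return alerts


# Constructed observations; the addresses are placeholders, not real wallets.
SAMPLE_EVENTS = [
    (0.0, "invoice #4471"),
    (10.0, "1" + "A" * 33),    # user copies the recipient address
    (10.3, "1" + "B" * 33),    # a different address appears 0.3 s later
    (60.0, "0x" + "a" * 40),
    (95.0, "0x" + "b" * 40),   # 35 s later: outside the window, normal copy
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```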
"By changing these addresses in the clipboard, victims may not notice the modified recipient after copying and pasting these long alphanumeric addresses while sending payments," Flashpoint researchers said.
Researchers also found that the attackers primarily used social engineering tricks to conduct the campaign. However, it is still unknown how the attackers managed to poison search results to display their fake site. It is also unclear whether the cybercriminals used email phishing techniques or whether they created any fake chat applications.
The attack campaign did not involve the exploitation of any vulnerabilities in the application, website or any other domain owned by Decentral, the Canadian blockchain startup that provides Jaxx.
The Jaxx cryptocurrency wallet supports Bitcoin, Ethereum and over a dozen other cryptocurrencies. However, the firm is still uncertain about the amount of funds it may have lost due to the attack and the number of customers that were impacted.
Flashpoint notified the Jaxx support team and Cloudflare about the phishing campaign, following which the services to the fake website were suspended.
"This malware campaign indicates that cybercriminals may go to great lengths to socially engineer an organization's customers into installing malware to ultimately steal digital currency," Flashpoint said. "It's likely cybercriminals will continue to leverage commodity malware kits offered for sale in underground hacking forums to steal credentials and/or digital currency from victims."