loader gif

Scammer targets cryptocurrency wallets using multiple backdoors to lure coin holders

Scammer targets cryptocurrency wallets using multiple backdoors to lure coin holders
  • The scammer was using multiple backdoors to steal Dogecoins.
  • Over 10,000 users have been defrauded by the scammer.

A cybercriminal has been targeting cryptocurrency users using a wide range of malware and various other malicious methods to steal cryptocurrencies. The scammer was found luring victims by offering them a chance to earn digital coins. However, the lure involved tricking victims into installing data-stealing malware variants and backdoors that gave the scammer access to the victim’s sensitive data.

The hacker was found using several aliases, such as Investimer, Hyipblock or Mmpower and was focused on stealing Dogecoins.

According to the Russian security company Dr.Web, the scammer was found using “a wide range of commercial Trojans” that are available on underground online forums.

Motive - Illegal income

The different types Investimer scams posted on the internet include posing as a legitimate cryptocurrency exchange service, running fake online lotteries, renting nonexistent cryptocurrency mining pools or promising digital coins in exchange for surfing the internet.

However, experts suggest that the scammer’s ultimate aim was generating a steady stream of illegal income. Researchers believe that around 10,000 users have likely already been defrauded by Investimer in various attacks.

Malware and backdoor used

The hacker was found using DarkVNC - “a TeamViewer - based Spy-Agent backdoor” - alongside Hidden Virtual Network Connection (HVNC) backdoors that access infected computers via a VNC protocol. This, in turn, allowed the hacker to gain access to victims’ computers.

Dr.Web analysts also noted that the hacker used backdoors based on “Remote Manipulator System / Remote Utilities (RMS)” to gain remote control of an infected system.

The SmokeLoader trojan was also widely applied in various instance by the hacker. The malware is “a small application used to download other malware. It is often distributed via spam campaigns and exploit kits. The trojan also evades detection by changing the timestamp of its executable to prevent the malware from being located by searching recently modified files,” the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), said in a previous report.

Another malware loader, developed by Danji and a Trojan miner that has “inbuilt” clipper feature for modifying victims clipboard content was also used by Investimer during attacks.

The command and control servers of the cybercriminals scams are hosted on websites including jino.ru, hostlife.net, and macrosnet.ru, Dr.Web said.

Simple phishing baits

The scammer also leverages simple phishing methods to trick users. One such example involves Investimer creating a website that offers a reward for bringing new users to an Ethereum payment system. In reality, the malicious site captures the information users enter in during the registration process.

“Our experts estimate the damage to the victims is at over $23,000, in addition to more than 182,000 Dogecoins, which equals about $900 at the current rate,” Dr.Web researchers said in a report. “The online scammer, nicknamed Investimer, Hyipblock, or Mmpower, uses a wide range of commercial Trojans that are currently prevalent in the underground market, including the stealers Eredel, AZORult, Kpot, Kratos, N0F1L3, ACRUX, Predator The Thief, Arkei, and Pony.”
loader gif