To the moon and hack: Pretend SafeMoon app drops malware to spy on you

To the moon and hack: Fake SafeMoon app drops malware to spy on you

Cryptocurrencies rise and fall, however one factor stays the identical – cybercriminals try and money in on the craze

Cybercriminals are attempting to capitalize on “the subsequent large factor” within the turbulent cryptocurrency house in an try and take distant management of individuals’s computer systems after which steal their passwords and cash. A marketing campaign noticed lately impersonates the SafeMoon cryptocurrency app and makes use of a pretend replace to lure Discord customers to an internet site that distributes a well known distant entry device (RAT).

SafeMoon is likely one of the newest altcoins to, properly, shoot for the moon. Ever since its inception six months in the past, SafeMoon has been extremely widespread (and duly risky), with the craze propelled by influencers and quite a few fans on social media. The thrill hasn’t escaped the discover of scammers, as swindles focusing on cryptocurrency customers – together with fraud that namedrops celebrities to provide it some further attract – have been working rampant for years.

Houston, we now have an issue

The ruse exploiting SafeMoon’s sudden reputation begins with a message (Determine 1) that scammers have despatched to quite a few customers on Discord, the place they pose because the official SafeMoon account on the positioning to advertise a brand new model of the app.

Determine 1. The message impersonating SafeMoon

If you happen to had been to click on on the URL within the message, you’ll land on an internet site (Determine 2) that’s apparently designed to look the a part of SafeMoon’s official web site – its previous model, to be precise. First reported by a Reddit person in August 2021, the area identify additionally mimics its reliable counterpart, besides that it provides an additional letter on the finish within the hopes that the distinction will go unnoticed by most individuals of their haste to acquire the required “replace”. As of the time of writing, the malicious web site continues to be up and working.

Determine 2. The pretend (L) versus the reliable (R) SafeMoon web site, August 2021 (supply:

Determine 3. The official SafeMoon web site, early October 2021

All exterior hyperlinks on the positioning are reliable, aside from the arguably most essential one – the hyperlink that prompts you to obtain the “official” SafeMoon app from the Google Play Retailer. As an alternative of the SafeMoon app for Android gadgets, it downloads a payload that features reasonably widespread, off-the-shelf Home windows software program that can be utilized each for reliable and nefarious ends.

Determine 4. The event part of the obfuscated malicious app

Upon execution, the installer (Safemoon-App-v2.0.6.exe) will drop a number of information on the system, together with a RAT referred to as Remcos. Whereas touted as a reliable device, this RAT can be being peddled on the market in underground boards, which additionally earned it an official alert from US authorities shortly after the device was launched. If used for evil ends, a RAT is commonly understood to face for a “distant entry trojan” as a substitute.

Remcos has since been deployed in quite a few campaigns, each by cybercrime and cyberespionage teams. Certainly, only a few months in the past ESET researchers noticed Remcos in what they nicknamed “Operation Spalax”, the place risk actors took intention at a slew of organizations in Colombia.

As is customary with RATs, Remcos provides the attacker a backdoor into the sufferer’s pc and is used to assemble delicate knowledge from the sufferer. It’s operated by way of a command and management (C&C) server whose IP handle is injected into the downloaded information. Remcos’s capabilities embrace theft of login credentials from varied internet browsers, logging keystrokes, hijacking the webcam, capturing audio from the sufferer’s microphone, downloading and executing further malware on the machine … the entire 9 yards, actually.

A cursory have a look at the RAT’s configuration file (Determine 5) offers an thought of its intensive performance.

Determine 5. A part of the Remcos configuration file binary displaying a few of what the RAT is after

Strap your self in

Just a few primary precautions will go a good distance in the direction of staying protected from these scams:

  • Be cautious of any out-of-the-blue communications, be it by way of e mail, social media, texts or different channels
  • Don’t click on on hyperlinks in such messages, particularly after they come from an unverified supply
  • Be alert to irregularities in URLs – you’re higher off typing it in your self
  • Use sturdy and distinctive passwords or passphrases and, wherever out there, two-factor authentication (2FA)
  • Use complete safety software program

On the subject of investing in cryptocurrencies, it’s good to proceed with warning, and never simply because the market is rife with funding fraud, pretend giveaways and different scams. However certainly you understand the drill by now.

Indicators of Compromise (IoCs)

SHA-256 hash ESET detection identify
035041983ADCFB47BBA63E81D2B98FA928FB7E022F51ED4A897366542D784E5B A Variant of MSIL/Injector.VQB

The information downloaded later as a part of the Remcos “package deal” are detected by ESET merchandise as Win32/Rescoms.B.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts