To the moon and hack: Fake SafeMoon app drops malware to spy on you

Cryptocurrencies rise and fall, but one thing stays the same – cybercriminals attempt to cash in on the craze

Cybercriminals are trying to capitalize on “the next big thing” in the turbulent cryptocurrency space in an attempt to take remote control of people’s computers and then steal their passwords and money. A campaign observed recently impersonates the SafeMoon cryptocurrency app and uses a fake update to lure Discord users to a website that distributes a well-known remote access tool (RAT).

SafeMoon is one of the latest altcoins to, well, shoot for the moon. Ever since its inception six months ago, SafeMoon has been highly popular (and duly volatile), with the craze propelled by influencers and numerous enthusiasts on social media. The buzz hasn’t escaped the notice of scammers, as swindles targeting cryptocurrency users – including fraud that namedrops celebrities to give it some extra allure – have been running rampant for years.

Houston, we have a problem

The ruse exploiting SafeMoon’s sudden popularity begins with a message (Figure 1) that scammers have sent to a number of users on Discord, where they pose as the official SafeMoon account on the platform to promote a new version of the app.

Figure 1. The message impersonating SafeMoon

If you were to click on the URL in the message, you’d land on a website (Figure 2) that is apparently designed to look the part of SafeMoon’s official site – its old version, to be precise. First reported by a Reddit user in August 2021, the domain name also mimics its legitimate counterpart, except that it adds an extra letter at the end in the hope that the difference will go unnoticed by most people in their haste to obtain the required “update”. As of the time of writing, the malicious site is still up and running.

Figure 2. The fake (L) versus the legitimate (R) SafeMoon website, August 2021 (source:

Figure 3. The official SafeMoon website, early October 2021

All external links on the site are legitimate, except for the arguably most important one – the link that prompts you to download the “official” SafeMoon app from the Google Play Store. Instead of the SafeMoon app for Android devices, it downloads a payload that includes rather common, off-the-shelf Windows software that can be used for both legitimate and nefarious ends.

Figure 4. The event section of the obfuscated malicious app

Upon execution, the installer (Safemoon-App-v2.0.6.exe) drops several files on the system, including a RAT called Remcos. While touted as a legitimate tool, this RAT is also being peddled for sale on underground forums, which also earned it an official alert from US authorities shortly after the tool was released. When used for evil ends, the acronym RAT is commonly understood to stand for “remote access trojan” instead.

Remcos has since been deployed in a number of campaigns, by both cybercrime and cyberespionage groups. Indeed, just a few months ago ESET researchers spotted Remcos in what they nicknamed “Operation Spalax”, where threat actors took aim at a slew of organizations in Colombia.

As is customary with RATs, Remcos gives the attacker a backdoor into the victim’s computer and is used to gather sensitive data from the victim. It is operated via a command and control (C&C) server whose IP address is injected into the downloaded files. Remcos’s capabilities include theft of login credentials from various web browsers, logging keystrokes, hijacking the webcam, capturing audio from the victim’s microphone, downloading and executing additional malware on the machine … the whole nine yards, really.

A cursory look at the RAT’s configuration file (Figure 5) gives an idea of its extensive functionality.

Figure 5. Part of the Remcos configuration file binary showing some of what the RAT is after

Strap yourself in

A few basic precautions will go a long way towards staying safe from these scams:

  • Be wary of any out-of-the-blue communications, be it via email, social media, texts or other channels
  • Don’t click on links in such messages, especially when they come from an unverified source
  • Be alert to irregularities in URLs – you’re better off typing the address in yourself
  • Use strong and unique passwords or passphrases and, wherever available, two-factor authentication (2FA)
  • Use comprehensive security software

When it comes to investing in cryptocurrencies, you need to proceed with caution, and not just because the market is rife with investment fraud, fake giveaways and other scams. But surely you know the drill by now.
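The lookalike domain described above (the legitimate name with one extra letter appended) is exactly the kind of “irregularity in URLs” that is easy to miss by eye and easy to flag mechanically. The following is an added example, not code from ESET or from the article: a small checker that compares a URL’s hostname against a list of trusted domains using edit distance, so that a name one or two characters away from a trusted one is reported as a lookalike. The trusted list and the “.example” domains are constructed placeholders; the page does not name the actual lookalike domain.

```python
from urllib.parse import urlparse

# Constructed placeholders: the article does not disclose the real domains,
# so "safemoon.example" stands in for the legitimate site.
TRUSTED_DOMAINS = {"safemoon.example", "discord.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lowercased hostname without port or a leading 'www.'.
    Simplification: no public-suffix list is consulted."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's host.

    'lookalike' means the host is not trusted, yet its first label is within
    max_distance edits of a trusted domain's first label. This catches the
    extra-trailing-letter trick from the article as well as a trusted name
    buried inside a longer, attacker-controlled hostname.
    """
    host = hostname_of(url)
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    label = host.split(".")[0]
    for t in trusted:
        if levenshtein(label, t.split(".")[0]) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind a Discord message might carry.
    for u in ("https://safemoon.example/app", "https://safemoonn.example/update",
              "http://safemoon.example.evil.test/", "https://example.org"):
        print(f"{classify_url(u):10} {u}")
```

In practice the trusted list would be the organisation’s own allowlist and the result would feed a mail or chat filter rather than be printed.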

Indicators of Compromise (IoCs)

SHA-256 hash: 035041983ADCFB47BBA63E81D2B98FA928FB7E022F51ED4A897366542D784E5B
ESET detection name: A Variant of MSIL/Injector.VQB

The files downloaded later as part of the Remcos “package” are detected by ESET products as Win32/Rescoms.B.
