Cybercriminals are trying to cash in on the “next big thing” in the turbulent cryptocurrency space in an attempt to take remote control of people’s computers and then steal their passwords and money. A recently detected campaign masquerades as the cryptocurrency app SafeMoon and uses a fake update to lure Discord users to a website that distributes a well-known remote access tool (RAT).
SafeMoon is one of the latest altcoins to, well, aim for the moon. Since its inception six months ago, SafeMoon has been hugely popular (and appropriately volatile), with the craze fueled by influencers and numerous enthusiasts on social media. The hype hasn’t escaped the attention of scammers, as scams targeting cryptocurrency users, including celebrity-name-dropping fraud for added appeal, have been rampant for years.
Houston, we have a problem
The ruse that exploits the sudden popularity of SafeMoon begins with a message (Figure 1) that the scammers have sent to various users on Discord. Posing as the official SafeMoon account, the scammers promote a new version of the app.
If you click the URL in the message, you are taken to a website (Figure 2) that is apparently designed to look like the official SafeMoon site, its old version, to be exact. First reported by a Reddit user in August 2021, the domain name also mimics its legitimate counterpart, except that it adds an extra letter to the end in the hope that the difference will go unnoticed by most people in their hurry to get the required “update”. At the time of writing, the malicious site is still up and running.
Figure 2. The fake website (L) versus the legitimate one (R) from SafeMoon, August 2021 (source: web.archive.org)
All external links on the site are legitimate, except for possibly the most important one: the link that asks you to download the “official” SafeMoon app from the Google Play store. Instead of the SafeMoon app for Android devices, it downloads a payload that includes a fairly common piece of commercial Windows software that can be used for both legitimate and nefarious purposes.
When run, the installer (safemoon-app-v2.0.6.exe) drops several files onto the system, including a RAT called Remcos. While promoted as a legitimate tool, this RAT is also sold on underground forums, which earned it an official alert from US authorities shortly after the tool was released. When used for malicious purposes, a RAT is usually understood to mean a “remote access Trojan”.
Since then, Remcos has been deployed in various campaigns by both cybercrime and cyberespionage groups. In fact, just a few months ago, ESET researchers detected Remcos in what they called Operation Spalax, in which threat actors targeted a large number of organizations in Colombia.
As usual with RATs, Remcos gives the attacker a backdoor into the victim’s computer and is used to collect sensitive data from the victim. It is operated through a command and control (C&C) server whose IP address is embedded in the downloaded files. Remcos’s capabilities include stealing login credentials from various web browsers, keystroke logging, webcam hijacking, capturing audio from the victim’s microphone, downloading and executing additional malware on the machine, and more.
A cursory look at the RAT’s configuration file (Figure 5) gives an idea of its extensive functionality.
Put on your seatbelt
A few basic precautions will go a long way in keeping you safe from these scams:
- Beware of any unexpected communication, whether via email, social media, text messages or other channels
- Do not click on links in such messages, especially when they come from an unverified source
- Be alert for URL irregularities; it’s best to type them in yourself
- Use strong and unique passwords or passphrases and, where available, two-factor authentication (2FA)
- Use comprehensive security software
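Checking a link against a short allow-list before clicking is one way to act on the URL advice above and on the extra-letter domain trick described earlier in the article. The following Python script is an added example, not code from ESET or from the article; the domain names in it (safemoon.example, discord.example and the lookalikes) are constructed placeholders, since the article does not print the real domains. It generalizes the article's case slightly: besides an appended letter, it also reports a dropped or swapped character, and it treats a host that is more than one edit away (such as the trusted name reused as a subdomain of something else) as simply unknown rather than as a lookalike.

```python
"""Added example, not code from the ESET article: flag a URL whose host is
one character away from a domain you trust, which is the lookalike pattern
the article describes (the legitimate name with an extra letter on the end).
Every domain below is a constructed placeholder, not a real site."""

from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list of domains the reader trusts (placeholders).
TRUSTED_DOMAINS = {"safemoon.example", "discord.example"}


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare 'name.tld' is accepted too, and a
    leading 'www.' is dropped so it does not count as a difference."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def single_char_diff(trusted: str, candidate: str) -> Optional[Tuple[str, int, str]]:
    """Describe how candidate differs from trusted by exactly one character.
    Returns (kind, index, char) with kind in {'extra', 'missing', 'changed'},
    or None when the strings are equal or more than one edit apart.
    For runs of repeated letters the highest possible index is reported."""
    if trusted == candidate:
        return None
    if len(trusted) == len(candidate):
        diffs = [i for i, (t, c) in enumerate(zip(trusted, candidate)) if t != c]
        return ("changed", diffs[0], candidate[diffs[0]]) if len(diffs) == 1 else None
    if len(candidate) == len(trusted) + 1:          # one character inserted
        for i in reversed(range(len(candidate))):
            if candidate[:i] + candidate[i + 1:] == trusted:
                return ("extra", i, candidate[i])
        return None
    if len(trusted) == len(candidate) + 1:          # one character dropped
        for i in reversed(range(len(trusted))):
            if trusted[:i] + trusted[i + 1:] == candidate:
                return ("missing", i, trusted[i])
    return None


def classify_url(url: str) -> Tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', explanation)."""
    host = host_of(url)
    if host in TRUSTED_DOMAINS:
        return "trusted", f"{host} is on the allow-list"
    for trusted in sorted(TRUSTED_DOMAINS):
        diff = single_char_diff(trusted, host)
        if diff is None:
            continue
        kind, index, char = diff
        name_len = len(trusted.rsplit(".", 1)[0])   # label before the TLD
        if kind == "extra" and index == name_len:
            where = "appended to the end of the name"
        else:
            where = f"at position {index}"
        return "lookalike", f"{host} differs from {trusted}: {kind} '{char}' {where}"
    return "unknown", f"{host} is not on the allow-list and is not close to any trusted domain"


if __name__ == "__main__":
    # Constructed sample links: one genuine, one with an appended letter
    # (the article's pattern), one with a swapped character, one unrelated.
    for link in ("https://safemoon.example/app",
                 "https://www.safemoonn.example/download",
                 "http://safemo0n.example",
                 "https://safemoon.example.evil.example/"):
        verdict, why = classify_url(link)
        print(f"{verdict:9} {why}")
```

The allow-list approach is deliberately narrow: it only tells you that a host is near-identical to something you already trust, which is exactly the case where a hurried reader is most likely to be fooled. Anything else is reported as unknown and left for the reader to verify by typing the address themselves, as the precaution above recommends.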
When it comes to investing in cryptocurrencies, you should proceed with caution, and not just because the market is riddled with investment fraud, fake giveaways and other scams. But you surely know the drill already.
Indicators of Compromise (IoCs)
ESET products detect the files subsequently downloaded as part of the Remcos “package” as Win32/Rescoms.B.