How to protect yourself from Cryware: Microsoft warned crypto investors about new malware

The Microsoft 365 security team has reported an increase in the activity of a new type of malware and methods called Cryware that allow you to steal assets from hot crypto wallets.

With the help of Cryware, it says in report research group, the attackers search for crypto-currency software on the attacked devices, and also collect and extract critical data to access the future victim’s hot crypto-currency wallets.

To search for hot wallet data such as private keys, passphrases and addresses, attackers can use patterns that include typical expressions, words, or a set of characters, given that they usually match a certain pattern.

In 2021 a Reddit user published a message that he lost $78,000 worth of ether due to the fact that he kept the original phrase of his wallet in an insecure place. An attacker gained access to the target’s device and installed a Cryware program that detected confidential data.

Having gained access to hot wallet data, attackers are able to use it to quickly transfer cryptocurrency to their own wallets. Unfortunately for the former owners of these assets, such theft is irreversible: transactions on the blockchain are final, even if they were made without the consent or knowledge of the user. In addition, unlike most other financial transactions, there are currently no available mechanisms that could help cancel fraudulent cryptocurrency transfers or protect users from them.

Possible Cryware attack scenarios:

Clipping and switching

The Cryware program monitors the contents of the user’s clipboard and uses string search patterns to find and identify a string resembling a hot cryptocurrency wallet address. If the user pastes or uses CTRL + V in the application window, then Cryware replaces the object on the clipboard with the attacker’s address.

Extracting data from a memory dump

Attackers examine a memory dump, which in some cases can display private keys in clear text. Critical information can remain in the memory of the browser process that performs these actions, and the script allows an attacker to unload the browser process and obtain the private key.

Theft of wallet files

The easiest, but no less effective way to steal hot wallet data is to attack the application’s storage files. In this scenario, the attacker browses the target user’s file system, determines which wallet applications are installed, and then extracts a predefined list of files for hacking.

· Browser web wallet files.

Since some hot wallets are installed as browser extensions using unique identifiers and extensions, it is quite easy for an attacker to locate the web wallet storage where the user’s encrypted private key is stored.

· Desktop wallet files.

Some hot wallets are installed directly on the user’s computer device. However, private keys, just like in the browser version, are stored locally in application storage files specific to each wallet.

· Wallet passwords.

It has been noticed that some users do not bother to remember passwords and store them, passphrases and private keys not only in password management applications, but even in the form of browser autofill data. Attackers can simply log into an infected device to find locally installed password managers. Or exfiltrate browser data that could potentially contain saved passwords.

Keylogging

Another popular and widely used technique for stealing information is keylogging. Like other malware that uses this method, the keylogging program usually runs in the background and logs keystrokes entered by the user. It then sends the collected data to a C2 server controlled by the attackers.

Preventive measures against Cryware

Microsoft security experts suggest that owners of cryptocurrency assets take the following steps to protect confidential information from the effects of criminal software Сryware:

• Block the active operation of crypto wallets when you are not conducting financial transactions.
• Disconnect sites connected to the crypto wallet during downtime. The hot wallet disable feature ensures that a website or app does not interact with a user’s wallet without their knowledge.
• Refrain from storing private keys. Never store seed phrases on your device or in the cloud in clear text.
• Be careful when copying and pasting information. When copying the wallet address for a transaction, double-check whether the address value really matches the one specified in the wallet.
• Make sure browser sessions are ended after each transaction so that the private key is not left in the memory of the browser process. It is also necessary to properly close or restart browser processes after importing the keys.
• Consider using cryptocurrency wallets that implement multi-factor authentication (MFA). This will prevent attackers from entering wallet applications without the correct level of authentication.
• Be aware of the possibility of a phishing attack, so be careful with links to wallet websites and applications.
• Double-check the transactions and approvals of the hot crypto wallet several times. Verify that the contract requiring approval has actually been initiated.
• Under no circumstances share private keys or seed phrases with third parties.
• Use a hardware wallet if it doesn’t require an active connection to the device. Hardware wallets store private keys offline.
• Check the extensions of downloaded and saved files. To do this, Windows needs to enable “File Name Extensions” in File Explorer’s “View” section to see the actual file extensions on the device.

Earlier, digital security researcher 3xp0rt published an article on his blog about how the Mars Stealer Trojan virus attacks browser-based crypto wallets. In March, Russian law enforcement agencies reported the arrest of suspects in the development of a computer virus to steal assets from crypto wallets. The attackers sent future victims a link to a special program that compromised data and passwords from crypto wallets.