The RAT is designed to help its masters steal Bitcoins

Dec 12, 2013 15:55 GMT

A security researcher from Arbor Networks has analyzed an interesting malicious app that’s designed to steal Bitcoin-related information from infected machines.

Kenny MacDermid came across the app after receiving spam messages that advertised a site called bitcoin-alarm.net.

The website promotes an application called BitCoin Alarm. The program is allegedly designed to inform users via SMS of any changes in the Bitcoin market. However, a closer inspection has revealed that the app has a totally different agenda.

The program is served to users as a RAR archive file. The archive contains a number of files, including an executable called winupdate.exe, which is developed in the AutoIt scripting language.

At first sight, the application appears to be harmless. In reality, as soon as it’s executed, the malicious software starts looking for the presence of Avast antivirus software.

If Avast Antivirus is installed on the infected computer, the threat goes to sleep for 20 seconds, most likely in an effort to evade detection.

Other curious-looking methods contained in the file include “disable_uac,” “anti_hook,” “persistence,” “botkiller,” “downloader” and “disable_syste_restore.” These names hint that the bogus Bitcoin Alarm application is up to no good.

The main payload is a Remote Access Trojan called NetWiredRC. This RAT is designed to harvest login information from infected computers. In this case, the attacker is likely after information that can be used to steal Bitcoins.

Initially, the threat was identified only by Kaspersky solutions. However, when MacDermid published his post on the Arbor blog, 14 of the engines on VirusTotal detected the malware.

The expert has also reported the domain that the malware is communicating with, bitcoins.dd-dns.de, to several scanners to make sure it’s blacklisted.
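The indicators the article reports (the function names found in winupdate.exe and the C2 domain bitcoins.dd-dns.de) lend themselves to a simple defensive triage. The script below is an added example, not code from Arbor Networks or from MacDermid's post: it checks text extracted from a decompiled AutoIt script for the listed function names, and scans DNS resolver log lines for lookups of the C2 domain or any of its subdomains. The log-line format, the sample script, the sample log and the match threshold are all constructed for this example and are not taken from the article.

```python
"""Static triage of an AutoIt-based dropper plus C2 lookups in DNS logs.

Added example, not from the Arbor Networks write-up. It matches the
function names and the C2 domain the article reports against (a) text of
a decompiled AutoIt script and (b) DNS resolver log lines. The sample
script, the log format and the threshold are constructed assumptions.
"""
import re

# Function names the article reports inside winupdate.exe.
# "disable_syste_restore" is kept exactly as the article spells it.
SUSPICIOUS_FUNCS = frozenset({
    "disable_uac", "anti_hook", "persistence", "botkiller",
    "downloader", "disable_syste_restore",
})

# C2 domain reported in the article; its subdomains are matched as well.
C2_DOMAINS = frozenset({"bitcoins.dd-dns.de"})

# AutoIt declares a function as `Func name(...)`; the keyword is case-insensitive.
_FUNC_DECL = re.compile(r"^\s*Func\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(", re.I | re.M)


def autoit_functions(script_text):
    """Return the lowercase names of every function declared in an AutoIt script."""
    return {m.group(1).lower() for m in _FUNC_DECL.finditer(script_text)}


def triage_script(script_text, threshold=3):
    """Flag a script whose declared functions overlap the indicator list.

    Returns (verdict, sorted matched names). The threshold of three matches
    is an assumption of this example, not a figure from the article.
    """
    hits = autoit_functions(script_text) & SUSPICIOUS_FUNCS
    verdict = "suspicious" if len(hits) >= threshold else "clean"
    return verdict, sorted(hits)


def is_c2_domain(qname):
    """True if qname equals, or is a subdomain of, a known C2 domain."""
    q = qname.lower().rstrip(".")  # tolerate a trailing dot and mixed case
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


# Constructed log format: "<timestamp> <client-ip> query <qname> <type>"
_DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines):
    """Return (client_ip, qname) for each log line that queries a C2 name."""
    hits = []
    for line in lines:
        m = _DNS_LINE.match(line.strip())
        if m and is_c2_domain(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits


# Constructed sample script, shaped after the article's description of the dropper.
SAMPLE_SCRIPT = """
Func _StartAlarm()
    ; decoy: the advertised SMS alert feature
EndFunc
func disable_uac()
EndFunc
Func anti_hook()
EndFunc
Func persistence()
EndFunc
Func downloader()
EndFunc
"""

# Constructed sample resolver log; only two lines involve the C2 domain.
SAMPLE_DNS_LOG = [
    "2013-12-10T09:14:02Z 10.0.0.21 query www.example.com A",
    "2013-12-10T09:14:05Z 10.0.0.21 query bitcoins.dd-dns.de. A",
    "2013-12-10T09:15:11Z 10.0.0.37 query update.bitcoins.dd-dns.de A",
    "2013-12-10T09:15:12Z 10.0.0.37 query dd-dns.de A",
]

if __name__ == "__main__":
    print(triage_script(SAMPLE_SCRIPT))
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
```

The domain match deliberately requires an exact label boundary, so the parent zone dd-dns.de (a dynamic DNS provider hosting many unrelated names) is not flagged, while hosts under bitcoins.dd-dns.de are.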