On Monday, 14 March 2022 a friend contacted me. He had sent 0.255 bitcoin from a wallet on the Kraken exchange to VALR. Working on his laptop computer, he had both exchange websites open in his web browser and pasted the receiving address into the VALR website.
After 4 hours, when his bitcoin did not show up, he started getting worried. He contacted the VALR support team and logged a support ticket. The wallet he had sent the funds to is 3LH2UDkVdtb5hrmzzXd3mn7F2DMiBDknRQ. To his surprise the support team informed him that the wallet in question does not belong to their exchange at all. He had been duped! But how was this possible?
After chatting about the problem for a while and trying to retrace his steps, he found that every time he copied a wallet address, it would change almost instantly after pasting the data. We were onto something. After speaking to another information security (infosec) specialist, we reached a consensus that this must indeed be some form of malware running on his computer. According to Cisco, Malware is short for “malicious software,” and refers to any intrusive software developed by cybercriminals (often called “hackers”) that steals data and tries to damage or destroy computers and computer systems.
VALR’s customer support confirmed this – “As your PC has been compromised with Malware, it is prudent to do a security check across all your important accounts, such as your primary email address, banking, socials and cryptocurrency exchanges. The most we can do is blacklist the address and hope the funds get frozen if the hacker sends the BTC to a legitimate exchange.”
The malware is sophisticated in that every time a link is pasted, it generates a new wallet address.
One of the best qualities of bitcoin is that transactions cannot be reversed or charged back like with credit cards. With this power comes greater responsibility and the security burden is on the user. This responsibility cannot be outsourced or neglected.
Another great quality of bitcoin is the public ledger. If and when the funds move in future we’ll be able to track it. In this sense, the blockchain is very transparent, evn more than the traditional financial system.
The scary part is that this could have happened to anyone. My friend is not a beginner user and has traded with bitcoin since 2018.
Panic stations
The remedy the problem the user ran a malware scan on his laptop using Malwarebytes, an anti-malware software.
The logs included the following suspicious content:
-System Information- OS: Windows 10 (Build 19043.1586) CPU: x64 File System: NTFS User: LAPTOP-XXXXXXXX\user Threats Detected: 31 Registry Key: 6 Malware.Heuristic.1003, ... Folder: 8 PUP.Optional.Delta, ... PUP.Optional.ASK, ... PUP.Optional.Delta, ... PUP.Optional.ASK, ... PUP.Optional.WinYahoo, ... PUP.Optional.Delta, ... PUP.Optional.Babylon, ... PUP.Optional.ASK, ... File: 17 PUP.Optional.Delta, ... Malware.Heuristic.1003, C:\PROGRAM FILES (X86)\ELICENSER\POS\SYNSOPOS.EXE, ... PUP.Optional.ASK, ... PUP.Optional.WinYahoo, ... PUP.Optional.Babylon, ...
According to Malwarebytes, PUPs are potentially unwanted programs. Detections categorized as PUP.optional are not considered as malicious as other forms of malware, and may even be regarded by some as useful.
The infosec specialist advised that the user would have to backup all their data as the operating system had been compromised and the malware would most likely still operate after trying a quick fix. Turns out he was right – after removing all the malware on the list, the malware persisted and was still hijacking pasted wallet addresses. When you reinstall Windows, it will erase the system files but retain your home directory, leaving that data in tact. It appeared the malware buried itself in the home directory to keep it persistent. One of the goals of threat actors is to write code that is persistent and by that we mean their code will run after the system reboots or the operating system re-installs. This way the threat actor can be more efficient and effective with what they want to achieve.
The user wiped their entire drive and did a clean install of the operating system. Only after this could they user their computer safely again.
A new malware scan after the thorough cleanup revealed the following:
Threats Detected: 24 Registry Key: 0 (No malicious items detected) Folder: 8 PUP.Optional.Delta, ... PUP.Optional.Babylon, ... PUP.Optional.ASK, ... PUP.Optional.WinYahoo, .... File: 16 PUP.Optional.Delta, ... PUP.Optional.Babylon, ... PUP.Optional.ASK, ... PUP.Optional.WinYahoo
The only distinct difference between the scans was the Malware.Heuristic.1003 registry entries and the modified .exe file:
Malware.Heuristic.1003, C:\PROGRAM FILES (X86)\ELICENSER\POS\SYNSOPOS.EXE
Malwarebytes detects unknown threats as Malware.Heuristic. A quick Google search revealed that Synsopos application is a Syncrosoft’s License Control for Steinberg Cubase, a digital audio workstation (DAW) for music recording. The user had installed a modified or unlocked copy of the software a year prior from the internet. The filename of the software is Steinberg Cubase Pro 10.5.0 TEAM-DC RC3 10.5.0 [WiN x64].
The most likely attack vector was this piece of software. It’s is impossible to tell if the malware shipped with the installer or was later downloaded without forensic analysis of the hard drive and software package.
This type of attack is not new. Back in 2018, TechCrunch reported on malware that hijacks your Windows clipboard to change crypto addresses.
Advice
Here is some handy advice on how to avoid this happening to you:
- When pasting Always check the first 4 – 6 characters and the last 4 – 6 to ensure that they match. Even better, check everything. Trust no one. Always verify everything.
- There is also an open-source tool called Echohash, which makes wallet addresses human readable. This is an easy way to compare wallet addresses and minimise risk.
- Using a hardware wallet also allows confirmation of the output address on its own display and minimizes the risk of having to copy and paste addresses.
- Always send a small test transaction when sending crypto to a new wallet for the first time (whether it belongs to you or someone else)
When I posed this question to the infosec expert, he had this to share:
Keep an eye on PDF’s, office docs and of course any pirated software that could haven some other code inside of it. Always make sure you are using the latest version of your preferred web browser. As a precaution I always use OpenDNS servers which will sometimes stop malware or malicious websites. Their IP’s are: 208.67.222.222 and 208.67.220.220. Of course make sure Windows Defender is always on, updated and if you value your crypto I recommend an aftermarket anti-malware solution. Symantec’s offerings have impressed me in the past but you can always shop around. Always make sure all your software is updated and patched to the current date.
Update:
CoinTelegraph ran a nice article on this whole story. https://cointelegraph.com/news/bitcoin-stealing-malware-bitter-reminder-for-crypto-users-to-stay-vigilant
