Malicious software masquerading as a Python-based trading bot has reportedly targeted cryptocurrency traders in a multifaceted supply chain attack. As attackers refine their methods, incidents are escalating alongside a recovery in cryptocurrency market volumes.
Attack Methods
According to a recent blog post by cloud-based cybersecurity firm Checkmarx, cryptocurrency traders have been targeted by sophisticated malware disguised as AI-based crypto trading software. The malware aims to steal sensitive data and drain crypto wallets.
Checkmarx noted that the malware was distributed via GitHub and PyPI (the Python Package Index, the central repository for Python packages), and that it targeted both Windows and macOS systems.
Technical Details of the Attack
The malware employs misleading graphical user interfaces (GUIs) to confuse victims and follows a multi-stage infection process that directs users to a fake website. The attackers prepare elaborate narratives and procedures to obtain investors' information through an application that pretends to be a trading bot. Checkmarx stated, “The CryptoAITools malware uses a fake website to lure victims into the trap of secondary malware, employing a sophisticated multi-stage infection process.”
“The CryptoAITools malware includes a graphical user interface (GUI) as a key component of its social engineering strategy. When the second-stage malware is activated, it introduces itself as the ‘AI Bot Starter’ application. This staged approach confuses users and collects sensitive information without directly deploying the virus.” – Checkmarx
The attacker also created a Telegram channel posing as technical support for the product, aiming to build trust by enticing users with free trial offers.
“In the Telegram chat, the attacker uses various tactics to lure potential victims. By offering ‘bot support,’ they establish credibility and reputation. They promote the GitHub code repository as the ‘strongest bot’ to appeal to those seeking advanced trading tools.” – Checkmarx
Checkmarx warned that the malware could have “significant” consequences for victims, potentially leading to identity theft, theft of browser data, access to sensitive files on the computer, and theft of crypto assets. These tactics therefore threaten the security of cryptocurrency traders and highlight the need for caution. Users should avoid downloading software from unreliable sources and steer clear of suspicious links. Keeping antivirus software up to date and implementing additional security measures such as two-factor authentication are also beneficial.