Anubis Malware Attacking Crypto Wallets

Published: September 4th, 2020

A new malware named Anubis is wreaking havoc across the crypto world. First circulated for sale in June on darknet cybercrime marketplaces, it reuses code forked from the Loki malware to steal cryptocurrency wallet IDs, credit card numbers and personal data.

Cyber experts have also been quick to point out that this crypto-focused Anubis isn't the same as the Android banking malware of the same name.

After being downloaded, it gathers and sends stolen user information to a command and control server. Analysis by Microsoft shows that Anubis has been able to capture data including usernames and passwords, cryptocurrency wallet IDs and credit card info.

How to avoid Anubis

Anubis is the latest entry on a growing list of malware families that look for cryptocurrency accounts that may be vulnerable to breach.

While Microsoft is conducting analysis, the information available to security experts about the Windows version of Anubis has so far been limited.

Analysts say the original Loki that Anubis is based on spread through phishing emails carrying .iso attachments. The emails were made to look like online order confirmations and were sent to publicly available business email addresses. Once running on a PC, the code captures user keystrokes and picks the login and financial details out of them.

Anyone wanting to steer clear of Anubis should avoid opening unexpected emails or their attachments. Anything that arrives in your inbox that seems unfamiliar should be treated as potentially threatening and as possibly containing bad links or code.
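The two paragraphs above describe the delivery mechanism (an order-confirmation lure with an .iso attachment) and the advice to distrust unfamiliar attachments. The following is an added example, not code from the article or from Microsoft, showing how a mail gateway can screen for that lure type: it parses an RFC 5322 message with Python's standard `email` package and holds the message if any attachment uses a risky container or executable extension. The message, addresses (reserved `.invalid` domains) and the `RISKY_EXTENSIONS` list are all constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types worth holding for review before they reach a user's inbox.
# .iso is the container the Loki lures used; the rest are common executable or
# script containers.  The list itself is an assumption for this example.
RISKY_EXTENSIONS = {".iso", ".img", ".exe", ".scr", ".js", ".vbs", ".lnk", ".bat"}


def build_sample_message(filename: str = "Order_Confirmation.iso") -> bytes:
    """Construct an order-confirmation-style lure with one attachment.

    Addresses use the reserved .invalid TLD and the attachment body is padding,
    not a real disc image.  This is a constructed sample, not a captured one.
    """
    msg = EmailMessage()
    msg["From"] = "orders@shop.example.invalid"
    msg["To"] = "accounts@company.example.invalid"
    msg["Subject"] = "Your order confirmation #48213"
    msg.set_content("Thank you for your order. The confirmation is attached.")
    msg.add_attachment(b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def risky_attachments(raw: bytes) -> list:
    """Return the filenames of attachments whose extension is in RISKY_EXTENSIONS.

    The check is case-insensitive and keys on the final extension, so a
    double-extension name such as 'invoice.pdf.ISO' is still caught.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold the message if any attachment is a risky container."""
    return bool(risky_attachments(raw))


if __name__ == "__main__":
    lure = build_sample_message()
    print("quarantine:", should_quarantine(lure), risky_attachments(lure))
    clean = build_sample_message("Order_Confirmation.pdf")
    print("quarantine:", should_quarantine(clean), risky_attachments(clean))
```

Keying on the filename's final extension rather than the declared MIME type matters here: lures usually declare a generic `application/octet-stream`, and a disc image is only dangerous because the desktop will mount it and expose the executable inside, so the container extension is the signal a filter can act on.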

If you don’t have anti-virus software installed, it’s time to add one, they say – and make sure virus definitions and patches are up to date. Crypto users should be particularly careful and access any bank accounts or wallets using secure or privacy-assured browsers.

As with many emerging cyber threats, Anubis does what it can to stay in the shadows. If you suspect you might be infected, search for suspicious files and watch for unexpected system processes using a larger than normal percentage of processing power.

Microsoft said in an announcement it had updated its Defender anti-virus software to detect Anubis malware. Redmond is also monitoring for indications that the malware is spreading.

Mac and Linux users should take particular care to avoid visiting websites they’re unsure of or emails with odd attachments or links. The latest version of Microsoft’s Edge browser also provides added protection against crypto miners.

Cyber pros look for tell-tale signs of compromise when analysing any system, such as unexpected volumes of outbound network traffic from a device or other non-standard activity on a user account.
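The advice above (unexpected processes using more CPU than normal, suspicious files, and unusual outbound traffic) translates into a simple triage rule set. The following is an added example, not from the article or any vendor, that runs three such indicators over a constructed snapshot of per-process CPU and egress figures: a CPU threshold, egress far above the median of the other processes, and an image running from a user-writable directory. The `ProcessSample` fields, the sample rows, the process name `winupdate32.exe` and the path markers are all assumptions made for the example.

```python
import statistics
from dataclasses import dataclass


@dataclass
class ProcessSample:
    """One process observed over a sampling window (fields are assumptions)."""
    pid: int
    name: str
    path: str           # image path on disk
    cpu_percent: float  # share of CPU over the window
    bytes_out: int      # bytes sent to remote hosts over the window


# Path fragments where a freshly dropped binary usually lands; a legitimate
# service rarely runs from here.  Assumed markers for this example.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")

# Constructed sample: a quiet desktop plus one unfamiliar process that is
# burning CPU and pushing far more data out than anything else.
SAMPLES = [
    ProcessSample(412, "explorer.exe", "C:\\Windows\\explorer.exe", 1.2, 2_048),
    ProcessSample(988, "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", 7.5, 310_000),
    ProcessSample(1320, "OneDrive.exe", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", 0.8, 54_000),
    ProcessSample(2044, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", 0.4, 1_200),
    ProcessSample(3172, "winupdate32.exe", "C:\\Users\\alice\\AppData\\Roaming\\winupdate32.exe", 41.0, 9_800_000),
]


def flag_suspicious(samples, cpu_threshold=25.0, egress_multiplier=10):
    """Map pid -> list of reasons for every process that trips an indicator.

    Egress is judged against the median of all sampled processes rather than a
    z-score: with a handful of samples one large outlier inflates the population
    standard deviation so much that its z-score can never exceed sqrt(n - 1).
    """
    if not samples:
        return {}
    median_out = statistics.median(s.bytes_out for s in samples)
    findings = {}
    for s in samples:
        reasons = []
        if s.cpu_percent >= cpu_threshold:
            reasons.append(f"cpu {s.cpu_percent:.0f}% >= {cpu_threshold:.0f}% threshold")
        if median_out > 0 and s.bytes_out >= egress_multiplier * median_out:
            reasons.append(f"egress {s.bytes_out} B >= {egress_multiplier}x median ({median_out:.0f} B)")
        if any(marker in s.path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("image runs from a user-writable directory")
        if reasons:
            findings[s.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_suspicious(SAMPLES).items():
        name = next(s.name for s in SAMPLES if s.pid == pid)
        print(f"pid {pid} ({name}):")
        for r in reasons:
            print("  -", r)
```

On the sample data only the unfamiliar process trips all three rules; the browser sends a fair amount of data but stays under ten times the median, and OneDrive lives under `AppData\Local\Microsoft`, not the Temp or Roaming markers, so neither is flagged. Any one indicator alone is weak evidence; the value is in a process matching several at once.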

Malware that targets crypto users

While malware is nothing new and major breaches appear in the news almost every week, cryptocurrency users are increasingly finding themselves in cybercrime’s crosshairs.

Bitfinex says it’s seen an uptick in the number of malware forms trying to breach user devices. Such malware usually goes after passwords and personal info, but increasingly it also looks for evidence of cryptocurrency holdings on the system.

Crypto users tend to be pretty tech-savvy and often use difficult-to-hack hardware wallets to store their seed info. A novice user, however, might keep seed info stored on their computer hard drive, where it’s more vulnerable to malware. If the machine’s browser has a password manager, the malware will try to access it and steal the information.

Another mode of attack is to look on PCs for a blockchain node with an unprotected wallet file. By using a keystroke logger, the malware may be able to capture the password that protects the wallet and access whatever is inside.

As crypto moves closer to mass adoption, poor end-user security practices threaten to make consumer crypto wallets even easier to crack than bank accounts and credit cards. The recent surge in interest in bitcoin and ether could see a rise in new ‘soft targets’ who are more susceptible to malware attacks.

New vulnerabilities from the pandemic

As more people make the shift to working remotely in the aftermath of the coronavirus pandemic, the additional time spent online and the growing number of digital systems in daily use is likely creating more opportunity for cybercriminals.

A recent report from Malwarebytes shows a jump in breaches by malware that targets remote desktop access since the pandemic began. One bot called AveMaria grew its infection footprint by 1,219% between January and April over the previous year.

Some cybersecurity experts say that coronavirus has likely changed the attack vectors for malware forever, meaning the previous models for identifying and defending against attacks will be less effective.

Most malware infects user devices using phishing emails with malicious URLs in the body. As bad as Anubis is, it infects systems through email attachments, which are easier to see and monitor for malware. Simple phishing emails that rely on bad URLs outnumber those with dodgy attachments by a factor of five to one, according to Malwarebytes.

Meanwhile, the threat intelligence systems run by the world’s cybersecurity firms to track threats and potential threats often contain the same information. Some license their data to other security vendors, meaning everyone is relying to some extent on the same recycled information rather than working to identify new and emerging threats.

A cyber-criminal creating targeted spear-phishing emails and unique URLs to attack a specific company is unlikely to be picked up by these systems before the damage is done.

Industry estimates suggest phishing attacks have an average lifespan of about seven minutes, as cybercriminals are using AI and automation to generate new attacks on a rolling basis. Cybersecurity companies typically need three days to identify new attacks, and longer to understand their potential for damage.

In the wake of Anubis and the raft of new crypto-focused malware that's sure to follow, crypto users are advised to adopt measures like two-factor authentication (2FA) and strong passwords to protect their wallets.