Hackers Launch Widespread Botnet Attack on Crypto Wallets Using Cheap Russian Malware

With millions of dollars of cryptocurrency stolen from crypto wallets every year, security researchers were surprised to find one active botnet being sold for about $160.

The bargain Trojan malware is called MasterMana Botnet, which uses mass mailing to send phishing emails with attachments containing malicious code to crypto investors. Once someone clicks on the email, the code will create backdoors on their computer to empty their wallets, according to a recent research conducted by Prevailion.

"Based on what we've observed, the MasterMana Botnet had a global impact on organizations across a wide variety of verticals," Danny Adamitis, intelligence director at Prevailion, told CoinDesk.

"We assess that the Botnet was interacting with approximately 2,000 machines a week, or 72,000 machines over the course of 2019, based on the snapshot we observed," Adamitis said.

The research saw references in the code that indicated the threat actors could have Trojanized a version for the major Microsoft file formats, including Word, Excel, PowerPoint and Publisher.

Based upon exhibited tactics, techniques, and procedures (TTPs), the researchers have associated it with the “Gorgon Group”, a notorious hacker collective active for numerous years that has been known for cybercrime and intelligence operations

“The cost for the threat actors to deploy and maintain the campaign was virtually nonexistent,” Prevailion said in the research report. The hackers would need to spend $60 on leasing a Virtual Private Server and $100 Trojan AZORult from Russia-based cyber-crime forums, Prevailion said.

The research suggested the cost for earlier attacks could have been cheaper as they used a similar Trojan called Revenge Rat which had been free through Sept. 15.

A higher-than-average success rate for such attacks depends on the version of the Trojan the hackers are using in the campaign.

“Based on the level of sophistication displayed in this campaign, we believe that the threat actors struck a sweet spot,” the report said.

In other words, the hackers stay under the radar by avoiding popular commodity malware such as Emotet, while using a slightly older Trojan that is still sophisticated enough to evade most security software detection.

According to the research, the campaign was still active as late as Sept. 24 and it suspects that this particular threat actor is likely to continue operations, as previous public reporting has not deterred them.

"We recommend that cryptocurrency investors need to remain particularly vigilant in protecting their personal computer. Having two factor authentication, such as a hardware token is recommended when that option is available," Adamitis said.