KEY POINTS

  • The threat was detected by Microsoft 
  • The malware amasses and extracts data
  • It targets non-custodial crypto wallets

Security researchers at Microsoft have forewarned cryptocurrency holders and investors of a new class of crypto-malware that steals data from hot wallets, that is, wallets kept on internet-connected devices.

Dubbed Cryware, the latest threat in the crypto space can be used by malicious actors to steal cryptocurrencies through fraudulent transfers to their preferred wallets. The team described the malware as "information stealers" that amass and extract data from hot or non-custodial wallets.

This kind of crypto wallet gives users sole custody of the private keys, which are what actually control their money on the blockchain. Users are no longer dependent on an exchange or other custodian, but they alone bear the risk of losing their funds if the private key is lost or stolen.


Owing to this, hot wallets are more attractive to hackers and other malicious actors. With Cryware, attackers who gain access to a hot wallet's keys can use them to move the crypto assets to their own wallets. The theft from this operation is irreversible.

Blockchain transactions, unlike credit card payments, have no mechanism to reverse fraudulent transfers or otherwise protect users from this kind of activity. "Cryware could cause severe financial impact because transactions can’t be changed once they’re added to the blockchain. As mentioned earlier, there also are currently no support systems that could help recover stolen cryptocurrency funds," Microsoft explained.

The team also revealed that for attackers to be able to find and identify sensitive wallet data, they "could use regexes, which are strings of characters and symbols that can be written to match certain text patterns." They also identified memory dumping as another technique used by malicious actors.
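To make the regex technique concrete, and to turn it into the check that the plaintext-key advice later in the article calls for, here is an added example written for this article; it is not code from Microsoft's report or from any wallet project. The patterns are heuristics of my own (a bare or 0x-prefixed 64-hex-character key, a Base58 WIF key, a 12- or 24-word lowercase phrase) rather than Microsoft's published regexes, the sample notes file is constructed and contains no real keys, and the scanner redacts each hit so that its own output does not become another plaintext copy:

```python
"""Scan text for wallet secrets stored in plaintext.

Added example for this article. The patterns are illustrative heuristics
written here, not Microsoft's published Cryware regexes, and the sample
input is constructed (none of the values below are real keys).
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Heuristic patterns for key material that commonly ends up in notes files,
# chat exports or browser storage. False positives are expected (for example
# any 64-character hex string); the point is to find candidates to review.
PATTERNS = {
    # 32-byte hex private key as used by Ethereum-style wallets, optionally 0x-prefixed.
    # The lookarounds stop a longer hex blob (a hash, a fingerprint) from matching partially.
    "hex_private_key": re.compile(
        r"(?<![0-9A-Fa-f])(?:0x)?[0-9A-Fa-f]{64}(?![0-9A-Fa-f])"
    ),
    # Bitcoin WIF private key: Base58 (no 0, O, I, l), 51 or 52 chars,
    # starting with 5 (uncompressed) or K/L (compressed). No checksum check here.
    "wif_private_key": re.compile(
        r"(?<![1-9A-HJ-NP-Za-km-z])[5KL][1-9A-HJ-NP-Za-km-z]{50,51}(?![1-9A-HJ-NP-Za-km-z])"
    ),
    # BIP-39 style recovery phrase: 24 or 12 lowercase words of 3-8 letters,
    # single-space separated. 24 is tried first so a long phrase is not cut to 12.
    "mnemonic_phrase": re.compile(
        r"\b(?:[a-z]{3,8} ){23}[a-z]{3,8}\b|\b(?:[a-z]{3,8} ){11}[a-z]{3,8}\b"
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    excerpt: str  # redacted, so the scanner's own output never re-leaks the secret


def redact(secret: str) -> str:
    """Keep a short prefix and suffix so a hit can be located without exposing it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every candidate secret in `text`, one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0))))
    return findings


def scan_path(root: Path, suffixes=(".txt", ".md", ".json", ".csv")) -> dict[str, list[Finding]]:
    """Walk `root` and scan text-like files; unreadable files are skipped."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample of a user's notes file; every value was made up for this example.
SAMPLE_NOTES = (
    "eth backup: 0x9f3c1e7a2b4d6f8019e2c3d4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4\n"
    "btc legacy: 5Jc7HfXkE9mQpR2sTvWxYz3AbCdEfGhJkMnPqRsTuVwXyZ12345\n"
    "seed: apple river candle mirror forest pencil orbit velvet summit garden hollow tiger\n"
    "todo: move these into the hardware wallet and delete this file\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_NOTES):
        print(f"line {f.line_no}: {f.kind} {f.excerpt}")
```

Run the module directly to scan the embedded sample, or call `scan_path(Path.home())` to walk a home directory for text-like files. Because the mnemonic pattern is only a shape check, ordinary prose with twelve short lowercase words in a row will also be reported; a hit is a prompt to review, not proof of a leak. Anything confirmed belongs in the wallet's encrypted storage or a hardware wallet, with the plaintext copy deleted.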

The technique, according to Microsoft, "takes advantage of the fact that some user interactions with their hot wallet could display the private keys in plaintext. This critical information might remain in the memory of a browser process performing these actions, thus compromising the wallet’s integrity." They noted, "such a scenario also allows an attacker to dump the browser process and obtain the private key."

Besides memory dumping, hackers can also use "clipboard tampering," in which the wallet address a user copies is silently swapped for the attacker's before it is pasted into a transaction, and can steal the wallet application's own storage files. On the latter, the researchers wrote that "a simple but effective way to steal hot wallet data is to target the wallet application’s storage files. In this scenario, an attacker traverses the target user’s filesystem, determines which wallet apps are installed, and then exfiltrates a predefined list of wallet files."

Microsoft recommended that non-custodial wallet users "lock hot wallets when not actively trading." It also enumerated several other steps users should take to avoid falling prey to attackers using Cryware.

These include disconnecting from sites linked to the wallet, avoiding "storing private keys in plaintext," being attentive and cautious when "copying and pasting information" so that a swapped destination address is caught before a transfer is sent, making sure that "browser sessions are terminated after every transaction" and choosing a hot wallet that supports multi-factor authentication (MFA).