BlockThreat - Week 42, 2019
Chainalysis | Algo | Graboid | Phorpiex | CryptOsint
This week we have observed an uptick in backdoored wallets and other software designed to steal users’ cryptocurrency assets. Other news includes a fascinating deep dive into the DOJ investigation into a child pornography ring, disappointing details on the Algo Capital hack, and lots of indicators for mining malware. Also don’t forget to subscribe to Bellingcat’s new CryptOsint Newsletter!
Crime
- Polish Police Arrest Head of Payment Processor Tied to Bitfinex Crypto Exchange - the latest news in the Crypto Capital saga, with the president of the company now in custody.
- Chainalysis in Action: DOJ Announces Shutdown of Largest Child Pornography Website - details of the shutdown of the “Welcome to Video” child pornography website based in South Korea, and of how tracing its Bitcoin payments was used to track down its users.
Hacks
- Statement from Algo Capital on the recent security breach - additional details on the recent hack. It appears that the attackers were able to gain access to the CTO’s mobile phone, which stored Trezor wallet seeds for Algo, USDT, and BTC funds.
Media
- Bellingcat CryptOsint Newsletter - a news round-up dedicated to covering open source intelligence on cryptocurrency topics.
- Unconfirmed - How Bitcoin Led to the Demise of the Largest Child Porn Site - an awesome episode with details on the IRS operation to shut down the largest child porn site and the use of tools like Chainalysis to assist in the investigation.
Malware
- Hiding Beneath the WAV - a report by Cylance describing a cryptominer campaign that uses steganography to hide XMRig miner and Metasploit payloads in WAV files. The loader is related to the Waterbug/Turla campaign previously reported by Symantec.
- Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub - a new cryptomining worm that spreads via unsecured Docker daemons. The worm installs a malicious Docker image which includes scripts to mine Monero.
Indicators:
- Fleecing the onion: Darknet shoppers swindled out of bitcoins via trojanized Tor Browser - a trojanized version of Tor Browser was used to spy on users and steal their bitcoins. The campaign targeted Russian-speaking darknet market users.
Indicators:
URLs:
torproect[.]org
tor-browser[.]org
onion4fh3ko2ncex[.]onion
Bitcoin Addresses:
3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ
3CEtinamJCciqSEgSLNoPpywWjviihYqrw
1FUPnTZNBmTJrSTvJFweJvUKxRVcaMG8oS
- In the Footsteps of a Sextortion Campaign - details of the Phorpiex malware spam campaign. The spam emails were unique in that they included the victims’ leaked online passwords and demanded a ransom in bitcoin in exchange for keeping webcam recordings private. The campaign may be related to the Save Yourself blackmail/cryptominer campaign reported earlier.
Indicators:
- SAFU Wallet is Malicious, Binance Warns Community Members - a malicious Chrome extension designed to steal cryptocurrency wallet private keys and passwords.
Indicators:
Attacker’s address: bnb168zhf9n3ve4mj35sgmtrvz54uyzc9r3e3xrder
- Backdoored ZecWallet - a malicious version of the Zcash wallet software is circulating, according to a PSA by the Electric Coin Company.
That’s all for this week in blockchain threat intelligence. Stay safe and see you all next week!