Cryptocurrency investors, beware! Two malicious files — MortalKombat ransomware and Laplas Clipper malware — have been actively scouting the Internet with the purpose of stealing cryptocurrencies from unwary investors.

Anti-malware vendor Malwarebytes noted that since December last year, two new malicious programs have been actively propagated by unknown sources. It further said that these programs have been targeting crypto investors in a desktop environment.

The threat intelligence research team, Cisco Talos, further reveals that the campaign’s victims are mostly located in the United States, with a smaller percentage of victims found in the United Kingdom, Turkey, and the Philippines, as can be seen in the image below:

Victimology of the malicious campaign (IMAGE CREDIT: www.investing.com)

The two pieces of malicious software work in tandem to intercept information stored in the user’s clipboard, which is usually a string of letters and numbers copied by the user. The infection then detects wallet addresses copied onto the clipboard and replaces them with a different address.

The attack relies on the user not noticing that the wallet address has changed before sending, so the cryptocurrency goes to the unidentified attacker instead. With no obvious target, the attack spans individuals as well as small and large organizations.
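As an added illustration of the clipboard substitution described above (this is not code from the article, Talos or Malwarebytes), the following Python shows the defender-side check a clipboard guard would make: compare what the user copied with what the clipboard holds at paste time and flag an address that has been swapped for another of the same format. The address patterns (Bitcoin legacy/bech32 and Ethereum only) and the sample values are assumptions and constructed data.

```python
import re
from typing import List, Optional, Tuple

# Address formats a clipper looks for. Assumption: only Bitcoin (legacy and
# bech32) and Ethereum formats are covered; other chains are out of scope.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the wallet-address format a string matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def check_paste(copied: str, clipboard_now: str) -> str:
    """Classify a copy/paste pair the way a clipboard guard would.

    'ok'          : clipboard still holds exactly what the user copied
    'not_address' : the copied text was never a wallet address (no risk here)
    'substituted' : an address was replaced by a different address of the same
                    format, which is the clipper behaviour the article describes
    'changed'     : the clipboard changed in some other way; worth a look
    """
    if copied.strip() == clipboard_now.strip():
        return "ok"
    kind = address_kind(copied)
    if kind is None:
        return "not_address"
    if address_kind(clipboard_now) == kind:
        return "substituted"
    return "changed"


def audit(events: List[Tuple[str, str]]) -> List[int]:
    """Run check_paste over recorded (copied, clipboard_at_paste) pairs and
    return the indexes of the events that need the user's attention."""
    flagged = ("substituted", "changed")
    return [i for i, (c, n) in enumerate(events) if check_paste(c, n) in flagged]


# Constructed sample events; the addresses are synthetic, not real wallets.
SAMPLE_EVENTS = [
    ("bc1q" + "z" * 38, "bc1q" + "z" * 38),            # untouched bech32 address
    ("0x" + "11" * 20, "0x" + "22" * 20),              # swapped for another ETH address
    ("hello world", "hello world"),                    # ordinary text, no address
    ("1" + "A" * 30, "some other text"),               # address replaced by non-address
]
```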

Once infected, the MortalKombat ransomware encrypts the user’s files and drops a ransom note with payment instructions, as can be seen below:

Ransom note dropped by the MortalKombat ransomware (Source: Cisco Talos)

After revealing the download links (URLs) associated with the attack campaign, the Talos report also said: “One of them reaches an attacker-controlled server via IP address 193[.]169[.]255[.]78, based in Poland, to download the MortalKombat ransomware.”

According to Talos’ analysis, 193[.]169[.]255[.]78 is running an RDP crawler, scanning the Internet for exposed RDP port 3389.

Malwarebytes explains that the ‘tag-team campaign’ usually starts with a cryptocurrency-themed email containing a malicious attachment. When opened, the attachment runs a BAT file that downloads and executes the ransomware.

On the flip side, as ransomware victims continue to refuse extortion demands, ransomware revenues for attackers plummeted 40% to US$456.8 million in 2022.

Total value extorted by ransomware attackers between 2017 and 2022. (Source: Chainalysis)

While revealing this information, Chainalysis said that the figures don’t necessarily mean that the number of attacks has gone down from the previous year.

Today, thanks to the early detection of this malware, cryptocurrency investors can proactively prevent the attack from impacting their financial well-being.

Cisco Talos advises investors to perform extensive due diligence before investing and to verify that communications come from an official source.

By Ralph Fajardo

Ralph is a dynamic writer and marketing communications expert with over 15 years of experience shaping the narratives of numerous brands. His journey through the realms of PR, advertising, news writing, as well as media and marketing communications has equipped him with a versatile skill set and a keen understanding of the industry. Discover more about Ralph's professional journey on his LinkedIn profile.