The recent surge in Bitcoin's price and popularity is being exploited by attackers who use a fake advertisement for a Bitcoin trading bot to lure victims, according to researchers. Despite its appearance, the ad delivers Orcus RAT (short for remote access trojan), which infiltrates the victim's system and is used to steal Bitcoin from the infected machine.
At the time this post was first published, Bitcoin was trading just above US$16,000, an all-time high.
Trading bots for the cryptocurrency monitor price differences between exchanges and trading platforms. When a profitable opportunity appears, they automatically buy and sell Bitcoin on those platforms within the limits and restrictions the customer has configured.
A team of Fortinet researchers discovered the new phishing campaign, which abuses the name of Gunbot, a legitimate trading bot created by the developer GuntherLab.
The researchers report that the real purpose of the fake promotion is to deliver Orcus RAT, which in turn steals Bitcoin. The e-mail carrying the fake promo comes with a .zip archive; once extracted (with WinRAR, for example), it contains a file named “sourcode.vbs”, a plain VBScript. When run, the script downloads what looks like a .jpg image; in reality the file is a PE (Windows executable) binary. According to Fortinet, the comments left in the script show that the attackers made no attempt to hide their intention of abusing the Gunbot name. The researchers speculate that the attackers either bought the script elsewhere and ran it as-is, or simply do not care about being discovered as long as someone opens the file.
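Two indicators from this delivery chain are easy to check for automatically: an archive that carries a Windows script as its only "document", and an "image" whose bytes begin with a PE header rather than a JPEG header. The snippet below is an added example written for this page, not Fortinet's code and not the actual sample; the archive and the two "images" it inspects are constructed in memory so that it runs offline.

```python
"""Flag two indicators of the Gunbot lure: a ZIP carrying a Windows script
(e.g. sourcode.vbs) and a '.jpg' whose bytes are really a PE executable.
Added example; sample archive and file contents are constructed inline."""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional

# Script extensions that commonly act as first-stage droppers on Windows.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
               ".ps1", ".bat", ".cmd", ".scr"}

# Magic bytes for types an image extension might be lying about.
# Order matters: the first prefix that matches wins.
MAGIC = {
    b"MZ": "pe",                      # DOS/PE executable header
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"PK\x03\x04": "zip",
}
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """If `name` claims an image but the bytes say otherwise, return the real type.

    Returns None for non-image names and for images whose bytes match the claim.
    """
    ext = PurePosixPath(name).suffix.lower()
    claimed = IMAGE_EXTS.get(ext)
    if claimed is None:
        return None
    actual = sniff(data)
    return actual if actual != claimed else None


def scripts_in_zip(data: bytes) -> List[str]:
    """List archive members with a Windows script extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if PurePosixPath(n).suffix.lower() in SCRIPT_EXTS]


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Gunbot_promo/README.txt", "Gunbot trial, run sourcode.vbs")
        zf.writestr("Gunbot_promo/sourcode.vbs", 'MsgBox "demo"')
    return buf.getvalue()


# Constructed stand-ins: a genuine JPEG header and a PE stub disguised as a JPEG.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
FAKE_JPEG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"

if __name__ == "__main__":
    print("scripts in archive:", scripts_in_zip(build_sample_zip()))
    for fname, blob in (("photo.jpg", REAL_JPEG), ("photo.jpg", FAKE_JPEG)):
        print(fname, "->", extension_mismatch(fname, blob))
```

Both checks are cheap enough to run on every mail attachment or download at a gateway: the magic-byte check catches the masquerading payload regardless of what the script names it, and the archive check catches the dropper before the user has a chance to double-click it.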
The researchers report that, despite its innocuous appearance, the downloaded file is actually a legitimate application, TTJ-Inventory System, repurposed as a loader for the Trojan. Since last year, the Orcus developers have marketed it as having the feature set one would expect from any RAT. It does, however, have one capability unusual among such tools: users can write their own plugins, which the RAT loads automatically, and the developers also offer a library of ready-made plugins to choose from. One of these ready-made plugins can launch a full-scale DDoS attack (distributed denial of service, flooding a website's servers with so many requests that it becomes unreachable).
Like other RATs, Orcus can log every keystroke the user types in order to harvest online credentials. It can also execute VB.NET and C# code on the fly. Moreover, it can switch off the webcam's activity LED so that victims are not tipped off that they are being watched; if the victim does become suspicious, the RAT can trigger a blue screen (BSOD), halting the system instantly. Fortinet's researchers note that this feature makes it especially difficult for security responders to terminate the program.
Another insidious technique used by the RAT's operators is a spoofed copy of the popular forum bitcointalk.org that advertises the Trojan as a Gunbot tool, with the same contents as the phishing e-mail version. The spoofed forum's domain is registered to a company called “Cobainin Enterprises”, which already has a track record of suspicious domains listed under its name, according to the researchers. They speculate that the criminals hop between sites registered to this company between campaigns.
The researchers close their report with a strong warning about Orcus RAT, stressing how much damage it can do.