A brand new stealer dubbed PennyWise by its builders has appeared just lately, uncovered by Cyble Analysis Labs. The researchers noticed a number of samples of the malware within the wild, making it an energetic risk. The risk focuses on stealing delicate browser knowledge and cryptocurrency wallets, and it comes because the Pentagon has raised issues in regards to the blockchain.

An uncommon manner of spreading: YouTube

The malware pretends to be a free Bitcoin mining software, which advertises and could be downloaded by way of a Youtube video (Determine A).

Determine A

Whereas this display screen seize exhibits a really restricted variety of guests, Cyble has noticed over 80 movies on YouTube for mass an infection, all saved on the risk actor’s YouTube channel.

Because the customers watch the video, they’re enticed to obtain a password-protected archive file, which comprises the marketed Bitcoin mining software program, however which is in actual fact the PennyWise malware.

SEE: Password breach: Why popular culture and passwords don’t combine (free PDF) (TechRepublic)

The usage of a password-protected archive is a recognized social engineering technique for imposing belief, as customers are usually much less suspicious when content material is password-protected.

In an extra try to seem extra reliable, the risk actor provides a hyperlink to VirusTotal which exhibits antivirus outcomes for a clear file that’s not the malware. The risk actor additionally mentions the person may want to show off his antivirus if he’s not allowed to obtain the file however that it’s fully secure (Determine B).

Determine B

The archive file comprises an installer for PennyWise, which executes it earlier than the malware begins speaking with its command and management server.

PennyWise malware traits

The malware is obfuscated with an unknown crypter instrument and makes use of multithreading to be extra environment friendly in stealing knowledge.

As soon as operating, the malware obtains the trail for a number of completely different browsers it targets:

• Greater than 30 Chrome-based browsers
• Greater than 5 Mozilla-based browsers
• Opera
• Microsoft Edge

The malware then grabs the username, the machine title, the system language and timezone from the victims working system. The timezone is transformed to Russian Customary Time.

One other geographical attribute comes when the malware tries to establish the sufferer’s nation. It fully stops all operations if the nation is without doubt one of the following:

• Russia
• Ukraine
• Belarus
• Kazakhstan

This might be a sign that the risk actor may wish to keep away from legislation enforcement companies in these specific international locations.

As well as, the malware grabs the graphic driver and processor title and saves all the pieces in a hidden folder within the AppDataLocal listing.

As soon as that is executed, the malware makes an attempt to find out wherein form of surroundings it’s operating through the use of anti-analysis and anti-detection tips. If it runs in a digital machine, it stops.

Extra checks are executed to find out what antivirus or sandbox is perhaps operating, and the malware checks a predefined checklist of course of names associated to evaluation instruments reminiscent of wireshark, fiddler and tcpview.

How PennyWise steals knowledge

As soon as the malware has executed all of the checks, it begins multithreading for effectivity. Over 10 threads are created, every one in control of a distinct operation.

The malware solely steals RTF, DOC, DOCX, TXT and JSON recordsdata smaller than 20kb. The recordsdata are saved in a folder “grabber” within the hidden folder infrastructure created by the malware.

The malware additionally lists all put in software program on the system.

All recognized browser knowledge is stolen if the malware detects a browser it is aware of, together with login credentials, cookies, encryption keys and grasp passwords.

Discord tokens and Telegram periods are additionally stolen, and a screenshot of the person’s display screen is taken.

The registry is then queried in a hunt for cryptocurrency wallets reminiscent of Litecoin, Sprint and Bitcoin earlier than concentrating on chilly storage wallets reminiscent of Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic Pockets, Guarda and Coinomi. Pockets recordsdata are stolen from a listing of predefined folders. Cryptocurrency extensions in Chrome-based browsers are additionally focused.

As soon as all the gathering is finished, it’s compressed and despatched over to an attacker-controlled server earlier than being deleted from the pc.

The best way to defend your self from this risk

Software program ought to by no means be downloaded from unverified or untrustworthy sources. Software program ought to at all times be downloaded from reliable web sites after a cautious verify from the person.

Customers must also by no means disable their antivirus for the aim of putting in a brand new software. A malicious detection from the antivirus must be a severe warning to the person. The antivirus or safety product operating on the pc ought to at all times be saved patched together with all different software program and the working system itself.

The storage of credentials must be prevented within the browser. As an alternative, a password supervisor must be used, with one completely different password for each web site or on-line service. Multi-factor authentication must be deployed when attainable in order that when a cybercriminal is in possession of legitimate credentials, they might not use it to make use of any on-line service.

Disclosure: I work for Pattern Micro, however the views expressed on this article are mine.