Bitcoin is not the only crypto-currency targeted by malware now that a Trojan designed to steal Litecoins has been discovered.
There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims’ Bitcoin wallets, or both.
One of the more recent “cryptocurrency-related malware” families is Skynet, which ESET detects as Win32/Scoinet. Probably the most unconventional feature of this Trojan is that its botnet command and control servers are run as Tor Hidden Services, both for anonymity and to thwart efforts to take down or sinkhole them. Win32/Scoinet also employs the Zeus banking Trojan for harvesting online credentials and the open source CGMiner software for mining Bitcoins.
ESET’s LiveGrid telemetry indicates that the Skynet botnet is quite active, and while monitoring the botnet we have also observed it carrying out DDoS attacks against Bitcoin exchanges. Rapid7 sheds more light on the subject in their blog post. Our LiveGrid statistics show a rise in activity towards the end of March 2013, which makes sense in the light of the waves of DDoS attacks that followed in April. Interestingly, by our count the most Win32/Scoinet detections have been seen in the Netherlands.
Figures 1 and 2 - ESET LiveGrid detection statistics for Win32/Scoinet.A
Add to all of this the recent news about ESEA, a popular game service that served Bitcoin-mining malware to gamers, and it becomes obvious that digital currency is currently a trending topic among malware writers as well as gamers.
Recently we’ve happened upon a new Trojan that attempts to steal virtual cash in the form of the alternative digital currency Litecoin. The Trojan, which ESET detects as MSIL/PSW.LiteCoin.A, is extremely unsophisticated. All it does is try to send the user’s wallet.dat file to an FTP server under the control of the attacker. The Trojan code, written in C#, decompiles to this:
Figure 2 - Decompiled code of MSIL/PSW.LiteCoin.A
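A defender-side check for the behaviour described above, added here as an example (it is not ESET's code and not taken from the post): it scans a constructed FTP command log for uploads of a wallet.dat file to a server outside the local network, which is exactly the traffic this Trojan generates. The log layout, host names and addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample FTP command log (not from the original post); the field
# layout is an assumption. One line per command seen at the network edge.
SAMPLE_FTP_LOG = """\
2013-04-29T10:12:03Z host=WS-042 dst=203.0.113.7 cmd=USER arg=upload
2013-04-29T10:12:04Z host=WS-042 dst=203.0.113.7 cmd=STOR arg=wallet.dat
2013-04-29T10:15:10Z host=WS-017 dst=10.0.5.20 cmd=STOR arg=Litecoin\\wallet.dat
2013-04-29T10:20:44Z host=WS-009 dst=198.51.100.9 cmd=STOR arg=report.pdf
2013-04-29T10:21:00Z host=WS-031 dst=203.0.113.7 cmd=RETR arg=wallet.dat
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+) arg=(?P<arg>.*)$"
)
# Bitcoin-derived clients, Litecoin included, keep their private keys in wallet.dat.
WALLET_NAMES = {"wallet.dat"}
# Destinations treated as internal (e.g. a backup server) and therefore not alerted on.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_wallet_upload(cmd: str, arg: str) -> bool:
    """True when the command uploads (STOR) a file whose base name is a wallet file."""
    if cmd.upper() != "STOR":
        return False
    base = re.split(r"[\\/]", arg.strip())[-1].lower()  # accept either path separator
    return base in WALLET_NAMES

def is_external(dst: str) -> bool:
    """True unless dst is an IP inside INTERNAL_NETS; bare hostnames are not resolved here."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def find_wallet_exfiltration(lines):
    """Return (timestamp, host, dst, path) for every STOR of a wallet file to an external server."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_wallet_upload(m["cmd"], m["arg"]) and is_external(m["dst"]):
            alerts.append((m["ts"], m["host"], m["dst"], m["arg"]))
    return alerts

if __name__ == "__main__":
    for ts, host, dst, path in find_wallet_exfiltration(SAMPLE_FTP_LOG):
        print(f"{ts}: {host} uploaded {path} to {dst}")
```

Downloads (RETR) and uploads to internal addresses are deliberately left out so that a legitimate wallet backup to an internal server does not trigger an alert.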
The web provider has been made aware of the situation and connecting to the attacker’s domain generates the following warning:
Figure 3 - Warning displayed by attacker's FTP site
According to our telemetry, Win32/PSW.LiteCoin.A is not very widespread at the moment, but Litecoin may become a target for attackers as its popularity and user base increase. This younger peer-to-peer cryptocurrency is based on Bitcoin and offers several improvements. Interestingly, the largest Bitcoin exchange, Mt.Gox, announced in April its plans to begin trading Litecoins, but this was put on hold due to DDoS attacks against it; as mentioned above, these were also carried out by the Skynet botnet.