An old form of ransomware has been re-purposed to steal bitcoin by altering the addresses of wallets and redirecting payments into accounts owned by the attacker.
Little of the malicious code has been changed so a number of security products will still identify it as the file-locking malware, despite this version’s new role in outright stealing cryptocurrency.
Detailed by researchers at Fortinet, this Bitcoin stealing campaign has its origins in Jigsaw – a form of ransomware which appeared in April 2016 and infamous for displaying the face of horror film antagonist it is named after.
The source code of Jigsaw has been available for a long time and is widely distributed online, so the attack is unlikely to be the work of the original ransomware author because anyone with knowledge of C# code could theoretically tailor the malware to their own ends.
In this instance, the author is looking to take advantage of the popularity of blockchain-based bitcoin, which is still by far the most valuable cryptocurrency.
References in the code refer simply refer to the malware as ‘BitcoinStealer’ – although this can only be uncovered by reverse-engineering, so victims will never see this give-away of the software’s intentions.
The main goal of the malware is to modify the clipboard content of Bitcoin wallets so that the currency within ends up in the hands of the attackers
While common sense might indicate that users would notice that the bitcoin address has changed, BitcoinStealer replaces the legitimate address with a forged one – but this forged address has similar or the same symbols at the beginning and end of the string, in order to trick the user into believing it is the intended address.
Researchers say that these attacks have successfully stolen at least 8.4 Bitcoin, which currently works out at around $62,000 (£48,000). So while the attack is basic, it is seemingly effective.
During the course of the investigation into the malware, Fortinet uncovered similar projects for building and modifying cryptocurrency stealers being advertised on underground forums.
This episode goes to show that even the most basic cyber attacks can result in a big loss for victims. Bitcoin users should always double-check to see if they’re sending payments to the right address.