Windows: New botnet steals user data and empties crypto wallets
A newly discovered botnet attacks Windows machines and steals user data. The malware also clears wallets with cryptocurrencies such as Bitcoin or Ether. How to protect yourself.

A new botnet is spreading on Windows computers. The malware installed by the botnet is designed to steal cryptocurrencies. This is reported by the Bleeping Computer news website, which specializes in IT security issues.

As is usual with a botnet, the infected Windows computers are remotely controlled and spied on by command-and-control servers. The attackers are constantly setting up new command-and-control servers of this kind, so the botnet is actively being expanded. ZeroFox researchers first discovered it in late October 2021 and dubbed it “Kraken” (not to be confused with the Kraken botnet of 2008). The botnet uses the SmokeLoader backdoor and malware downloader to spread to new Windows systems.

This is how the botnet camouflages itself on the Windows PC

After infecting a new Windows PC, the botnet adds a new registry key so that it keeps running even after a system restart. Particularly clever: it adds an exclusion to the Windows virus scanner Microsoft Defender to ensure that its installation directory is never scanned. It also hides its binaries from Windows Explorer by setting the “Hidden” attribute on them.
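The three footholds described above (a Defender path exclusion, a persistence registry key, hidden files) are all visible from an elevated PowerShell session. The following audit script is an added example, not code from the article or from the ZeroFox report: it lists Defender path exclusions, checks whether each excluded directory carries the Hidden attribute, and flags autostart entries that launch from an excluded path. It assumes the persistence key is one of the standard Run keys, which the article does not state.

```powershell
# Added audit script (not from the article or ZeroFox). Run elevated:
# Get-MpPreference needs administrative rights on most systems.
#Requires -RunAsAdministrator

# 1. Defender path exclusions: anything listed here is never scanned.
$exclusions = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
Write-Host "Defender path exclusions ($($exclusions.Count)):"
foreach ($path in $exclusions) {
    $hidden = $false
    if (Test-Path -LiteralPath $path) {
        # -Force is required; without it Get-Item skips hidden items entirely
        $item   = Get-Item -LiteralPath $path -Force
        $hidden = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden)
    }
    Write-Host ("  {0}  hidden={1}" -f $path, $hidden)
}

# 2. Autostart entries in the usual Run keys. Assumption: the article only
#    says "a new registry key", so these two are the common places to look.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
Write-Host "Autostart entries:"
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the provider adds
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # 3. Correlate: an autostart command that lives inside a Defender-
        #    excluded directory is exactly the combination described above.
        $inExcluded = $exclusions | Where-Object { $cmd -like "*$_*" }
        $flag = if ($inExcluded) { '   <-- runs from a Defender-excluded path' } else { '' }
        Write-Host ("  {0}\{1} = {2}{3}" -f $key, $p.Name, $cmd, $flag)
    }
}
```

Any exclusion you did not add yourself, especially one pointing at a hidden directory with an autostart entry inside it, is worth investigating before removing it with Remove-MpPreference -ExclusionPath.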

The botnet does this damage

Kraken then gives the attacker simple functions for harvesting as much user data as possible from the infected computer. Among other things, Kraken can download the RedLine Stealer malware onto the infected PC.

RedLine specializes in spying on passwords, browser cookies, credit card details, and cryptocurrency information. The Kraken botnet seems to prefer RedLine for the latter. In other words, the Kraken botnet raids wallets. According to ZeroFox, Kraken can steal information from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty crypto wallets. According to the security researchers, Kraken appears to be adding around $3,000 worth of cryptocurrency to the wallets of its “masters” every month. Helium’s HNT cryptocurrency is apparently unaffected due to its different wallet structure.

You can read the detailed analysis by the ZeroFox security researchers here.

How to protect yourself

Windows users must always use up-to-date antivirus software and install security updates for Windows promptly. You should also enable two-factor authentication for all your accounts.

Above all, never carelessly open files that are sent to you by e-mail or as a download link! If in doubt, ask the sender by telephone whether they actually sent you an e-mail with a file attached. If the e-mail comes from a sender you do not know, alarm bells should ring.

Linux and macOS users are not at risk.