The Russia-based internet security company wrote that its investigation of the cryptocurrency scammer's activities found the scammer using “a wide range of commercial Trojans” - malware that is mainly sold through closed online forums on the dark web.
"Gaining Illegal Income"
Referred to as Investimer, Mmpower, or Hyipblock, the scammer was found to be “gaining illegal income” by using malicious Trojans such as “Eredel, AZORult, Kpot, Kratos, N0F1L3, ACRUX, Predator The Thief, Arkei, and Pony”, Dr. Web noted.
The team of online security researchers discovered that the bad actor has been using DarkVNC - reportedly “a TeamViewer-based Spy-Agent backdoor” - as well as HVNC backdoors to gain access to victims’ personal computers (PCs).
Multiple Backdoor Programs Used
In order to break into users’ machines, the scammer also used the virtual network computing (VNC) protocol - a simple, lightweight protocol that gives users remote access to graphical user interfaces (GUIs), such as the desktop of the Windows operating system (OS).
Additionally, the hacker used backdoors “based on RMS”, and “widely applied the Smoke Loader.” As explained by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), Smoke Loader is “a small application used to download other malware. It is often distributed via spam campaigns and exploit kits. ... The trojan also evades detection by changing the timestamp of its executable to prevent the malware from being located by searching recently modified files.”
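The timestamp trick NJCCIC describes leaves a trace a defender can look for: rewriting a file's modification time does not rewrite the time the filesystem itself last touched the inode (on Linux/macOS) or the creation time (on Windows), so a "recently created" executable that claims to be a year old stands out. The script below is an added triage example, not code from Dr. Web or NJCCIC; the directory layout, file names and the 60-second tolerance are constructed for the demonstration.

```python
"""Triage heuristic for back-dated executables ("timestomping").

Assumption (not from the article): the stealer set only the content
modification time. os.stat exposes a second timestamp the tool did not
touch: st_ctime is the inode-change time on Linux/macOS (bumped by the
very call that rewrote mtime) and the creation time on Windows.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    mtime: float   # what the file claims about its content
    ctime: float   # inode change time (POSIX) / creation time (Windows)


def find_backdated(root, tolerance=60.0, suffixes=(".exe", ".dll", ".scr")):
    """Return executables whose mtime is well before their ctime."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        st = p.stat()
        # A content time far earlier than the inode/creation time means the
        # mtime was set backwards. Archive extraction that preserves mtimes
        # produces the same pattern, so treat hits as candidates for review.
        if st.st_mtime < st.st_ctime - tolerance:
            findings.append(Finding(str(p), st.st_mtime, st.st_ctime))
    return findings


def build_demo_dir(base):
    """Constructed sample: one honest binary, one pushed back by a year."""
    base = Path(base)
    base.mkdir(parents=True, exist_ok=True)
    (base / "updater.exe").write_bytes(b"MZ honest sample")
    stomped = base / "svchost_helper.exe"
    stomped.write_bytes(b"MZ back-dated sample")
    year_ago = time.time() - 365 * 86400
    os.utime(stomped, (year_ago, year_ago))  # rewrites atime/mtime only
    return base


def demo():
    """Scan a fresh temp directory; returns the flagged file names."""
    root = build_demo_dir(tempfile.mkdtemp(prefix="stomp_demo_"))
    return sorted(Path(f.path).name for f in find_backdated(root))


if __name__ == "__main__":
    print(demo())  # ['svchost_helper.exe']
```

Run against a real system, compare the flagged paths with a software inventory before treating any of them as malicious, since installers and archive tools also preserve old modification times.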
Dr. Web further noted that the cybercriminal used another loader, developed by Danij, and a Trojan miner with a built-in “clipper” for modifying users’ clipboard content. To carry out the attacks, Investimer “hosts [its] controlling servers” on websites including jino.ru, hostlife.net, and marosnet.ru, the Russian cybersecurity firm determined.
Based on Dr. Web’s findings, most of these websites “are Cloudflare protected and [they] hide their [real] IP address[es].” Moreover, the internet security team believes “Investimer is mainly focused on cryptocurrency fraud, primarily with Dogecoin.”
As described by Dr. Web, the scammer(s) have launched numerous “phishing websites that replicate actual online resources.” One example replicates a crypto asset exchange and reportedly tells users they need customized client software; the download is actually a “Spy-Agent Trojan”, which many unsuspecting users have now installed.
The experienced cybercriminal has also created a fake Dogecoin mining pool that is “available for rent at competitive prices.” This scam works by claiming that users will have access to a profitable mining pool if they simply download a “client application” from a “password-protected archive.”
However, the password protection actually serves to bypass detection by antivirus programs, and a “stealer Trojan” is then downloaded onto victims’ PCs, according to Dr. Web. The Russian security team also found that malware was being used to steal users’ digital assets, including Ethereum (ETH) and Dogecoin, by directing them to fake websites that promised rewards or giveaways.
$800,000 XRP Stolen In Phishing Scam
These sites had malicious scripts “under the guise of a special app” which allowed the scammers to steal users’ private information and/or obtain access to their crypto assets.
As CryptoGlobe reported in September, $800,000 in XRP had been stolen from users by scammers who had created a fake crypto exchange website by replicating a real exchange site.
Users were then sent fraudulent emails containing links to the fake XRP trading platform. Those who visited these websites and entered their passwords and other private information lost their funds, as the hacker(s) simply used the captured credentials to log into the real XRP exchange and steal their digital assets.