backing up bitcoin-qt

LogRhythm Labs has identified an emerging targeted BitCoin theft campaign while evaluating an interesting piece of malware that is actively targeting users of popular BitCoin exchanges. This malware arrives in the form of a phishing message:

This appears to be a mass-targeted phishing message, as many users have already reported receiving the same e-mail. After reviewing this, it is obvious that they have targeted people whom they know use BitCoin by way of scraping popular BTC sites and leaks for e-mail addresses.

, /ses/) used for sending mass-mails.

Running the shortened link through some quick online tools uncovers some interesting information and flags the link as malicious:

The shortened link (hxxp://goo.gl/sFgbEJ) redirects here: hxxp://skodegouw.nl/web/includes/Backup.zip and downloads the Backup.zip file. Analyzing the metrics around this short URL shows that just under two thousand users have clicked on the link since the malware campaign was launched at around 4pm on January 6th.
A majority of the clicks were through unknown sources, most likely e-mail, though other sources such as Reddit were also used to propagate the attack. When running this .zip file through VirusTotal, only 8 antivirus products are currently able to detect the malware.

After extracting the contents and running the files through some quick analysis, it is apparent that each file plays a significant role in the overall attack. They anticipate that the user will open Passwords.txt.lnk first, and then view wallet.dat, as only these two files are visible unless “show hidden files” is turned on in Windows. Running strings on Password.txt appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts, followed by calls to multiple DLLs… It gets better though. The Password.txt.lnk file launches cmd.exe and runs a few interesting commands…

Reviewing the wallet.dat file with strings discloses the phisher’s BTC wallet addresses. A team of 4 people: Liquid, Kaz, Abz, and Frosty.

EDIT: Thanks to reddit we have discovered that these BTC addresses are most likely not related to the phisher’s, but are those of users who may have fallen victim to this attack.
Initially, the Password.txt file shows up as hidden, as the attackers want the user to click Passwords.txt.lnk first. When this file is viewed it is obvious that it is a packed executable, by way of the UPX “signature” line. Running this file launches a blank command prompt window, followed by a program masquerading as notepad, then the real notepad application, which displays the “password” to the wallet.dat file. This file continues to run silently and remains open even after notepad is closed.

The intended target is obvious, as the malware is hard-coded for Windows hosts, and the screenshot included in the .zip file suggests the use of BitcoinQT by showing a screenshot of the included wallet.dat file, which happens to contain a very tempting ~30 BTC.
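An added triage script (not LogRhythm's tooling) that checks an extracted archive for the file-level indicators described above: a shortcut with a document-style double extension, entries carrying the DOS hidden attribute, and UPX packer markers inside a file named as a text file. The archive it inspects is a constructed stand-in, not the campaign's Backup.zip.

```python
import io
import zipfile

# Indicators worth flagging when triaging an archive like the one in the post:
# double-extension shortcuts, DOS-hidden entries, and UPX-packed payloads.
DOS_HIDDEN = 0x02                 # MS-DOS FILE_ATTRIBUTE_HIDDEN, low byte of external_attr
LNK_HEADER = b"\x4c\x00\x00\x00"  # Shell Link HeaderSize field, first 4 bytes of a .lnk
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")

def triage_zip(zip_bytes):
    """Return {entry name: [findings]} for every entry in an in-memory zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            notes = []
            data = zf.read(info)
            lname = info.filename.lower()
            parts = lname.split(".")
            if lname.endswith(".lnk") and len(parts) >= 3:
                notes.append("shortcut masquerading as ." + parts[-2] + " file")
            if data.startswith(LNK_HEADER) and not lname.endswith(".lnk"):
                notes.append("shell link data under a non-.lnk name")
            if info.external_attr & DOS_HIDDEN:
                notes.append("hidden attribute set (invisible unless show hidden files is on)")
            if any(m in data for m in UPX_MARKERS):
                notes.append("UPX packer markers present")
            if data.startswith(b"MZ") and not lname.endswith((".exe", ".dll")):
                notes.append("PE executable under a non-executable name")
            findings[info.filename] = notes
    return findings

def build_sample_zip():
    """Constructed stand-in for the campaign's Backup.zip (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Passwords.txt.lnk", LNK_HEADER + b"\x00" * 60)
        hidden = zipfile.ZipInfo("Password.txt")      # hidden, packed executable
        hidden.external_attr = DOS_HIDDEN
        zf.writestr(hidden, b"MZ" + b"\x00" * 30 + b"UPX0UPX1" + b"UPX!")
        zf.writestr("wallet.dat", b"\x00" * 64)       # visible bait file
    return buf.getvalue()

if __name__ == "__main__":
    for name, notes in triage_zip(build_sample_zip()).items():
        print(name, notes or ["no findings"])
```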
Once BitcoinQT.exe is opened, the software appears to connect back to the attacker’s network; however, it is difficult to tell immediately which IP addresses are related to the malware, and this is only one potential avenue. We are currently working to analyze this in more detail and plan to release additional information on this malware in a follow-up blog post.

LogRhythm Labs dug deeper into this malware and more information is now available in our follow-up post.

In last week’s post, we talked about Bitcoin, Tor and some of the hidden websites only accessible via Tor, such as Silk Road, which was shut down by the FBI on October 1st. Well, just over a month later and Silk Road is back online: It only took a day and they already had over 20,000 users on the site. The new admin of the site?
How’s that possible, he’s been arrested, right? Those familiar with the movie “The Princess Bride” will get the joke here: the Dread Pirate Roberts was not one man, but rather a series of individuals who periodically pass the name and reputation on to a chosen successor. Time will tell how long the new Silk Road lasts, but it’s clear that these secret websites and Tor aren’t going away anytime soon, and neither is the currency that drives these sites, Bitcoin.

We received a lot of positive feedback on the last Bitcoin post and some suggestions for follow-up posts. One of the themes was around identifying Bitcoin wallets, especially on a USB flash drive or other removable media. First, let’s take a look at the Bitcoin wallet software out there: As you can see, there are a few different options.
This time I’ll focus on the Bitcoin-Qt client, which is a full Bitcoin client and the standard client, forming the backbone of the network. If you’re examining an image with the Bitcoin-Qt client present, you’ll see a folder structure and files under the Users\[username]\AppData\Roaming\Bitcoin folder similar to this:

Note the “wallet.dat” file and “debug.log”. The wallet.dat file is (you guessed it!) the file containing the wallet data for the user. The debug.log file contains (you guessed it again) debugging information, including communication on the Bitcoin P2P network, with timestamps in some cases.

The wallet.dat file is easy to identify by filename, but backups of the wallet can be made and can be called whatever the user chooses. If you are examining removable media or other locations where you suspect you are dealing with a Bitcoin wallet file (from the Bitcoin-Qt client), you can check a couple of bytes at offset 0x12 for the string “b1”, which may identify the file as being a Bitcoin wallet:

Another easy check is to export the file and rename it to “wallet.dat”.
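As an added example (not from the post), the wallet identification check in code: rather than hard-coding a single offset, it parses the Berkeley DB btree meta page that a Bitcoin-Qt wallet.dat begins with, reports the magic number, byte order and page size, and also locates the “b1” bytes the post refers to. The header it runs on is constructed, not a real wallet; the field layout is assumed from the Berkeley DB source.

```python
import struct

# A Bitcoin-Qt wallet.dat is a Berkeley DB btree file. The btree magic value is
# 0x00053162; written little-endian it is the bytes b"b1\x05\x00", the "b1" marker.
DB_BTREEMAGIC = 0x00053162
# Meta-page header (assumed from the Berkeley DB source): lsn 8 bytes, pgno 4,
# magic 4, version 4, pagesize 4, encrypt_alg 1, type 1. Magic starts at byte 12.
MAGIC_OFFSET = 12
VALID_PAGESIZES = {512, 1024, 2048, 4096, 8192, 16384, 32768, 65536}

def bdb_meta_info(data):
    """Return parsed header fields if data starts with a Berkeley DB btree meta page."""
    if len(data) < MAGIC_OFFSET + 14:
        return None
    for order in ("<", ">"):                      # try both byte orders
        magic, version, pagesize = struct.unpack(
            order + "III", data[MAGIC_OFFSET:MAGIC_OFFSET + 12])
        if magic == DB_BTREEMAGIC:
            return {"byte_order": "little" if order == "<" else "big",
                    "version": version,
                    "pagesize": pagesize,
                    "encrypted": data[MAGIC_OFFSET + 12] != 0}
    return None

def looks_like_bitcoin_wallet(data):
    """True when the header parses and the page size is one Berkeley DB allows."""
    info = bdb_meta_info(data)
    return info is not None and info["pagesize"] in VALID_PAGESIZES

def b1_marker_offset(data):
    """Offset of the ASCII 'b1' bytes within the first 32 bytes, or -1 (the post's quick check)."""
    return data[:32].find(b"b1")

def sample_wallet_header():
    """Constructed little-endian Berkeley DB btree meta page (not a real wallet)."""
    hdr = b"\x00" * MAGIC_OFFSET                          # lsn + pgno
    hdr += struct.pack("<III", DB_BTREEMAGIC, 9, 4096)    # magic, version 9, pagesize 4096
    hdr += b"\x00\x09"                                    # encrypt_alg = 0, type = P_BTREEMETA
    return hdr + b"\x00" * 40

if __name__ == "__main__":
    hdr = sample_wallet_header()
    print(looks_like_bitcoin_wallet(hdr), b1_marker_offset(hdr), bdb_meta_info(hdr))
```

A renamed backup passes the same check, since only the file header is examined.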