Fake bank transfer emails stealing Bitcoin and passwords

by Igor Glik & Magni Reynir Sigurðsson

Categories: Malware, Threat Analysis, Web Security

Cyren has discovered an outbreak of malware that steals passwords as well as Bitcoin from crypto-currency wallets on PCs. This versatile keylogger malware is delivered as an attachment to phony bank transfer emails informing the recipient that they have received a deposit. The emails originate primarily from bots in the U.S. and Singapore and are branded as coming from several different banks, including Emirates NBD and DBS (see example below).

The email subjects are typically financial transfer-related, including:

  • Online wire transfer payment notification
  • Payment update
  • Swift copy

The attachments are all named with variations on “Swift”, including:

  • swift copy_pdf.ace
  • swift copy.zip
  • swift_copy.pdf.gz

"Swift" here refers to SWIFT codes, used to uniquely identify banks and financial institutions globally for fund transfers, and is evidently used to give the impression that these are genuine interbank transaction reports. 

[Image: sample email body (BDS_Body.PNG)]

The email attachment is an executable file, most typically with “PDF” in the filename (Swift_Copy.Pdf.exe). Cyren researchers report that after execution it deletes itself and creates a file called “filename.vbs” in the Windows startup folder. Every time the victim restarts the PC or logs in again after signing out, this script runs and launches the malware itself, “filename.exe”, located in AppData\Local\Temp\subfolder.
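A defender-side check for the persistence mechanism just described, added here as an example and not part of Cyren's report: it scans a Startup folder for .vbs launchers that point at an .exe under AppData\Local\Temp. The sample scripts, the user name and the subfolder name are constructed.

```python
"""Scan a Windows Startup folder for .vbs launchers that run an .exe from AppData\\Local\\Temp."""
import re
import tempfile
from pathlib import Path

# Path shape given in the report: ...\AppData\Local\Temp\<subfolder>\<name>.exe
TEMP_EXE_RE = re.compile(r"AppData\\Local\\Temp\\[^\"'\s]*?\.exe", re.IGNORECASE)
# VBScript constructs that start a program (short list, not exhaustive).
LAUNCH_RE = re.compile(r"\b(WScript\.Shell|\.Run\b|\.Exec\b|ShellExecute)", re.IGNORECASE)

def analyze_vbs(text: str) -> dict:
    """Return Temp-hosted .exe paths and launch constructs found in one script."""
    return {"temp_exes": TEMP_EXE_RE.findall(text),
            "launches": LAUNCH_RE.findall(text)}

def is_suspicious(text: str) -> bool:
    """Flag a script that both launches something and points at an .exe in Temp."""
    found = analyze_vbs(text)
    return bool(found["temp_exes"]) and bool(found["launches"])

def scan_startup(startup_dir: str) -> list:
    """Scan every .vbs in a Startup folder; return [(filename, temp_exe_paths)]."""
    hits = []
    for script in sorted(Path(startup_dir).glob("*.vbs")):
        text = script.read_text(errors="replace")
        if is_suspicious(text):
            hits.append((script.name, analyze_vbs(text)["temp_exes"]))
    return hits

# Constructed samples for an offline run; neither is a file from the report.
SAMPLE_VBS = ('Set sh = CreateObject("WScript.Shell")\n'
              'sh.Run "C:\\Users\\victim\\AppData\\Local\\Temp\\subfolder\\filename.exe", 0\n')
BENIGN_VBS = 'MsgBox "Welcome back"\n'

def demo() -> list:
    """Populate a temporary stand-in for the Startup folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "filename.vbs").write_text(SAMPLE_VBS)
        Path(d, "greeting.vbs").write_text(BENIGN_VBS)
        return scan_startup(d)

if __name__ == "__main__":
    # On a real host, pass %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup instead.
    for name, exes in demo():
        print(f"suspicious startup script {name}: launches {exes}")
```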


The malware queries the registry for passwords and other sensitive information belonging to many kinds of software, focusing on FTP clients, web browsers and other applications likely to hold credentials. It also gathers data from every web browser on the computer (stored passwords and usernames, history, cookies, cache, etc.) and from email clients.

The malware also searches the computer for crypto-currency wallets to steal. Among the wallets it tries to find are: Anoncoin, BBQcoin, Bitcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Namecoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin, and Zetacoin.

The malware installs hooks for both the keyboard and the mouse. It also calls the Windows API function GetAsyncKeyState, which indicates that it is logging every keystroke (a keylogger).
