Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Fake bank transfer emails stealing Bitcoin and passwords

Cyren has discovered an outbreak of malware which is stealing passwords as well as Bitcoin from crypto-currency wallets on PCs. This versatile keylogger malware is being delivered as an attachment to phony bank transfer emails, which inform the recipient that they have received a deposit. The emails are originating primarily from bots in the U.S. and Singapore, and are branded as coming from several different banks, including Emirates NDB and DBS (see example below).

The email subjects are typically financial transfer-related, including:

  • Online wire transfer payment notification
  • Payment update
  • Swift copy

The attachments are all named with variations of “Swift” including:

  • swift copy_pdf.ace
  • swift
  • swift_copy.pdf.gz

“Swift” here refers to SWIFT codes, used to uniquely identify banks and financial institutions globally for fund transfers, and is evidently used to give the impression that these are genuine interbank transaction reports.


The email attachment is an executable file, most typically with “PDF” in the filename (Swift_Copy.Pdf.exe). Cyren researchers report that after execution it deletes itself and creates a file called “filename.vbs” in the Windows startup folder. Every time the victim restarts or logs into his or her PC after signing out, this script runs, executing the malware itself — “filename.exe” located in AppDataLocalTempsubfolder.

Screen Shot 2017-01-25 at 10.02.54 AM.png

The malware queries the registry for passwords and other sensitive information related to many kinds of software. It especially focuses on FTP and web browsing software and other software that could have credential information. It gathers information from all the web browsers on the computer (stored passwords and usernames, history, cookies, cache etc.) and email clients as well.

The malware also searches the computer for crypto-currency wallets to steal. Among the wallets it tries to find: Anoncoin, BBQcoin, Bitcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Namecoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin, and Zetacoin.

The malware creates hooks for both the keyboard and the mouse. The API windows call “GetAsyncKeyState” is called which indicates that the malware is logging every keystroke (Keylogger).

Want to learn more about cloud-based email & web security? Contact us here!

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...