Bitcoin Malware: Malicious Program Disguising as Open Source Trading Program
I am a cryptocurrency enthusiast who has been into cryptocurrency for more than a year. I’m largely involved in Bitcoin and Litecoin community by helping victims in the tracing of scammers and retrieving their coins back.
Security in cryptocurrency has become a serious issue where many victims fell for scams, phishing and malicious programs. For the ease of this post, I will be referring all cryptocurrency as Bitcoin (the de facto cryptocurrency coin).
For those who are unfamiliar with Bitcoins, here is a 3 minutes crash course video:
Attackers today mainly target wallet.dat file in the victim’s computer; the file created by Bitcoin client which contains the private key to the access of the coins. There are mining botnets as well, and it will be a topic that I will be discussing next time. Many attacking techniques used by wallet hackers are pretty common in the eyes of security experts. However, there are exceptionally new ways of scamming, and distributions of malware in this cutting edge community.
A day ago, I came across a post on reddit announcing a new open-source trading program called cryptocointrader that can be downloaded from SourceForge. It seems to have many features and caught my attention. Several users claimed that the source code was clean and safe to download. To be sure, I downloaded both the source code and the precompiled executable to verify on my virtual machine.
The program extracted qtbitcoin trader client (legitimate open-source trading program) and installed some suspicious executables (bridgemigplugin.exe, vbc.exe). After some investigation, brigemiplugin.exe description on task manager appears to be open broadcaster software. After some Googling, it is obvious that the program is doing a live/recording video stream through another legitimate open-source program from open broadcaster software http://obsproject.com/.
I also ran Wireshark to analysis the traffic produced by the malware. It appears that there are connections initiated from a Russian IP address, 126.96.36.199.
It turns out that the attacker has pieced together several legitimate open-source programs, and exploits the public’s trust in SourceForge with a precompiled malware that is different from the source code uploaded.
After the discovery, I’ve posted a reddit post in the Bitcoin community warning everyone not to download the malicious trading program. it had since gone viral, with several members from the community tipping me for increasing their security awareness. It turns out that some of the redditers did in fact downloaded the malware and ran it.
This incident serves as a good example why one shouldn’t put their full trust in open source programs by assuming precompiled executables are safe.
Tan Rong Shun.