Hackers Jump on Ukraine Conflict to Execute Bitcoin Heist

The Russia-Ukraine conflict might be bad for both countries, but it is a great way for hackers to take advantage and earn some money using malware that targets bitcoin wallets.

[Image: Ukraine] Photo: Atana / Flickr

Cybersecurity company Bitdefender Labs has presented a report focusing on the digital currency market.

It shows how a group of hackers has disguised malware to steal bitcoin currency. The report says that the perpetrators distributed infected software while claiming it was capable of disrupting the digital activities of Western countries fighting against Russia.

However, the program was actually a Trojan that released the Kelihos malware on the victims' computers. Kelihos was identified almost five years ago and was used to steal the contents of bitcoin wallets. It had many other harmful effects as well. Oddly, more than 40 percent of infected servers are from Ukraine.

Doina Cosovan, a Bitcoin analyst, explained:

“Some of the IPs might indicate the origin of servers specialized in malware distribution or other infected computers that became part of the Kelihos botnet. As most of the infected IPs are from Ukraine, this either means that computers in the country were also infected, or that Ukraine itself is home to the main distribution servers.”

According to Cosovan, their team analyzed the recent spam wave and noticed that the .eml files pointed to setup.exe and involved 49 unique IP addresses. They started by examining those 49 IP addresses and found the domain associated with each. The analysis showed that the botnet is huge and interconnected, and that the 49 infected IPs were just a small part of it.

Kelihos is not limited to just Bitcoin theft. It is also used to enslave host computers and form a global botnet. This allows the hackers to freely distribute spam, scan data on the infected computers, and spread the malware further.

Bitdefender said that the hackers pretended to be nationalists and tried to distribute the software to those who are against Western countries taking economic and political measures against Russia.

The message from the hacker group read:

“We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country. We have coded our answer and bellow [sic] you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions.”

When users clicked on the link, they downloaded the Kelihos malware onto their systems. It then mined sensitive data from browsers and dropped clean files (wpcap.dll, packet.dll, and npf.sys) to monitor network traffic.

Then the Trojan communicated with its command-and-control server over HTTP, exchanging encrypted messages. The rest of the attack depended on the payload received. It could do any of the following:

• Steal bitcoin currency
• Communicate with other computers infected with the same malware
• Send spam
• Download other malware onto the system
• Steal email and FTP passwords along with other login details stored in web browsers
• Monitor traffic and send details to the server
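As an added example (not from the Bitdefender report or this article), a small Python detection routine that flags a single process dropping all three of the capture components named above within a short window, which is the file-drop behaviour the report attributes to the Trojan. The log format, timestamps, process names and the installer allow-list are constructed assumptions.

```python
"""Flag a process that drops the WinPcap trio (wpcap.dll, packet.dll, npf.sys).

Input is constructed file-create telemetry, one event per line:
"timestamp|process|path". This is sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime

# The three clean-but-abused files named in the report.
CAPTURE_FILES = {"wpcap.dll", "packet.dll", "npf.sys"}
WINDOW_SECONDS = 120
# Hypothetical allow-list: a legitimate installer that writes these files.
TRUSTED_WRITERS = {"winpcap-installer.exe"}

# Constructed sample events (assumed format, assumed process names).
SAMPLE_EVENTS = """\
2015-03-20T10:00:01|setup.exe|C:\\Users\\u\\AppData\\Local\\Temp\\wpcap.dll
2015-03-20T10:00:02|setup.exe|C:\\Users\\u\\AppData\\Local\\Temp\\packet.dll
2015-03-20T10:00:03|setup.exe|C:\\Windows\\System32\\drivers\\npf.sys
2015-03-20T11:15:00|winpcap-installer.exe|C:\\Windows\\System32\\wpcap.dll
2015-03-20T11:15:01|winpcap-installer.exe|C:\\Windows\\System32\\packet.dll
2015-03-20T11:15:02|winpcap-installer.exe|C:\\Windows\\System32\\drivers\\npf.sys
2015-03-20T12:00:00|notepad.exe|C:\\Users\\u\\notes.txt
2015-03-20T13:00:00|svchost.exe|C:\\Windows\\Temp\\wpcap.dll
"""

def parse_events(text):
    """Yield (time, process, file basename) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, path = line.split("|", 2)
        name = path.rsplit("\\", 1)[-1].lower()
        yield datetime.fromisoformat(ts), proc.lower(), name

def find_capture_drops(text):
    """Return processes that wrote all three components within WINDOW_SECONDS."""
    seen = defaultdict(dict)  # process -> {basename: first time written}
    for ts, proc, name in parse_events(text):
        if name not in CAPTURE_FILES or proc in TRUSTED_WRITERS:
            continue
        seen[proc].setdefault(name, ts)
    alerts = []
    for proc, files in seen.items():
        if set(files) == CAPTURE_FILES:
            span = (max(files.values()) - min(files.values())).total_seconds()
            if span <= WINDOW_SECONDS:
                alerts.append(proc)
    return sorted(alerts)

if __name__ == "__main__":
    print(find_capture_drops(SAMPLE_EVENTS))  # ['setup.exe']
```

A process that writes only one of the three files (svchost.exe in the sample) is not flagged, and the allow-listed installer is skipped even though it writes all three.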

Over the years, there have been improvements in the way people store their digital currency, but malware makers keep upgrading their techniques to steal from unsuspecting users.

Recent reports suggest that there have been several attempts to steal bitcoin wallets. In a report by Kaspersky Labs, almost 22 percent of finance-related malware attacks target bitcoin currency. The malware is disguised in many ways, including as wallpaper apps on the Google Play store.

This recent attack has grabbed the attention of financial regulators and government entities. The US Consumer Financial Protection Bureau has already warned users against malware problems related to digital currencies.

According to Coin Telegraph, there are many other ways in which bitcoin scam artists operate, including phishing attempts, frauds, pyramid schemes, and gambling sites.
