Another banking trojan is trying to loot your cryptocurrency wallets

Trickbot variant adds Coinbase exchange to monitored sites

Researchers have discovered a new variant of banking trojan that targets cryptocurrency wallets instead of traditional accounts.

Coinbase, the cryptocurrency exchange site targeted in part by the latest Trickbot variant, manages multiple currencies thus offering crooks a wider platform for abuse once they succeed in harvesting the account credentials. Coinbase has been added as a target to config files for the trojan, which already attempted to loot bank accounts with numerous providers worldwide, infosec firm Forcepoint Security reports.

Cybercriminals have been developing Trickbot since its creation, adding new regional banks (most recently in the Nordics) to its hit list. Security researchers recently unearthed Trickbot campaigns targeting PayPal wallets.

The switch to digital currency accounts matches the popularity of Bitcoin and the like as a form of payment.

Dodgy messages spreading the malware pose as a "secure message" from the Canadian Imperial Bank of Commerce. A booby-trapped attachment harbours a macro downloader that ultimately downloads and executes a Trickbot variant.

Malware targeting cryptocurrency wallets is uncommon but far from unprecedented. For example, variants of the Dridex banking trojan went down this route last year. F-Secure caught a trojan that searches for Bitcoin WALLET.DAT files way back in June 2011. ®


Biting the hand that feeds IT © 1998–2017