The Efimer cryptocurrency wallet-targeting trojan is being spread through mass email spam and compromised WordPress sites, Kaspersky reported Friday.Efimer aims to steal cryptocurrency by replacing crypto wallet addresses stored in the user’s clipboard with the attacker’s own wallet addresses. Transactions sent by the victim will then go to the attacker rather than the intended recipient.Emails sent by the attackers claim to come from lawyers representing “a major brand” and threaten legal action over an alleged infringing domain name. The body of the email itself includes few details, compelling the target to click on the attachment labeled “Demand_984175.”The attachment is a ZIP archive containing an additional password-protected ZIP archive labeled “Requirement” and an empty file with the name “PASSWORD – 47692.” The “S” characters in “PASSWORD” were noted to be the Unicode character U+1D5E6 rather than a standard capital S, in a likely attempt to prevent automated security tools from recognizing and using the password, according to Kaspersky.The nested archive contains the file “Requirement.wsf” that triggers installation of the Efimer trojan when clicked. The Windows Script File saves the file “controller.js,” containing the trojan, to the path “C:\\Users\\Public\\controller,” following a slightly different procedure depending on the privileges of the affected user.Efimer installs a Tor proxy client to establish communication with the attacker’s command-and-control (C2) server. It then periodically scans the user’s clipboard for cryptocurrency wallets, recognizing Bitcoin, Ethereum and Monero wallets and replacing them with hardcoded wallets as long as certain starting or ending characters match with the attacker’s wallets.The trojan also detects and extracts mnemonic phrases for cryptocurrency wallets, both by retrieving them directly from the clipboard and by taking screenshots in an attempt to capture the use of these phrases. The stolen details are exfiltrated to the attacker’s server via Tor.The trojan infection also works to spread itself by attempting to brute force WordPress sites from the victim’s computer. The malware retrieves lists of random words from Wikipedia and uses these as search terms to discover random WordPress sites on the web.It attempts to retrieve a list of users from these sites and attempts to make posts on the sites by brute forcing with a list of common passwords. When it succeeds in authenticating, it publishes posts offering free movie downloads, which spread the Efimer trojan if downloaded.Kaspersky has identified other versions of Efimer; for example, the version uploaded to WordPress also recognizes Tron and Solana wallets in addition to Bitcoin, Ethereum and Monero. Another version scans browser extensions for Google Chrome and Brave for cryptocurrency wallet details.Some versions of Efimer also contain a script that harvests email addresses from websites to leverage in additional spam campaigns. This script contains functions and identifiers containing the words “liame,” “liam” and similar terms in place of the word “email,” to obscure its email-harvesting intent.More than 5,000 Kaspersky users are believed to have been affected by Efimer, with more than a fifth of victims located in Brazil. The cybersecurity company recommends users avoid downloading suspicious email attachments or untrusted archives from the web. Additionally, website administrators should use strong passwords and multi-factor authentication to prevent unauthorized uploads.
Malware, Email security, Phishing, Threat Intelligence
Efimer cryptocurrency trojan spread via email, WordPress sites
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds