Threat actors have begun using bogus software updates to deliver a new stealer malware known as “CoinLurker.” This malware uses cutting-edge obfuscation and anti-analysis techniques, making it frighteningly effective for threat actors. Continue reading this Cybersecurity Threat Advisory to learn about this new malware and how to mitigate your risk.
What is the threat?
CoinLurker uses fake update alerts and deceptive entry points, including software update notifications, malvertising redirects, and social media links, to infect machines. Once compromised, it triggers the payload through Microsoft Edge Webview2, which relies on pre-installed components and user interaction, making automated detection difficult. A key deployment technique is ‘EtherHiding,’ where scripts are injected into compromised sites to interact with Web3 infrastructure. The final payload, retrieved from a Bitbucket repository and signed with a stolen EV certificate, bypasses security protocols. It also uses intelligent detection of existing compromises and redundant resource assignments to remain undetected and blend seamlessly into legitimate system activity.
Why is it noteworthy?
CoinLurker employs multiple sophisticated techniques to evade detection and bypass security protocols. Its use of Webview2 and EtherHiding makes it particularly challenging to combat as it relies on pre-installed components and user interaction to avoid automated detection. Additionally, by masquerading payloads as legitimate tools and signing them with stolen extended validation certificates, CoinLurker adds another layer of credibility to its attack. These advanced methods make it more difficult for traditional security measures to identify and mitigate the threat, increasing the risk of widespread compromise.
What is the exposure or risk?
Once launched, CoinLurker initiates communications with a remote server and harvests data from the directories of cryptocurrency applications such as Bitcoin, Ethereum, Ledger Live, and Exodus, as well as those of Telegram, Discord, and FileZilla. CoinLurker’s primary goal is to harvest valuable data and user credentials from cryptocurrency systems, leaving cryptocurrency users at significant risk.
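The collection behaviour described above lends itself to a simple endpoint detection heuristic. The following is an added example, not Barracuda’s or the advisory’s own code: it scans constructed Sysmon-style file-read events and flags any process that reads several distinct wallet or messenger stores without being the application that owns them. The %APPDATA% folder names, the owner executable names and the sample events are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict

# Stores the advisory says CoinLurker harvests. The %APPDATA% folder names below
# are assumptions for illustration; tune them to the paths seen in your fleet.
STORE_PATTERNS = {
    "bitcoin":     re.compile(r"\\appdata\\roaming\\bitcoin\\", re.I),
    "ethereum":    re.compile(r"\\appdata\\roaming\\ethereum\\keystore\\", re.I),
    "ledger_live": re.compile(r"\\appdata\\roaming\\ledger live\\", re.I),
    "exodus":      re.compile(r"\\appdata\\roaming\\exodus\\", re.I),
    "telegram":    re.compile(r"\\appdata\\roaming\\telegram desktop\\", re.I),
    "discord":     re.compile(r"\\appdata\\roaming\\discord\\", re.I),
    "filezilla":   re.compile(r"\\appdata\\roaming\\filezilla\\", re.I),
}
# Executables that legitimately read their own store (assumed names). They are not
# flagged, so the rule keys on one unrelated process sweeping several stores at once.
OWNER_IMAGES = {"bitcoin-qt.exe", "geth.exe", "ledger live.exe", "exodus.exe", "telegram.exe", "discord.exe", "filezilla.exe"}

# Constructed file-read events in a Sysmon-like JSON-lines shape, not real telemetry.
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\Program Files\\Exodus\\Exodus.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"pid": 5532, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\EdgeUpdate.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"pid": 5532, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\EdgeUpdate.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Ledger Live\\app.json"}
{"pid": 5532, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\EdgeUpdate.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"}
{"pid": 5532, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\EdgeUpdate.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\sitemanager.xml"}
{"pid": 7001, "image": "C:\\Windows\\explorer.exe", "path": "C:\\Users\\alice\\Documents\\notes.txt"}
"""

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify_path(path):
    """Name of the wallet/credential store a path falls under, or None."""
    for name, pattern in STORE_PATTERNS.items():
        if pattern.search(path):
            return name
    return None

def find_suspects(events, threshold=2):
    """Map pid -> sorted store names for non-owner processes reading >= threshold distinct stores."""
    touched, image = defaultdict(set), {}
    for ev in events:
        store = classify_path(ev["path"])
        if store is None:
            continue
        touched[ev["pid"]].add(store)
        image[ev["pid"]] = ev["image"].rsplit("\\", 1)[-1].lower()
    return {pid: sorted(stores) for pid, stores in touched.items()
            if len(stores) >= threshold and image[pid] not in OWNER_IMAGES}
```

Running `find_suspects(load_events(SAMPLE_LOG))` flags only pid 5532, the fake updater that swept four stores; the real Exodus process reading its own wallet is ignored.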
What are the recommendations?
Barracuda recommends the following actions to mitigate the risk posed by CoinLurker:
- Update security software regularly to ensure you have the latest protections.
- Educate users to not click on any suspicious ads or links in emails or notifications.
- Use proactive Endpoint Detection & Response solutions such as Barracuda XDR Endpoint Security to monitor endpoints for any anomalies.
- Enable two-factor authentication and update passwords periodically.
References
For more in-depth information on the above recommendations, please visit the following links:
- https://thehackernews.com/2024/12/hackers-exploit-webview2-to-deploy.html
- https://consumer.ftc.gov/articles/malware-how-protect-against-detect-and-remove-it#protect
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.