This Week In Blockchain and CyberSecurity News - February 1, 2019

Trojan Infects Various Browser Extensions And Spoofs Searches To Steal Cryptocurrency

A trojan has been targeting legitimate browser extensions and spoofing various search results with the hopes of stealing cryptocurrency. According to Kaspersky Lab, the malware has been identified as Razy, a trojan that utilizes many unusual techniques when infecting systems. Also known as Trojan.Win32.Razy.gen, this malware is typically distributed through malvertising, or on free file hosting services that disguise themselves as legitimate software. Razy focuses on compromising browsers such as Google Chrome, Mozilla Firefox, and Yandex. It then is able to install malicious browser extensions and deploy a new tactic that has rarely been seen. By disabling integrity checks for extensions and automatic updates for browsers, the trojan is also able to infect already installed, legitimate extensions. Razy has the ability to spoof Google and Yandex search results on infected browsers, allowing malicious actors to trick users into visiting malicious web pages. These search results are geared towards cryptocurrency websites in an attempt to steal user credentials. In many cases, the trojan downloads scripts that modify web pages/ modify various browser extensions, along with impersonating QR codes that point to crypto wallets.

Read more about Razy here

Cryptopia Hacker Strikes Again, 2 Weeks after Stealing $16 Million in Crypto

About two weeks ago Cryptopia was put under maintenance as they experienced a hack that was estimated to have resulted up to $2.4 million stolen from the exchange. Recently the blockchain data science firm Elementus figured out that the Cryptopia hackers had gotten away with $16 million in cryptocurrency. After 15 days since the original attack, the hackers have struck again. The attackers removed funds from approximately 17k Cryptopia accounts and sent the funds to the address 0x3b46c790ff408e987928169bd1904b6d71c00305. The stolen funds appear to be mined tokens deposited directly to the exchange from different pools and have ultimately been moved to 0xaa923cd02364bb8a4c3d6f894178d2e12231655c, which has a balance of roughly over $3.2 million (ccn). Elementus has concluded that Cryptopia does not have control over its Ethereum wallet and the hacker still does. Some state that this may not be a second hack but a continuation of the original attack. In either scenario, these incidents combined are set to be the largest security attack against Cryptopia.

Read more about the Cryptopia hack here

Aetna, IBM, and PNC Bank Launching New Blockchain Healthcare Network

A collaboration between PNC Bank, IBM, and Aetna(now owned by CVS Health) was created to design a blockchain healthcare network that aims to improve transparency and interoperability in the industry. The initiative focuses on using the technology to address many industry challenges, including “promoting efficient claims and payment processing, to enable secure and frictionless healthcare information exchanges, and to maintain current and accurate provider directories” (fiercehealthcare). The overall goal is to transform the healthcare industry and create an inclusive blockchain network in a highly secure, and shared environment. This collaboration is one of the several healthcare teams launched in the past year with a focus on applying blockchain technology for healthcare uses. IBM and others plan on adding additional members to the network in the coming months including health organizations, healthcare providers, startups and technology companies. There will be several areas of focus within this collaboration, including leveraging blockchain technology for bundled payment arrangements, administrative waste in healthcare, and eliminating areas of inefficiency and redundancy(fiercehealthcare). Blockchain technology will be able to provide a transparent, accurate, and immutable ecosystem to the healthcare industry. It is exciting to see the increasing interest of blockchain technology in various industries, and as more companies understand the benefits and use of the technology, more adoption will occur.

Read more here

New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection

A new wave of attacks from an information stealing Trojan labeled Ursnif has been using PowerShell and file execution mechanisms to hide from anti-malware solutions. Unisif, which is also known as Gozi IFB, or Dreambot was initially focused on stealing emails and online banking credentials from browsers. The new malware campaign has added new functionality as it has learned the ability to deploy other malware as well. The campaign uses phishing tactics which require enabling embedded macros. Once an unsuspecting user enables the macros in a Word document, a Powershell script gets launched and starts numerous techniques to download Ursnif and GandCrab variants. An observation of a spam campaign over the past month that distributes Ursnif noticed the trojan installs the GandCrab ransomware and leverages several different approaches to distribute malicious harm. Ursnif uses fileless persistence- making it difficult for traditional anti-virus techniques to filter out the c2 traffic from normal traffic. It also uses CAB files to compress its data prior to exfiltration, making the malware even more challenging to stop.

Get more info here

Mac “CookieMiner” Malware Aims to Gobble Crypto Funds

A newly discovered Mac malware dubbed CookieMiner targets MacOS users and steals the cookies related login credentials for cryptocurrency exchanges like Bittrex, Bitstamp, Binance, and Coinbase.  It is still unknown how the malware gains access to systems, but once it is on a system it uses Shellscript to steal Google Chrome and Apple Safari browser cookies from the victims’ machine and then uploads them to a folder on a remote server. The malware can access SMS data if the victim has used iTunes to sync their Mac with their iPhone while their system was infected. Using the stolen login credentials, web cookies, and SMS data, malicious actors can now attempt to bypass multi-factor authentication security measures set in place, ultimately allowing them to steal funds from different users. Once the hackers have completed stealing cryptocurrency funds, they drop a cryptocurrency miner that appears to be highly active. To make matters worse the malware also distributes scripts for persistence and remote control of the infected machines, allowing hackers to check in and send commands.

Get more information here