CoinLurker Malware: Fake Updates Target Cryptocurrency Wallets
Cybercriminals are leveraging fake software updates to distribute a new malware strain known as CoinLurker. According to Morphisec, this malware, written in Go, employs advanced obfuscation and anti-analysis techniques, making it a formidable tool for modern cyberattacks.
The attacks are executed through counterfeit update notifications distributed via compromised WordPress sites, malvertising campaigns, phishing emails linking to fake update pages, fraudulent CAPTCHAs, and social media platforms. All these methods exploit the Microsoft Edge WebView2 component to execute malicious code.
A distinguishing feature of CoinLurker is its EtherHiding methodology. Compromised websites embed scripts that, through Web3 infrastructure, download the final payload from Bitbucket disguised as legitimate files, such as “UpdateMe.exe” or “SecurityPatch.exe.” The executable files are signed with stolen Extended Validation certificates, enabling them to bypass security mechanisms.
A multi-layered injector embeds the malware into the Microsoft Edge process (“msedge.exe”). CoinLurker actively conceals its activities, decoding its payload in memory during execution and employing conditional checks and memory manipulation to complicate analysis.
The malware’s primary objective is to steal data from cryptocurrency wallets such as Bitcoin, Ethereum, Ledger Live, and Exodus, as well as from applications like Telegram, Discord, and FileZilla. Researcher Nadav Lorber emphasizes that the large-scale data exfiltration reflects a clear focus on valuable cryptocurrency assets and user credentials.
Simultaneously, experts at Silent Push have observed a surge in malvertising campaigns targeting graphic design professionals. Since November 2024, cybercriminals have been using Google Search ads to distribute infected downloads associated with FreeCAD, Rhinoceros 3D, Planner 5D, and Onshape.
