To the moon and hack: Fake SafeMoon app drops malware to spy on you


Cryptocurrencies rise and fall, but one thing remains the same – cybercriminals try to cash in on the craze

Cybercriminals are trying to capitalize on “the next big thing” in the turbulent cryptocurrency space in an attempt to take remote control of people’s computers and then steal their passwords and money. A campaign seen recently impersonates the SafeMoon cryptocurrency app and uses a fake update to lure Discord users to a website that distributes a well-known remote access tool (RAT).

SafeMoon is one of the latest altcoins to, well, shoot for the moon. Ever since its inception six months ago, SafeMoon has been highly popular (and duly volatile), with the craze propelled by influencers and numerous enthusiasts on social media. The buzz hasn’t escaped the notice of scammers, as swindles targeting cryptocurrency users – including fraud that namedrops celebrities to give it some extra allure – have been running rampant for years.

Houston, we have a problem

The ruse exploiting SafeMoon’s sudden popularity begins with a message (Figure 1) that scammers have sent to a number of users on Discord, where they pose as the official SafeMoon account on the platform to promote a new version of the app.

Figure 1. The message impersonating SafeMoon

If you were to click on the URL in the message, you’d land on a website (Figure 2) that is apparently designed to look the part of SafeMoon’s official website – its old version, to be exact. First reported by a Reddit user in August 2021, the domain name also mimics its legitimate counterpart, except that it adds an extra letter at the end in the hope that the difference will go unnoticed by most people in their haste to obtain the required “update”. As of the time of writing, the malicious website is still up and running.

Figure 2. The fake (L) versus the legitimate (R) SafeMoon website, August 2021 (source: web.archive.org)

Figure 3. The official SafeMoon website, early October 2021

All external links on the site are legitimate, except for the arguably most important one – the link that prompts you to download the “official” SafeMoon app from the Google Play Store. Instead of the SafeMoon app for Android devices, it downloads a payload that includes rather common, off-the-shelf Windows software that can be used for both legitimate and nefarious ends.

Figure 4. The event section of the obfuscated malicious app

Upon execution, the installer (Safemoon-App-v2.0.6.exe) drops several files on the system, including a RAT called Remcos. While touted as a legitimate tool, this RAT is also being peddled for sale on underground forums, which earned it an official alert from US authorities shortly after the tool was released. When used for malicious ends, the acronym RAT is often taken to stand for “remote access trojan” instead.

Remcos has since been deployed in a number of campaigns, by both cybercrime and cyberespionage groups. Indeed, just a few months ago ESET researchers spotted Remcos in what they nicknamed “Operation Spalax”, where threat actors took aim at a slew of organizations in Colombia.

As is customary with RATs, Remcos gives the attacker a backdoor into the victim’s computer and is used to gather sensitive data from the victim. It is operated via a command and control (C&C) server whose IP address is injected into the downloaded files. Remcos’s capabilities include theft of login credentials from various web browsers, logging keystrokes, hijacking the webcam, capturing audio from the victim’s microphone, downloading and executing additional malware on the machine … the whole nine yards, really.

A cursory look at the RAT’s configuration file (Figure 5) gives an idea of its extensive functionality.

Figure 5. Part of the Remcos configuration file binary showing some of what the RAT is after

Strap yourself in

A few basic precautions will go a long way towards staying safe from these scams:

  • Be wary of any out-of-the-blue communications, be it via email, social media, texts or other channels
  • Don’t click on links in such messages, especially when they come from an unverified source
  • Be alert to irregularities in URLs – you’re better off typing the address in yourself
  • Use strong and unique passwords or passphrases and, wherever available, two-factor authentication (2FA)
  • Use comprehensive security software

When it comes to investing in cryptocurrencies, you need to proceed with caution, and not just because the market is rife with investment fraud, fake giveaways and other scams. But surely you know the drill by now.

Indicators of Compromise (IoCs)

SHA-256 hash | ESET detection name
035041983ADCFB47BBA63E81D2B98FA928FB7E022F51ED4A897366542D784E5B | A variant of MSIL/Injector.VQB

The files downloaded later as part of the Remcos “package” are detected by ESET products as Win32/Rescoms.B.
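To turn the IoCs above into something you can run, the following is an added example (not ESET’s code and not part of the original article) that hashes every file under a directory and flags any whose SHA-256 matches the listed installer hash or whose name matches the dropper’s file name; the directory to sweep and the dropper file name as a lookup key are assumptions.

```python
import hashlib
import os

# IoCs taken from the article: the installer's SHA-256 and its file name.
# Hex is stored lowercase so that mixed-case feeds still match.
IOC_SHA256 = {
    "035041983adcfb47bba63e81d2b98fa928fb7e022f51ed4a897366542d784e5b":
        "A variant of MSIL/Injector.VQB",
}
IOC_FILENAMES = {"safemoon-app-v2.0.6.exe"}  # assumed as a weak, name-only indicator


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of content already in memory (e.g. a captured download)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str, digest: str) -> list[str]:
    """Return the reasons a file is flagged: hash match and/or known dropper name."""
    reasons = []
    detection = IOC_SHA256.get(digest.lower())
    if detection:
        reasons.append(f"sha256 matches IoC ({detection})")
    if name.lower() in IOC_FILENAMES:
        reasons.append("file name matches known dropper name")
    return reasons


def sweep(directory: str) -> dict[str, list[str]]:
    """Walk a directory tree and map each flagged path to the reasons it was flagged."""
    hits = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                reasons = classify(name, sha256_file(path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if reasons:
                hits[path] = reasons
    return hits
```

A name-only hit is only a prompt to look closer; the hash match is the indicator that actually ties a file to this campaign.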
