Russia Joins Crypto Thieving List? New Malware Detected on YouTube

Paigambar Mohan Raj
Source: VOI

According to a blog post published by Cyble, a new crypto-malware is stealing data from users’ wallets and browser extensions. The researchers are calling the malware “PennyWise,” a name that likely comes from the clown monster in Stephen King’s novel “IT.” Many suspect this crypto-malware originates in Russia.

Cyble is a global cyber intelligence startup based in Alpharetta, Georgia. According to the researchers at Cyble, the attackers spread the PennyWise malware disguised as free Bitcoin-mining software. They upload YouTube videos explaining how to get “free” crypto mining software and direct unsuspecting viewers to a download link in the video description. Once the file is downloaded and run, the malware does the rest.


The downloaded file is not only zipped but also password protected, which prevents antivirus scanners and online services from inspecting its contents. To appear legitimate, the attackers also share a VirusTotal link for a clean file; that link is in no way related to the file actually offered for download.
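Two things a reader can check before running such a download are exactly the two tricks described above: whether the VirusTotal link really refers to the file on disk (VirusTotal file reports are addressed by the file's SHA-256, so the hash in the link must match the hash of the download), and whether the archive is password-protected, which means no scanner could have looked inside it. The script below is an added example written for this article; it is not Cyble's code or any tool the attackers used. The zip fixtures it builds are constructed samples, and the encrypted one is produced by setting the zip format's "encrypted" flag bit on a plain archive, because Python's zipfile module cannot write password-protected archives itself.

```python
"""Sanity checks for a download that arrives with a VirusTotal link.

Added example, not from the article or from Cyble. Checks:
  1. the SHA-256 in the VirusTotal URL matches the downloaded file;
  2. the archive contains no password-protected (encrypted) entries.
"""
import hashlib
import io
import json
import re
import sys
import zipfile

# VirusTotal file reports are linked as .../gui/file/<sha256> (older links
# used .../file/<sha256>/...). Anything else yields "no hash found".
VT_FILE_URL = re.compile(r"virustotal\.com/(?:gui/)?file/([0-9a-fA-F]{64})")

ZIP_ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0 in the zip spec: entry is encrypted


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_from_virustotal_url(url: str):
    """SHA-256 the link claims to report on, lower-cased, or None."""
    m = VT_FILE_URL.search(url)
    return m.group(1).lower() if m else None


def encrypted_entries(archive: bytes):
    """Names of zip entries flagged as encrypted; [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.flag_bits & ZIP_ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def assess_download(archive: bytes, vt_url: str) -> dict:
    """Compare the download against the VirusTotal link it was shipped with."""
    digest = sha256_hex(archive)
    claimed = hash_from_virustotal_url(vt_url)
    locked = encrypted_entries(archive)
    reasons = []
    if claimed is None:
        reasons.append("link does not point at a VirusTotal file report")
    elif claimed != digest:
        reasons.append("VirusTotal link is for a different file than the one downloaded")
    if locked:
        reasons.append("archive is password-protected, so scanners cannot inspect its contents")
    return {
        "sha256": digest,
        "claimed_sha256": claimed,
        "encrypted_entries": locked,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "consistent",
    }


def build_zip(name: str, payload: bytes, encrypted_flag: bool = False) -> bytes:
    """Constructed fixture: a one-entry zip; optionally flagged as encrypted.

    zipfile cannot write encrypted archives, so for the "password-protected"
    case the flag bit is patched into the central directory and local header.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        cd = data.index(b"PK\x01\x02")      # central directory header
        data[cd + 8] |= ZIP_ENCRYPTED_FLAG   # flags: 2 bytes at offset 8
        lh = data.index(b"PK\x03\x04")      # local file header
        data[lh + 6] |= ZIP_ENCRYPTED_FLAG   # flags: 2 bytes at offset 6
    return bytes(data)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_download.py <downloaded-file> <virustotal-url>")
    with open(sys.argv[1], "rb") as fh:
        print(json.dumps(assess_download(fh.read(), sys.argv[2]), indent=2))
```

A "consistent" verdict only means the link and the file agree and the archive is scannable; it says nothing about whether VirusTotal's verdict on that hash is trustworthy. A "suspicious" verdict on either check is the pattern this campaign relies on.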


So far, the attackers have created over 80 YouTube videos, presumably to reach as many victims as possible.


The malware steals data from Chromium- and Mozilla-based browsers, including their extensions, along with crypto wallets and saved login data. Cold wallets such as Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi are also targeted, and it looks for wallets supporting Ethereum and Zcash. The malware searches the locations where these wallets keep their files and sends a copy of any wallet files it finds to the attackers.

Is this crypto-malware from Russia?

The interesting point is that the crypto-malware stops running if it finds that the user is based in Russia, Ukraine, Belarus, or Kazakhstan. Moreover, the malware converts victims’ timezones to Russian Standard Time (RST). This leads to speculation that the attackers are of Russian origin.

So far, North Korea has been the top crypto thief. However, with sanctions hitting them hard, Russia, too, seems like a good fit for theft. Sanction-hit countries seldom have other means of procuring funds. If not the state, then it could be private hackers as well. However, in Russia, there is little that the state does not know. It would be impossible for small-time hackers to pull off big crypto heists without the state knowing about it.