Microsoft recently reported on “cryware”, a class of information stealers that target non-custodial cryptocurrency wallets, also known as hot wallets.
What is Cryware?
Cryware is a type of information stealer targeting hot wallets. Hot wallets are non-custodial wallets whose keys are stored locally on an internet-connected device, typically as a browser extension or a desktop application. When a hot wallet is created, the user is given a private key, a seed phrase, a public key (the wallet address), and, in some wallet applications, an optional wallet password. The private key is required to access the hot wallet, authorize transactions, and send cryptocurrency to other wallets. The seed phrase, typically twelve to twenty-four words, is a human-readable mnemonic from which the private key is derived; anyone who obtains it can reconstruct the key. The public key, or an address derived from it, is the destination for funds sent to the user's wallet.
According to Microsoft, private keys, seed phrases, and wallet addresses follow recognizable patterns of words or characters (fixed lengths, restricted character sets, and known prefixes), which lets threat actors locate hot wallet data with regular expressions; cryware uses these patterns to automate the search. TTPs used to steal wallet data include clipping and switching, memory dumping, phishing, keylogging, and scams. Clipping and switching involves monitoring the victim's clipboard and using string search patterns to find content that resembles a hot wallet address; when one is found, the cryware replaces it in the clipboard with the threat actor's address, so that when the victim pastes (CTRL+V) the destination address into a transaction, the attacker's address is pasted instead. Memory dumping allows threat actors to dump a browser process's memory in an attempt to find plaintext private keys. Alternately, threat actors can target the wallet application's storage files, including web wallet files, desktop wallet files, and wallet passwords.
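As an added example (not code from the Microsoft report or from this article), the following Python shows the clipping-and-switching logic on constructed clipboard contents, together with the check a wallet user or a defensive tool would perform before confirming a transaction. The address regexes, the sample victim and attacker addresses, and the use of a plain string in place of the OS clipboard are all illustrative assumptions; the patterns match the general shape of Bitcoin and Ethereum addresses and do not verify checksums.

```python
import re

# Illustrative address patterns (assumptions for this example): real cryware
# and real detection tooling use patterns of this shape, but the exact
# expressions vary, and these do not validate base58check/bech32/EIP-55
# checksums, so treat a match as "looks like an address", not "is one".
ADDRESS_PATTERNS = {
    # P2PKH/P2SH: starts with 1 or 3, base58 alphabet (no 0, O, I, l)
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # bech32 (segwit): bc1 prefix, lowercase alphanumerics
    "btc_bech32": re.compile(r"\bbc1[a-z0-9]{39,59}\b"),
    # Ethereum: 0x followed by 40 hex digits
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed sample addresses (not real wallets).
VICTIM_ADDRESSES = {
    "btc_legacy": "1" + "A" * 33,
    "btc_bech32": "bc1q" + "x" * 38,
    "eth":        "0x" + "12" * 20,
}
ATTACKER_ADDRESSES = {
    "btc_legacy": "1" + "B" * 33,
    "btc_bech32": "bc1q" + "y" * 38,
    "eth":        "0x" + "ab" * 20,
}


def find_addresses(text):
    """Return (kind, address) pairs for every address-looking string in text.

    This is the same pattern search a clipper runs against the clipboard, and
    the one a defensive scanner can run against clipboard, files or memory."""
    return [(kind, m.group(0))
            for kind, pat in ADDRESS_PATTERNS.items()
            for m in pat.finditer(text)]


def clip_and_switch(clipboard_text, attacker_addresses):
    """What a clipper does to the clipboard: swap each detected address for the
    attacker's address of the same kind and leave everything else untouched,
    so the victim's next paste silently carries the attacker's address."""
    for kind, pat in ADDRESS_PATTERNS.items():
        if kind in attacker_addresses:
            clipboard_text = pat.sub(attacker_addresses[kind], clipboard_text)
    return clipboard_text


def paste_check(intended, pasted):
    """The user-side control: the pasted destination must equal the address the
    user meant to send to, character for character. Eyeballing only the first
    and last few characters is not enough; attackers can generate addresses
    whose prefix and suffix resemble the victim's."""
    return intended.strip() == pasted.strip()


if __name__ == "__main__":
    copied = "send 0.5 BTC to " + VICTIM_ADDRESSES["btc_legacy"]
    tampered = clip_and_switch(copied, ATTACKER_ADDRESSES)
    print("found in clipboard:", find_addresses(copied))
    print("copied:", copied)
    print("pasted:", tampered)
    pasted_addr = find_addresses(tampered)[0][1]
    print("pasted address matches intended:",
          paste_check(VICTIM_ADDRESSES["btc_legacy"], pasted_addr))
```

Running the script shows the copied text, the clipboard contents after the clipper has rewritten them, and the result of the exact-match check that would catch the swap before the transaction is signed.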
Threat actors are increasingly targeting hot wallets as their use becomes more prevalent. Threat actors can obtain access to hot wallets and transfer the victim’s cryptocurrency to their own wallets. Since blockchain transactions are irreversible, the victim has no way to recover their lost cryptocurrency. This can create a severe financial impact for the victim.
Microsoft offered the following recommendations to help prevent cryware attacks and other hot wallet attacks:
- Keep hot wallets locked when not trading
- Disconnect sites connected to the wallet when not trading
- Do not store private keys in plaintext
- Double-check wallet addresses and other values when copying and pasting information for a transaction
- Close the browser session after a transaction so the private key is no longer held in browser memory
- Use wallets offering MFA (multi-factor authentication)
- Vet all links to wallet websites and applications to avoid phishing schemes
- Show file extensions in the file manager (Windows hides known extensions by default) so the true type of a downloaded file can be checked
- Double-check transaction and approval details
- Do not share private keys or seed phrases
- Use a hardware wallet instead, which keeps private keys off the internet-connected device