Background
Microsoft recently reported on “cryware”, information stealers that target non-custodial cryptocurrency wallets, or hot wallets.
What is Cryware?
Cryware is a type of information stealer targeting hot wallets. Hot wallets are stored locally on a device. When a hot wallet is created, a user is given a private key, a seed phrase, a public key, and an optional wallet password. The private key is required to access the hot wallet, authorize transactions, and send cryptocurrency to other wallets. The seed phrase, typically containing twelve to fourteen words, is a mnemonic phrase used to represent the private key. The public key is the destination address for a user’s wallet. Some wallet applications also offer a wallet password option.
According to Microsoft, private keys, seed phrases, and wallet addresses follow recognizable patterns of words or characters, which allows threat actors to use regular expressions to locate hot wallet data. Cryware uses these patterns to automate the process. Tactics, techniques, and procedures (TTPs) used to steal wallet data include clipping and switching, memory dumping, phishing, keylogging, and scams. Clipping and switching involves monitoring a victim's clipboard contents and using string search patterns to find a string resembling a hot wallet address. If the victim uses the keyboard shortcut CTRL+V to paste the address, the cryware replaces it with the threat actor’s wallet address. Memory dumping allows threat actors to dump a browser’s memory in an attempt to discover plaintext private keys. Alternatively, threat actors can target the wallet application’s storage files. These include web wallet files, desktop wallet files, and wallet passwords.
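As an added illustration (not code from the Microsoft report or from PolySwarm), the following defender-side check models the clipping-and-switching behaviour described above: it compares every paste of an address-shaped string against what the user most recently copied and flags any mismatch. The address regexes and the clipboard event log are assumed, simplified shapes constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Assumed, simplified address shapes (Ethereum-style, Bitcoin legacy base58,
# Bitcoin bech32). The report names no concrete patterns; these are for illustration.
ADDRESS_PATTERNS = [
    re.compile(r"^0x[0-9a-fA-F]{40}$"),
    re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    re.compile(r"^bc1[a-z0-9]{39,59}$"),
]


def looks_like_wallet_address(text: str) -> bool:
    """True if the string has the shape of a hot wallet address."""
    text = text.strip()
    return any(p.match(text) for p in ADDRESS_PATTERNS)


def detect_clipboard_swaps(
    events: List[Tuple[str, str]],
) -> List[Tuple[Optional[str], str]]:
    """Return (last_copied, pasted) pairs where an address-shaped paste
    does not equal what the user last copied, i.e. the clipboard contents
    changed between the copy and the paste (the clipping-and-switching signal).

    events: ordered ("copy", text) / ("paste", text) records as a clipboard
    monitor would log them.
    """
    last_copied: Optional[str] = None
    swaps: List[Tuple[Optional[str], str]] = []
    for kind, text in events:
        if kind == "copy":
            last_copied = text.strip()
        elif kind == "paste":
            pasted = text.strip()
            if looks_like_wallet_address(pasted) and pasted != last_copied:
                swaps.append((last_copied, pasted))
    return swaps


# Constructed sample clipboard log: one benign paste, one swapped address,
# and one non-address paste that must be ignored.
SAMPLE_EVENTS = [
    ("copy", "0x" + "a" * 40),
    ("paste", "0x" + "a" * 40),
    ("copy", "0x" + "b" * 40),
    ("paste", "0x" + "c" * 40),
    ("copy", "meeting notes"),
    ("paste", "meeting notes"),
]

if __name__ == "__main__":
    for expected, observed in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap: copied {expected!r}, pasted {observed!r}")
```

A real monitor would feed live clipboard events into `detect_clipboard_swaps`; the same comparison is what a user does manually when verifying a pasted address against the one they intended to send to.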
Threat actors are increasingly targeting hot wallets as their use becomes more prevalent. Threat actors can obtain access to hot wallets and transfer the victim’s cryptocurrency to their own wallets. Since blockchain transactions are irreversible, the victim has no way to recover their lost cryptocurrency. This can create a severe financial impact for the victim.
Microsoft offered the following recommendations to help prevent cryware attacks and other hot wallet attacks: