Bitcoin

Attackers have created an elaborate scheme to distribute a cryptocurrency trading program that installs a backdoor on a victim's Mac or Windows PC.

Security researcher MalwareHunterTeam discovered a scheme where an attacker has created a fake company that is offering a free cryptocurrency trading platform called JMT Trader. When this program is installed, it will also infect a victim with a backdoor Trojan.

Tweet

The making of a crypto trading malware scheme

This scheme starts with a professionally designed web site where the attackers promote the JMT Trader program as shown below.

JMT Trader Web Site
JMT Trader Web Site

To help promote the site and program, they also created a Twitter account that is used to promote the fictitious company. This account is fairly dormant with its latest tweet being from June.

Twitter Account
Twitter Account

If you attempt to download the software, you will be brought to a GitHub repository where you can find Windows and Mac executables for the JMT Trader application. This page also contains the source code for the trading programs for those who want to compile it under Linux. This source code does not appear to be malicious.

JMT Trader GitHub Repository
JMT Trader GitHub Repository

A hidden backdoor

When a user installs the Windows or mac version, a program called JMT Trader will be installed that can be used to trade cryptocurrency at a variety of different exchanges. That's because this application and the above GitHub page is actually a clone of the legitimate QT Bitcoin Trader program that have been adopted for this malware operation.

JMT Trader Application
JMT Trader Application

When the JMT Trader is installed, though, the installer will also extract a secondary program called CrashReporter.exe and save it to the %AppData%\JMTTrader folder. This program is the malware component and acts as a backdoor. This malware currently has only 5/69 detections on VirusTotal.

CrashReporter.exe Backdoor
CrashReporter.exe Backdoor

A scheduled task called JMTCrashReporter will be created that launches the CrashReporter.exe every time a user logs into the computer.

Scheduled Task for CrashReporter
Scheduled Task for CrashReporter

According to reverse engineer and researcher Vitali Kremez, when the CrashReporter.exe executable is launched, it wil connect back to a Command & Control server at beastgoc[.]com to receive commands. These commands will then be executed by the backdoor.

Connecting to the C2 Server
Connecting to the C2 Server

It is not known if the malware drops any other payloads or is simply used as a backdoor to steal cryptocurrency wallets or exchange logins.

Windows users should also delete the %AppData%\JMTTrader\CrashReporter.exe if it is present as it is the main backdoor component.

Mac security researcher Patrick Wardle has also analyzed the Mac variant of the JMT Trader malware. While many of the details are the same for both the Windows and Mac versions, Mac users should read Wardle's article for more information that is specific to installs on macOS.

If any user installed this application, whether it be on a Mac or Windows, they should check their computer thoroughly for malware.

Victims should then change the passwords at any exchanges they have accounts.

Possible ties to the Lazarus APT group

When analyzing the scheme, MalwareHunterTeam noted that it had a strong resemblance to a previous crypto trading application malware operation named AppleJeus.

In 2018, during an incident response job, Kaspersky discovered that a cryptocurrency exchange was compromised when an employee downloaded a trojanized cryptocurrency trading application.

"Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT."

After further research, this attack was attributed to APT group named Lazarus with ties to North Korea.

While some details have changed, the methods between the JMT Trader scheme looks very similar to the AppleJeus operating seen by Kaspersky.  Both use legitimate cryptotrading applications that are promoted from professional sites and both have a secondary program which is the malware component.

While it is not 100% confirmed that JMT Trader is a Lazarus operation, Kaspersky GReAT Senior Security Researcher Seongsu Park feels that they may be related.

Seongsu Tweet

This goes to show you that you need to be careful when downloading programs off of the Internet as you never know what you will be getting.

Related Articles:

Crypto phishing service Inferno Drainer defrauds thousands of victims

npm packages caught serving TurkoRAT binaries that mimic NodeJS

GitHub reveals reason behind last week’s string of outages

Open-source Cobalt Strike port 'Geacon' used in macOS attacks

GitHub now auto-blocks token and API key leaks for all repos