For at least a week, a fraudulent copy of the Jaxx cryptocurrency wallet website served malicious downloads designed to trick users into revealing the backup phrase that protects their virtual funds.
The website, located at jaxx[.]ws, was using Cloudflare's content delivery network, probably to make its hosting provider more difficult to discover.
Security researchers from Flashpoint found it on August 30, after being alerted by a number of infections linked to the cybercriminal operation. However, the campaign may have started on August 19, which is the creation date of the attacker's domain.
Owned by Canadian blockchain startup Decentral, Jaxx is a popular cryptocurrency wallet that enjoys over 1.2 million downloads on both desktop and mobile platforms. It supports multiple types of coins, including Bitcoin and Ethereum.
Apart from registering a domain name that could be easily confused with the legitimate Jaxx website, jaxx[.]io, and using Cloudflare, the attackers also copied the original version line-by-line.
What is more, visitors to the spoofed Jaxx website had little reason to suspect the trickery "since the attackers went to the trouble of installing the legitimate wallet software onto victims' computers," Flashpoint explains in a report shared with BleepingComputer in advance.
At the same time, though, malware in the form of a Java Archive (JAR) for macOS and a .NET application for Windows was silently installed in the background. Users who requested the mobile version of the wallet received the legitimate file.
Flashpoint senior malware researcher Paul Burbage says that the malware for Windows could exfiltrate files to a command and control (C2) server, as well as download KPOT Stealer and Clipper, two malware pieces marketed on Russian underground forums.
Clipper's purpose is to monitor the clipboard for digital wallet addresses and to replace them with others controlled by the attacker. KPOT stealer vacuums information from the local drive.
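The Clipper behaviour described above (a wallet address in the clipboard silently replaced by an attacker-controlled one) can be spotted from the host side by watching clipboard history. The following is an added example, not code from the article or from Flashpoint: it runs that detection logic over constructed clipboard snapshots, treating a change from one address to a different address of the same coin type, within a short window and with no preceding user copy action, as suspicious. The event feed, address patterns and thresholds are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Syntactic patterns for the two coin types named in the article (Bitcoin legacy
# and bech32, Ethereum). No checksum validation; assumptions for this example.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipboardEvent:
    t: float          # seconds since monitoring started (assumed event feed)
    text: str         # clipboard contents after the change
    user_copy: bool   # True if a user copy action preceded this change

def classify(text):
    """Return the coin type of a clipboard string, or None if it is not an address."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

def detect_clipper_swaps(events, window=2.0):
    """Flag events where an address was replaced by a different address of the
    same coin type within `window` seconds and without a user copy action.
    Returns a list of (original, replacement, coin) tuples."""
    alerts = []
    prev = None
    for ev in events:
        coin = classify(ev.text)
        if prev is not None and coin is not None and not ev.user_copy:
            if (classify(prev.text) == coin
                    and prev.text.strip() != ev.text.strip()
                    and ev.t - prev.t <= window):
                alerts.append((prev.text.strip(), ev.text.strip(), coin))
        prev = ev
    return alerts

# Constructed sample: the user copies a Bitcoin address and 0.3 s later the
# clipboard changes to a different Bitcoin address with no user action.
# Later Ethereum copies are legitimate user actions and must not be flagged.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes", True),
    ClipboardEvent(5.0, "1DemoAddr" + "A" * 25, True),
    ClipboardEvent(5.3, "1Attacker" + "B" * 25, False),
    ClipboardEvent(20.0, "0x" + "a" * 40, True),
    ClipboardEvent(40.0, "0x" + "b" * 40, True),
]

if __name__ == "__main__":
    for orig, repl, coin in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"possible clipper: {coin} address {orig} replaced by {repl}")
```

On a real endpoint the event feed would come from a clipboard-change hook; the second Ethereum copy is a deliberate negative case showing that a user-initiated change is not an alert.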
The macOS JAR file pointed to a Russian perpetrator, too, as it was compiled with DevelNext, a Russian IDE (integrated development environment).
Burbage told BleepingComputer that Flashpoint was able to determine that the fraudulent site was hosted by the Russian VPS provider hostland[.]ru.
When users ran the JAR file, they saw a message informing them that technical problems prevented the creation of a new wallet.
Next, they were directed to an application screen that asked for the Jaxx wallet backup phrase. This is actually the password that decrypts the wallet to access the digital funds.
"The backup phrase is then exfiltrated to the attacker's web server while the victim receives another mixed Russian and English-language error message that states, 'Server is not available. Try again in 4 hours,'" Flashpoint says.
Windows users launching the .NET application get a file purporting to be a beta version of the Jaxx wallet from a Google Docs location.
After installation, the malware sends all the local TXT, DOC and XLS files to the C2 server, most likely for the attackers to search them for cryptocurrency wallet addresses.
The next stages in the operation are to download the legitimate Jaxx software, KPOT stealer and Clipper malware.
Flashpoint says that Cloudflare suspended its services to the spoofed website and that Jaxx support acted promptly against the fake website to protect its customer base.
In a conversation with BleepingComputer, Burbage pointed out that this was a social engineering campaign against Jaxx wallet users, and that nothing indicated a vulnerability or security lapse within the Jaxx software or its systems.