
Elaborate Crypto Trading Scheme

The security researchers known as MalwareHunterTeam have discovered a fraud scheme in which an attacker created a fake company that offers a free cryptocurrency trading platform called JMT Trader. When someone installs this program, it also installs a backdoor Trojan.

The scheme starts with a professionally designed website that promotes the JMT Trader program. To lend the website and program credibility, the cybercriminals also created a Twitter account for the fictitious company. That account appears to be dormant, with its last tweet dating from June 2019. Anyone who attempts to download the software is taken to a GitHub repository that hosts both Windows and Mac executables for the JMT Trader application. The repository also contains source code for those who want to compile the program under Linux; this source code does not appear to be malicious, which makes the project look legitimate to anyone who inspects it.

The trading functionality is real. Using JMT Trader, a user can create exchange profiles and trade cryptocurrency legitimately, because the application and its GitHub page are clones of the legitimate open-source QT Bitcoin Trader program, adapted to carry the malware. When JMT Trader is installed, a secondary program called CrashReporter[.]exe is extracted; this is the malicious component of the package. According to reverse engineer and researcher Vitali Kremez, when that executable is launched it connects back to a Command & Control (C2) server at beastgoc[.]com to receive commands, which the backdoor then executes. It is currently unknown whether this malware drops any additional payloads or whether it is used only to steal cryptocurrency wallets and exchange logins.
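The two indicators the write-up gives, the dropped CrashReporter[.]exe and the C2 domain beastgoc[.]com, are enough for a simple retrospective hunt. The script below is an added example, not code from the researchers or from the article; it refangs the defanged indicators, then scans DNS query logs and Sysmon-style process creation logs for them. The log line formats (`query=` and `Image=` key/value fields) and the sample records are constructed for this example and are not taken from any real incident.

```python
"""Hunt DNS and process-creation logs for the JMT Trader indicators above.

Indicators come from the write-up; log formats and sample lines are assumed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators as published (defanged). refang() makes them matchable.
C2_DOMAINS_DEFANGED = ["beastgoc[.]com"]
DROPPED_FILENAMES = ["CrashReporter.exe"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.] / hxxp) back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def defang(indicator: str) -> str:
    """Defang a domain or URL so it is safe to paste into a report."""
    return indicator.replace(".", "[.]").replace("http", "hxxp")


@dataclass
class Hit:
    line_no: int
    indicator: str  # defanged form, ready for reporting
    kind: str       # "c2_domain" or "dropped_file"
    raw: str


def _domain_matches(query: str, domain: str) -> bool:
    """True if query is the C2 domain or a subdomain of it (case-insensitive).

    A trailing dot (FQDN form) is tolerated; look-alike names such as
    notbeastgoc.com do not match because the comparison is label-aligned.
    """
    q = query.lower().rstrip(".")
    d = domain.lower()
    return q == d or q.endswith("." + d)


# Assumed log shapes (constructed for this example):
#   DNS : "<ts> dns client=<ip> query=<name> type=A"
#   Proc: "<ts> sysmon EventID=1 Image=<path> ParentImage=<path>"
DNS_RE = re.compile(r"\bquery=(?P<name>[A-Za-z0-9.-]+)")
# \bImage= will not match inside "ParentImage="; the lazy match plus the
# lookahead lets the path contain spaces (e.g. "JMT Trader.exe").
PROC_RE = re.compile(r"\bImage=(?P<image>.+?)(?=\s+\w+=|$)")


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Return every line that references the C2 domain or the dropped file."""
    hits: List[Hit] = []
    c2_domains = [refang(d) for d in C2_DOMAINS_DEFANGED]
    for n, line in enumerate(lines, start=1):
        m = DNS_RE.search(line)
        if m:
            for d in c2_domains:
                if _domain_matches(m.group("name"), d):
                    hits.append(Hit(n, defang(d), "c2_domain", line))
        m = PROC_RE.search(line)
        if m:
            # Normalise Windows separators and keep only the file name.
            image = m.group("image").replace("\\", "/").rsplit("/", 1)[-1]
            for f in DROPPED_FILENAMES:
                if image.lower() == f.lower():
                    hits.append(Hit(n, f, "dropped_file", line))
    return hits


# Constructed sample records; not from a real incident.
SAMPLE_LOGS = [
    "2019-10-11T14:02:01Z dns client=10.0.0.21 query=github.com type=A",
    "2019-10-11T14:02:07Z sysmon EventID=1 Image=C:\\Users\\ann\\Downloads\\JMT Trader.exe ParentImage=C:\\Windows\\explorer.exe",
    "2019-10-11T14:02:09Z sysmon EventID=1 Image=C:\\Users\\ann\\AppData\\Local\\Temp\\CrashReporter.exe ParentImage=C:\\Users\\ann\\Downloads\\JMT Trader.exe",
    "2019-10-11T14:02:12Z dns client=10.0.0.21 query=beastgoc.com type=A",
    "2019-10-11T14:02:13Z dns client=10.0.0.21 query=WWW.BEASTGOC.COM. type=A",
    "2019-10-11T14:02:20Z dns client=10.0.0.21 query=notbeastgoc.com type=A",
    "2019-10-11T14:05:00Z sysmon EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
```

Running the block on the constructed records flags the CrashReporter.exe process creation and both DNS lookups of the C2 domain (including the upper-case, subdomain form), while the look-alike notbeastgoc.com and the benign lines are ignored. In a real hunt, the process-creation hit is the stronger signal when its parent is the JMT Trader installer, since a file named CrashReporter.exe is not unusual on its own.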

Analyst Notes

Anyone who wishes to begin cryptocurrency trading should research several trading platforms and choose one that suits their needs. Most legitimate trading platforms charge some sort of fee, which is what funds the service they provide. The old adage "if it seems too good to be true, then it is" applies to any program offered on the internet, and a "free" tool that turns out to be a renamed copy of an existing open-source project, as JMT Trader is of QT Bitcoin Trader, is a clear warning sign. Cybercriminals will continue to offer attractive-looking deals to entice people into downloading their malicious programs.

Stealing cryptocurrency remains a major source of illicit income for criminals around the world. Owners of digital funds should not only be wary of installing cryptocurrency trading platforms, but should also protect the private keys, passwords, and other credentials needed to trade and sell their digital currency. Many malware programs include a keylogger component that captures keystrokes to steal passwords as they are typed. The best practice is to handle all digital currency trading on a separate computer that is not used for checking email, general web browsing, or running other programs downloaded from the internet.