Security researchers known as MalwareHunterTeam have discovered a fraud scheme in which an attacker created a fake company that offers a free cryptocurrency trading platform called JMT Trader. When someone installs this program, it also installs a backdoor Trojan.

The scheme starts with a professionally designed website that promotes the JMT Trader program. To help promote the website and program, the cybercriminals also created a Twitter account for the fictitious company. This account appears to be dormant, with its last tweet dating from June 2019.

If someone attempts to download the software, they are taken to a GitHub repository that hosts both Windows and Mac executables for the JMT Trader application. The page also contains source code for those who want to compile it under Linux; this source code does not appear to be malicious. Using the JMT Trading platform, a user can create various exchange profiles and legitimately trade cryptocurrency, because the application and the GitHub page are simply clones of the legitimate QT Bitcoin Trader program that have been adapted to carry this malware.

When JMT Trader is installed, a secondary program called CrashReporter[.]exe is extracted; this is the malware component of the JMT Trader package. According to reverse engineer and researcher Vitali Kremez, when the executable is launched it connects back to the Command & Control (C2) server at beastgoc[.]com to receive commands, which the backdoor then executes. It is currently unknown whether this malware drops any further payloads or whether it is only used to steal cryptocurrency wallets and exchange logins.
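A defender-side hunt for the two indicators the write-up names, the dropped CrashReporter.exe and the beastgoc[.]com C2 domain, correlated per host. This is an added example, not code from the researchers or from Binary Defense; the JSON-lines telemetry layout and the sample events are constructed for illustration, and requiring "jmt" in the process path is an assumption made to separate this sample from the many benign programs that ship a file named CrashReporter.exe.

```python
import json
from collections import defaultdict

# Indicators named in the write-up above (defanging brackets removed for matching).
C2_DOMAIN = "beastgoc.com"
DROPPED_BINARY = "crashreporter.exe"
INSTALLER_HINT = "jmt"  # assumption: installer and install folder carry the "JMT Trader" branding

# Constructed sample telemetry in a simplified, hypothetical JSON-lines layout
# (not a real EDR/Sysmon schema): process-creation and DNS events keyed by host.
SAMPLE_EVENTS = r"""
{"host":"ws-101","type":"process","image":"C:\\Users\\a\\AppData\\Local\\JMTTrader\\CrashReporter.exe","parent":"C:\\Users\\a\\Downloads\\JMTTrader_Win.exe"}
{"host":"ws-101","type":"dns","query":"beastgoc.com"}
{"host":"ws-102","type":"process","image":"C:\\Program Files\\SomeEditor\\CrashReporter.exe","parent":"C:\\Program Files\\SomeEditor\\editor.exe"}
{"host":"ws-102","type":"dns","query":"github.com"}
{"host":"ws-103","type":"dns","query":"cdn.beastgoc.com."}
""".strip()

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def matches_c2(query):
    # Exact or subdomain match, tolerating trailing dots and mixed case in DNS logs.
    q = query.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)

def is_dropped_backdoor(image, parent):
    # CrashReporter.exe is a common name for benign crash handlers, so also require the
    # JMT Trader branding in the image or parent path (assumption, to cut false positives).
    image, parent = image.replace("\\", "/").lower(), parent.replace("\\", "/").lower()
    return image.rsplit("/", 1)[-1] == DROPPED_BINARY and (
        INSTALLER_HINT in image or INSTALLER_HINT in parent)

def hunt(events):
    """Map host -> list of indicator hits across process and DNS telemetry."""
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "process" and is_dropped_backdoor(ev["image"], ev.get("parent", "")):
            findings[ev["host"]].append("process: CrashReporter.exe from JMT Trader")
        elif ev["type"] == "dns" and matches_c2(ev["query"]):
            findings[ev["host"]].append("dns: C2 domain " + ev["query"])
    return dict(findings)

def confidence(hits):
    # Both the dropped binary and the C2 lookup on one host is the strongest signal.
    kinds = {h.split(":")[0] for h in hits}
    return "high" if kinds == {"process", "dns"} else "medium"

if __name__ == "__main__":
    for host, hits in sorted(hunt(parse_events(SAMPLE_EVENTS)).items()):
        print(host, confidence(hits), hits)
```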
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense