Watch out! This Trojan spoofs search results to steal cryptocurrency
What's the story
Researchers at Kaspersky Lab have flagged a new Trojan that tampers with browser extensions to steal cryptocurrency.
The malware installs malicious extensions or infects existing ones, then spoofs search results and crypto wallet addresses to trick users into sending their digital money to the attackers.
Most worryingly, the spoofed pages and addresses look legitimate to the victim, because the tampering happens inside the user's own browser.
Here's more about the Trojan.
Trojan details
'Razy' Trojan and its attack
The Trojan, dubbed 'Razy', comes in the form of an executable file that spreads through the internet, particularly via advertisements on websites and file-hosting services.
It poses as legitimate software but quietly disables the browser's security checks and update features so that its modifications survive.
It then either installs a malicious extension or infects already installed ones in browsers such as Firefox and Chrome.
Information
Infection technique varies for different browsers
Notably, the Trojan infects different browsers in different ways. On Chrome, it disables the browser's extension integrity check and modifies existing extensions (even pre-installed ones), while on Yandex Browser and Firefox it installs new malicious extensions.
Attack
After settling in, the Trojan tricks users
Once the browser is infected, Razy starts the work to steal money for its creators.
As part of this effort, the Trojan searches web pages for Bitcoin and Ethereum wallet addresses and replaces them with addresses controlled by the attackers.
It also modifies the pages of legitimate cryptocurrency websites, alters search results on Google and Yandex, and substitutes images of QR codes that point to the attackers' wallet addresses.
Added details
The goal is to redirect you to modified pages
For example, when you search for something related to cryptocurrencies or cryptocurrency exchanges on Google or Yandex, the results show links to infected or modified versions of crypto websites (such as EXMO and YoBit).
There, you find a fake message announcing 'new features' and offering cryptocurrency at better rates, designed to get you to transfer money into the attackers' account.
Information
Other renowned websites also spoofed
Notably, it is not just crypto websites that are spoofed. The Trojan also injects fake banners into Wikipedia, Telegram.org, and the Russian social network VKontakte (VK), offering users enticing deals to trick them into paying cryptocurrency into the attackers' account.
Prevention
How can you avoid attacks like these?
Such attacks look legitimate and can cost you real money, but a reputable, up-to-date anti-virus program will catch known variants of the Trojan.
As an additional line of defence, don't download unknown programs and games from the internet.
Free programs serve as bait to lure unsuspecting users, so be very careful while installing any unknown file: check the developer's details and, where one is available, the file's digital signature.
Because this Trojan alters the wallet address shown in your own browser, also verify a payment address through a second channel (the exchange's mobile app, or the recipient directly) before sending funds.