PennyWise is designed to collect data from 30 crypto wallets and crypto browser extensions, among others Stealing information.
Security researchers at Cyble Research Labs, a cyberintelligence and security company, point to a new strain of crypto-malware , called PennyWise. Accordingly, the PennyWise malware was only recently developed and is already emerging as a “emerging threat”. In a blog post, Cyble warns that scammers are spreading PennyWise around the world as free bitcoin mining software. According to Cyble, the attacker had by . June up to 34 videos on his YouTube channel containing the link to download the malware. However, the identified channel has since been removed.
Cyble Research Labs warns against PennyWise
People looking for bitcoin mining software on YouTube should be extra careful not to fall victim to PennyWise malware. Researchers from Cyble Research Labs recently found more than 80 videos that can be traced back to the same user. The videos appear to be demonstrating how bitcoin mining software works to convince viewers to download it.
The download link posted leads to a password protected zipped archive. In order to appear legitimate, the downloaded archive includes a link to VirusTotal, which reports the file as “clean”. Cyble Research Labs assures that the file classified as clean has nothing to do with the file available for download. The scammers just want to trick users into disabling their antivirus for successful malware execution.
Cyble Research Labs security researchers found:
“PennyWise is an up and coming stealer that has already made a name for itself. We’ve already seen several samples of Pennywise, suggesting threat actors may already be using it. In its current iteration, this stealer can access over 30 browsers and cryptocurrency applications like cold crypto wallets, crypto browser extensions, etc ..”
The stealer aims at the the following browser
- About 30 Chrome-based browsers
- 5+ Mozilla-based browsers
Once the browser path is obtained, the malware retrieves the username, computer name, system language and time zone details from the victim’s system. In this case, the malware converts the time zone to Russian Standard Time (RST), runs Cyble Research Labs.
PennyWise can also take screenshots and steal sessions from chat platforms such as Telegram and Discord. In addition, the malware scans the device for potential cryptocurrency wallets, cold storage wallet data, and crypto-related browser add-ons. The malware is designed to steal data from crypto wallets and further from crypto browser extensions. As reported by the security researchers, the malware “only steals files smaller than 09 are KB and have RTF, Doc, Docx, txt and JSON extensions, which are then stored in a folder called “grabber”. Once PennyWise has collected all the information, the malware compresses it into a single file, which it sends to a server under the attackers’ control.
PennyWise is also able to analyze the environment. If the malware detects that it is in a sandbox or that an analysis tool is running on the device, it immediately stops all actions. The researchers discovered that the malware also stops all operations completely when it detects that the victim’s endpoint is in either Russia, Ukraine, Belarus or Kazakhstan. Cyble Research Labs interpreted the fact as follows:
“This may indicate that the perpetrators are trying to to avoid scrutiny by law enforcement agencies in those particular countries.”
Cyble Research Labs Safety Recommendations
Avoid downloading pirated software from unverified sites.
Update your passwords at regular intervals.
Use a reputable antivirus and internet security software package on your connected devices including PC, laptop and mobile phone.
Refrain from opening untrustworthy links and email attachments without to check their authenticity beforehand.
Block URLs that could be used to spread the malware, e.g. B.Torrent/Warez.
Monitor the beacon at network level to block data exfiltration by malware or TAs.
Enable Data Loss Prevention (DLP) solutions on employees’ systems.