Security researchers have uncovered a new remote-access trojan for sale on the dark web that’s attacking hardware to monitor trading and cryptocurrency-related activities.
The Zscaler ThreatLabZ team came across , called Saefko, which is written in .NET and has multiple functionalities. It belongs to the Remote Access Tool (RAT) family, enabling cybercriminals to take over accounts and automate fraud by opening a backdoor for remote control of the targeted computer.
Once the malware is installed on a device, fraudsters gain access to the victim's machine to steal credentials, monitor user behavior by logging keystrokes, activate the system's webcam, take screenshots, format drives, and more. In other words, the intruder can do just about anything on the targeted computer, researchers said.
The Zscaler ThreatLabZ team explains that RATs are usually downloaded when a user opens an email attachment or installs infected apps or games on their device.
Most alarming, though, is that Saefko employs a number of tactics to fetch the Chrome browser history, looking for specific types of activity, such as those involving credit cards, business, social media, gaming, .
Among other things, it searches for particular crypto websites that have been visited by the user and sends collected data to its server for further instructions. The malware also on the system to check if it’s worth compromising, and then uses a hidden updater tool to control infrastructure and initiate the process of stealing the cryptocurrency via a second-stage installation.
According to the researchers’ findings, the list of crypto sites it searches includes:
Saefko only installs itself if it thinks it will go undetected, and once one computer on a network is infected, the malware tries to infect other systems on that network to spread the infection.
The report goes on to say that cryptocurrency holders should be especially careful because it is almost impossible to .
“To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren’t from a trusted source. At the administrative level, it’s always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT,” it explains.