Malicious Malware Saefko Digs into Devices of Crypto Users

Security researchers have uncovered a new remote-access trojan for sale on the dark web that’s attacking hardware to monitor trading and cryptocurrency-related activities.
Zscaler ThreatLabZ team came across the malware, called Saefko, which is written in .NET and has multiple functionalities. It belongs to the Remote Access Tool (RAT) family, enabling cybercriminals to take over accounts and automate fraud by opening a backdoor for remote control of the targeted computer.

Once installed on the device, fraudsters easily gain access to victim machines to steal credentials, monitor user behavior by logging keystrokes, activate the system’s webcam, take screenshots, format drives, and more. In other words, the intruder can do just about anything on the targeted computer, researchers said.
Zscaler ThreatLabZ team explains that RATs are usually downloaded when a user opens an email attachment or installs infected apps or games on their device.
Most alarming, though, is that Saefko employs a number of tactics to fetch the Chrome browser history, looking for specific types of activities, such as those involving credit cards, business, social media, gaming, .
Among other things, it searches for particular crypto websites that have been visited by the user and sends collected data to its server for further instructions. The malware also on the system to check if it’s worth compromising, and then uses a hidden updater tool to control infrastructure and initiate the process of stealing the cryptocurrency via a second-stage installation.
According to the researchers’ findings, the list of crypto sites it searches includes:
Saefko only installs itself if it thinks it will go undetected, and after one computer on a network is infected, the malware will try to infect other systems on the same network.
The report goes on to say that cryptocurrency holders should be especially careful because it is almost impossible to .
“To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren’t from a trusted source. At the administrative level, it’s always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT,” it explains.
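As an added illustration of the "monitor outgoing traffic" advice above (this is example code written for this page, not part of the Zscaler report or any Saefko analysis): because the malware keeps its activity low, volume alone will not expose it, but a process that contacts the same host at near-regular intervals is a beaconing pattern a defender can look for. The log format, process names and the `c2.example.invalid` destination below are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one outbound connection per line:
# "<ISO timestamp> <process> <dst_host>:<dst_port>"
# updater.exe is a hypothetical process name; c2.example.invalid is a placeholder.
SAMPLE_LOG = """\
2019-08-01T10:00:00 chrome.exe news.example.org:443
2019-08-01T10:00:03 chrome.exe cdn.example.org:443
2019-08-01T10:00:04 updater.exe c2.example.invalid:8080
2019-08-01T10:05:04 updater.exe c2.example.invalid:8080
2019-08-01T10:10:05 updater.exe c2.example.invalid:8080
2019-08-01T10:15:04 updater.exe c2.example.invalid:8080
2019-08-01T10:20:05 updater.exe c2.example.invalid:8080
2019-08-01T10:07:41 chrome.exe cdn.example.org:443
2019-08-01T10:31:09 chrome.exe news.example.org:443
"""

def parse_log(text):
    """Yield (timestamp, process, destination) tuples from the constructed format."""
    for line in text.splitlines():
        ts, proc, dst = line.split()
        yield datetime.fromisoformat(ts), proc, dst

def find_beacons(text, min_events=4, max_jitter=0.15):
    """Return {(process, destination): mean_interval_seconds} for pairs whose
    inter-connection gaps are nearly constant (coefficient of variation
    <= max_jitter). Regularity, not traffic volume, is the signal here."""
    times = defaultdict(list)
    for ts, proc, dst in parse_log(text):
        times[(proc, dst)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:      # too few events to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for (proc, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {proc} -> {dst} every ~{period:.0f}s")
```

Browser traffic in the sample is irregular and sparse, so only the periodic updater.exe connections (about every 300 seconds) are reported; tune `min_events` and `max_jitter` to the noise level of real logs.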
