[Image: Bitcoin sitting on motherboard. DarekHelit/Shutterstock (Licensed)]

This shady new malware is robbing people with bitcoins

A new IBM report details a sophisticated malware attack targeting users of cryptocurrency exchanges.


Ben Dickson


Posted on Feb 15, 2018   Updated on May 22, 2021, 12:49 am CDT

The rise in value and popularity of cryptocurrencies continues to draw the attention of cybercriminals old and new who want to make a quick buck off unsuspecting users and organizations. In its latest findings, X-Force, IBM’s cybersecurity and threat analysis unit, found that TrickBot, a banking Trojan that previously focused on banks and credit providers, has found a new target: cryptocurrency exchanges.

In its study of the malware’s code, the X-Force researchers discovered that TrickBot uses sophisticated tricks (hence the name) to steal account credentials from infected users and to redirect the coins they purchase to Bitcoin addresses controlled by its operators, in a way that is hard for the victim to notice.

How does it work?

TrickBot has to be installed on a target computer before it can steal cryptocurrency, which can happen if a user visits a malicious website or falls victim to a phishing scam. Once installed, the malware hooks the infected computer’s browser so that it can read and rewrite the content exchanged with cryptocurrency exchange websites, a technique known as a man-in-the-browser (MitB) attack.

MitB is a favored technique of banking Trojans and is especially dangerous because it operates inside the browser: it sees requests before they are encrypted and responses after they are decrypted, so the TLS encryption and the server-side security measures that most online financial services rely on are never actually engaged. The exchange receives a well-formed request over a legitimately authenticated session.

According to the X-Force report, TrickBot sits in the infected computer’s browser and waits for the user to visit one of the targeted cryptocurrency exchanges before activating. The targets are amateur and professional investors who buy cryptocurrency from exchanges such as the U.S.-based Coinbase and the Luxembourg-based Blockchain.

As victims enter their credentials into the website of the Bitcoin exchange, TrickBot sends a copy of the information to the servers of the hacking group controlling it. “This is probably done to allow a future account takeover attack which will enable the fraudsters to perform a purchase/coin transfer from a machine they control, using the legitimate user’s wallet credentials and payment card details,” the report states.

Stealing bitcoins

The real “trick” that TrickBot performs is stealing bitcoins.

When users want to purchase bitcoins from targeted exchanges, they enter their requested amount and wallet address. They are then redirected to the payment gateway of their bank or credit provider, where they submit their billing information and complete the purchase.

According to X-Force’s findings, TrickBot rewrites a single parameter in the request the browser sends: the destination address to which the purchased bitcoins will be delivered. Because the rewrite happens inside the browser, before the request is encrypted, the page the user is looking at still shows the address they typed.

When the user completes the purchase, the funds are redirected to the address of TrickBot’s owners instead of the purchaser. “The victim will be charged by credit card and believe the deal was successful, expecting to see the new coins in their wallet. The Bitcoin will never reach the designated wallet but will instead be delivered to one of TrickBot’s operators’ wallets,” the report states.

What can you do to protect yourself?

TrickBot isn’t the first malware to swap Bitcoin addresses. CryptoShuffler, another Bitcoin-stealing malware discovered in 2017, replaced Bitcoin addresses copied to the infected computer’s clipboard with one belonging to its operator, so that when the user pasted the address into a wallet application the payment went to the malware’s owner.

A wary user could catch CryptoShuffler’s trick by comparing the pasted address with the original source (or by scanning a QR code instead of pasting) before confirming the payment. That check does not work against TrickBot, because the page continues to display the address the user typed while the request that leaves the browser carries a different one. IBM’s researchers were only able to observe the swap by inspecting the browser’s outgoing traffic with packet-capture tools such as Wireshark and by reverse-engineering the malware’s code.
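The address swap described under “Stealing bitcoins” and the capture-based detection described here, modelled as an added example (this is illustrative code written for this article, not TrickBot’s code or IBM’s tooling). It assumes a hypothetical exchange endpoint (exchange.example, POST /buy) with form fields named amount and destination; the request is shown in plaintext, as it would appear after the capture has been decrypted with a TLS-intercepting proxy or a Wireshark session fed with the browser’s SSLKEYLOGFILE. The two wallet addresses are constructed sample data: the Bitcoin genesis-block address stands in for the victim’s wallet and a well-known example address for the operator’s. The Base58Check validator is included because a well-formed address is exactly what an analyst sees in the tampered request, and validity alone reveals nothing wrong.

```python
"""Added illustration: a man-in-the-browser address swap modelled in code, and the
capture-side check that reveals it. Not TrickBot's code; the exchange host, path
and parameter names are assumptions made for this example."""
import hashlib
from urllib.parse import parse_qs, urlencode

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample data for this example: the Bitcoin genesis-block address
# stands in for the victim's wallet, a well-known example address for an
# operator-controlled wallet.
INTENDED_WALLET = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
OPERATOR_WALLET = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check validation for legacy addresses (version 0x00 '1...' or 0x05 '3...').

    Confirms that a string is a spendable address, nothing more: the operator's
    address passes this check just as well as the victim's.
    """
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # each leading '1' encodes one leading zero byte that the integer form drops
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def build_purchase_request(amount_btc: str, destination: str) -> str:
    """The request an untampered browser would send for the purchase form
    (hypothetical exchange.example endpoint and field names)."""
    body = urlencode({"amount": amount_btc, "destination": destination})
    return (
        "POST /buy HTTP/1.1\r\n"
        "Host: exchange.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


def mitb_webinject(request: str, operator_wallet: str) -> str:
    """Toy model of the in-browser rewrite: the page the user saw is untouched,
    only the serialised request is changed before it reaches TLS.
    Content-Length is fixed up so the server sees a well-formed request."""
    head, sep, body = request.partition("\r\n\r\n")
    params = {k: v[0] for k, v in parse_qs(body).items()}
    params["destination"] = operator_wallet
    new_body = urlencode(params)
    new_head = "\r\n".join(
        f"Content-Length: {len(new_body)}"
        if line.lower().startswith("content-length:") else line
        for line in head.split("\r\n")
    )
    return new_head + sep + new_body


def analyze_capture(raw_request: str, intended_destination: str) -> dict:
    """Capture-side check: compare the address the user meant to use with the one
    in the decrypted request (from a TLS-intercepting proxy or a Wireshark
    session fed with the browser's SSLKEYLOGFILE)."""
    _, _, body = raw_request.partition("\r\n\r\n")
    on_wire = parse_qs(body).get("destination", [""])[0]
    return {
        "intended": intended_destination,
        "on_wire": on_wire,
        "tampered": on_wire != intended_destination,
        "on_wire_wellformed": is_valid_btc_address(on_wire),
    }


if __name__ == "__main__":
    clean = build_purchase_request("0.05", INTENDED_WALLET)
    print("clean  :", analyze_capture(clean, INTENDED_WALLET))
    hooked = mitb_webinject(clean, OPERATOR_WALLET)
    print("hooked :", analyze_capture(hooked, INTENDED_WALLET))
```

Running the script prints the analysis of the clean request (tampered False) and of the hooked one (tampered True, on_wire equal to the operator’s address). The Content-Length fix-up in mitb_webinject is the detail that makes the point: the server receives a perfectly well-formed request and has no way of knowing the field was rewritten, which is why the comparison has to be made against what the user intended, from outside the infected browser.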

“As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see many more campaigns targeting the various platforms and service providers in the cryptocurrency sector,” X-Force’s report says.

Users’ best defense against TrickBot is to stick to the basic principles of cybersecurity, which include the following:

  • Install browser and software security updates as soon as possible
  • Install an antivirus and keep it up to date at all times
  • Enable two-factor authentication on your cryptocurrency accounts. This limits what attackers can do with the credentials TrickBot steals, but note that it does not stop the address swap itself, which is made from the victim’s own logged-in session.
  • After a purchase, check the recorded destination address from a second, clean device (for example the exchange’s mobile app) and compare it with the address in your own wallet. A man-in-the-browser can rewrite what the infected browser displays, but not what a separate device shows.

You can also read Daily Dot’s guidelines on protecting your bitcoins against theft and malware.

Ben Dickson is a software engineer and the founder of TechTalks. Follow his tweets at @bendee983 and his updates on Facebook.

*First Published: Feb 15, 2018, 9:53 am CST