This New Malware Is Hitting Exchange Servers To Steal Info


To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s App Store. Developers of popular apps often have a web site that directs users to the genuine app, and users should verify that the app was published by its genuine developer. We also advise users to consider installing an antivirus app on their mobile device, such as Sophos Intercept X for Mobile, which defends the device and its data from such threats. Recently, we were tipped off to a fraudulent mobile trading application that masqueraded as one tied to a well-known Asia-based trading company. As we investigated, we uncovered several other counterfeit versions of popular cryptocurrency trading, stock trading and banking apps on iOS and Android, all designed to steal from those fooled into using them. Researcher Marcus Hutchins, also known as “MalwareTech,” tweeted about Black Kingdom in a Twitter thread on Sunday, reporting that an unnamed threat actor ran a script “on all vulnerable Exchange servers” that didn’t actually encrypt files. Instead, it dropped a ransom note in every directory demanding $10,000 in bitcoin, which was likely intended to scare users into believing their data had been encrypted and stolen.


The CelasTradePro MSI contains “CelasTradePro.exe,” the modified version of QT Bitcoin Trader, as well as the additional “Updater.exe” executable not included with the original QT Bitcoin Trader. Multiple versions of AppleJeus malware have been discovered since its initial discovery in August 2018. In most versions, the malware appears to come from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate. Our 2020 Midyear Security Roundup delves into the pertinent challenges faced amid a pandemic, including Covid-19-related threats and targeted ransomware attacks. Read more as we share how to secure systems in this increasingly precarious landscape. However, cryptocurrency-mining malware is not the only type of cryptocurrency-related threat: cybercriminals have resorted to using various tools and techniques designed to scam cryptocurrency exchange users, pilfer their funds, or steal their personal information. No, the attacks on Exchange Server do not seem to be related to the SolarWinds threat, to which former Secretary of State Mike Pompeo said Russia was probably connected. Still, the disclosure comes less than three months after U.S. government agencies and companies said they had found malicious content in updates to Orion software from information-technology company SolarWinds in their networks.

Why Did Satoshi Nakamoto Choose 21m As Bitcoins Maximum Supply?

Even if the intent was good – in short, helping to protect the businesses by removing the access of cyber attackers, and authorised by the courts – this is a significant step by law enforcement. In February, the non-profit IOTA Foundation, the developers of IOTA cryptocurrency, was forced to temporarily close down its entire network following the “Trinity” cyberattack, in which an unknown party exploited a vulnerability in the IOTA wallet app. Within 25 minutes of reports that funds were being stolen from user wallets, the organization froze the entire system. With more and more malicious actors piling in on the ProxyLogon vulnerabilities, the arrival of ransomware gangs was only a matter of time, and many observers had already predicted this would happen. A translated and redacted receipt recovered from files on the open directory of the fake app server. We believe the ID details could have been used by the crooks to legitimize financial transactions and receipts as confirmation of the deposits from the victims. We also found several profile pictures of attractive people likely used for creating fake dating profiles, which suggests that dating could have been used as bait to lure victims. Some of the fake trading apps we looked at had an interface with trading updates, wallets, fund and cryptocurrency deposit and withdrawal features that appeared to function just like their legitimate counterparts. The main difference, however, was that any transaction went into the pockets of the crooks instead. If the user completes the process of installing and launching the app, the user is asked to create an account, and in some cases the app requests an invitation code, possibly to restrict app access to those who were intentionally targeted. But some of these services are easily abused by malicious app developers.


Until that happens with Sodinokibi — and with no reason to doubt that new actors will rise next — defenders should continue to focus on security and employee awareness to limit the potential for these types of attacks. On top of these popular ransomware tactics, techniques and procedures, check out the annex at the end of this blog post for additional cues. Sodinokibi operators may steal data in advance and then resort to extortion tactics that exceed the capabilities of the malware itself. Those who refuse to pay up, relying on their ability to recover data, will then receive threats to have that data exposed on an auction site the group calls The Happy Blog. That’s also where it names and shames its victims, offering up information that could be of use to other criminals or even competitors. It likes big game hunting, it enjoys deploying Cobalt Strike and it dabbles in critical vulnerability abuse. It’s known as Sodinokibi/REvil, a ransomware strain that emerged in 2019 as the heir to the GandCrab ransomware, a malware family that supposedly retired from the cyber crime arena in mid-2019 after reportedly amassing illicit profits of over $2 billion. Real-time last sale data for U.S. stock quotes reflect trades reported through Nasdaq only. Intraday data delayed at least 15 minutes or per exchange requirements.

Mitigating The Impact Of Cryptocurrency Threats

Traders will return to the exchange’s open-outcry floor, known as “the Ring,” in September, after its plan to permanently close the pit drew a backlash. The exchange will instead use a hybrid process of people and electronic trading to establish opening and closing prices each day. The Justice Department said yesterday that it had traced and seized much of the ransom that a major U.S. pipeline operator paid to a Russian hacking collective last month. The ransomware attack shut down the Colonial Pipeline for about a week, prompting fuel shortages and price spikes, until the company paid hackers more than $4 million worth of Bitcoin. But federal officials said that a new F.B.I. task force had recaptured most of the Bitcoins by, in essence, hacking the hackers. Bisq recommends that users check trade information under the ‘open trades’ category in user accounts, and if necessary, problems with locked-in funds can be reported to mediation.

The proprietary TradeStation platform is offered by TradeStation Securities for Equities and Futures trading. The U.S. Government has identified malware and indicators of compromise used by the North Korean government to facilitate cryptocurrency thefts; the cybersecurity community refers to this activity as “AppleJeus.” This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate.

When the victim copies a cryptocurrency address to send tokens, the trojan will swap the wallet ID that was copied for its own malicious wallet address in payment fields. Therefore, pay careful attention to the cryptocurrency address you are sending your cryptos to. This is installed on your desktop computer and gives you access to and control over your wallet. This wallet is only accessible from the computer on which it is installed and offers a high level of security. Well, I’m very versatile when it comes to security research, and I’ve done various things, including code reviews, Open-source Intelligence and dissecting remote-control apps for cars. In recent years, I’ve been more focused on fintech technologies, particularly stock trading applications. More than two years have passed, and we’ve reached out to Alejandro to glean insights into just how secure your trading experience might ultimately be.

Regularly monitor your social media preferences and privacy settings. In general, it is advisable to avoid using public devices when accessing your account, as such devices may have been infected by a virus or other malware that could pose a risk. Treat your API keys as the private key of your cryptocurrency wallet. Namely, don’t store them on your hard drive and do not disclose them to anyone. If your API keys get into someone else’s hands – your money is as good as stolen.


As we investigated the fraudulent Goldenway app, we discovered that the scheme was much more wide-ranging. We found hundreds of fake trading apps being pushed through the same infrastructure, each disguised to look like the official trading app of a different financial organization. The scammers befriended the victim and shifted communications to a messaging app, avoiding requests for face-to-face meetings by citing the Covid-19 pandemic.

Earlier in the month, several zero-day vulnerabilities were detected in Microsoft’s popular Exchange mail server service for enterprises. A court in Texas has authorized the FBI to fix malware in hundreds of hacked servers in the U.S. running certain versions of Microsoft Exchange Server software. The Microsoft Threat Intelligence Center is attributing the campaign to Hafnium, a state-sponsored hacking group based in China that conducts its operations primarily from leased virtual private servers in the United States. Hafnium targets U.S.-based infectious disease researchers, policy think tanks, higher education institutions, law firms, defense contractors and NGOs in hopes of exfiltrating information. Chinese state-sponsored hackers have attacked on-premises versions of Microsoft Exchange Server using zero-day exploits in an effort to obtain long-term access to victim environments.

Updater then uses dedicated QT classes to get system information including host name, OS type and version, system architecture, and OS kernel type and version. The QT Framework is a cross-platform toolkit designed for creating multi-platform applications with native Graphical User Interfaces for each platform. As the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script then launches the Updater program with the CheckUpdate parameter and runs it in the background (&). After collecting this information, “Updater.exe” encrypts the data with the hard-coded XOR key “Moz&Wie;#t/6T! 2y,” prepends the encrypted data with “GIF89a” and sends the data to “” The Department of Homeland Security does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. At first glance, the webpage on the left side seems legitimate and even supports HTTPS; closer inspection will reveal that the domain is spelled with an “õ” instead of an “o”.

After all, it even contains a valid digital signature, which belongs to the same vendor. To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS. The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and will install the following two programs.

  • For example, in the case of Coinbit, the exchange is accused of using multiple “ghost accounts” to inflate trading volume.
  • While the CelasTradePro application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader for Windows is not available for download as an MSI, but only as a Windows portable executable.
  • Among other things, attackers installed and used software to take email data, Microsoft said.

Innocent people tend to put trust in things that are presented by someone they think they know. And since these fake applications impersonate well-known apps from all over the world, the fraud is that much more believable. If something seems too good to be true, such as promised high returns on investments, or professional-looking dating profiles asking you to transfer money or crypto assets, it’s likely a scam. When asked to deposit money, we were given details of the recipient bank accounts based in Hong Kong. This looked like an individual account to which money was to be transferred using wire transfer. The bank details were different at various times, though all were based in Hong Kong.

According to Microsoft, the vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time. It is the extreme modularity of the malware’s design that makes it a significant threat worth paying close attention to. Cybereason found more than 50 different command and control servers in the wild, each running a different strain of the software, and each with wildly different capabilities. Most of the victims are small and mid-size corporate companies around the world. Microsoft said Hafnium waged “limited and targeted attacks” by working through leased virtual private servers. The software was accessed through stolen passwords or other vulnerabilities, and malware was installed in an attempt to gain data.


Consider the following recommendations for defense against AppleJeus malware and related activity. Ensure all software and hardware is up to date, and all patches have been installed. Ensure your anti-virus software is set up to download the latest signatures daily. Form all transactions offline and then broadcast them to the network all at once in a short online session, ideally prior to the attacker accessing them. As of late 2020, the Windows program was not available on VirusTotal.

That’s separate from whether or not the online instance itself was vulnerable (I can imagine the implementation / infrastructure using more readonly file systems in a way that would mitigate pieces). But then again, I suspect you’d also be complaining about “Microsoft’s negligence” if they pushed out software updates/patches with little testing as quickly as they could that managed to crash/trash/brick business Exchange servers across the world. Open source software is no more secure than closed source software.

Dan (March 10, 2021): Every software is Swiss cheese if an attacker is given enough time to look at it and find flaws. Microsoft is targeted heavily because they are used predominantly in the marketplace and attackers know it is a good place to focus their efforts.

Jason (March 8, 2021): Why didn’t Microsoft alert customers to a vulnerability once it was known that it was actively being exploited? No details needed to be released that would further enable attackers, but organizations should be made aware so they can decide to mitigate risk until a patch is available, or at least plan to patch as soon as one is available.

Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. In recent months, in addition to banks, the group focused on various cryptocurrency exchanges.

Interestingly, I found that trading applications developed by an unnamed financial institution are less secure than the banking applications developed by another group of developers within the same company. I have no evidence or figures regarding the number of users moving from desktop to mobile. However, the good news about it is that, in my opinion, modern mobile OSes are pretty secure nowadays, and it’s harder to attack a mobile device than a typical computer running Windows. Mobile trading apps have significantly improved over the years, and I see updates from the brokerages in the app store very often, including those that improved security.


“It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server,” writes Sophos principal researcher Andrew Brandt. Cybersecurity researchers have witnessed a never-seen-before strain of Windows ransomware that was able to compromise an unpatched Microsoft Exchange email server and make its way into the networks of a US-based hospitality business.

DanG (March 19, 2021): Microsoft switched years ago from actually having professionals test their code to an artificial-intelligence-based approach. It has done wonders for their stock price, but QC went out the window years ago.

Kevin (March 10, 2021): The update in Volexity’s article pointed out that the attack occurred on January 3, earlier than DEVCORE reported to Microsoft. I agree that a honeypot is one of the most possible causes of exploit leakage, provided that DEVCORE is not the attacker nor the source of the data leakage.

timeless (March 10, 2021): At a certain point the easiest way to figure these attacks out is to leave a honeypot online and watch someone attack it.
