Researchers have noticed that the Quant Trojan has been given a significant update designed to target cryptocurrency wallets and the Bitcoin they hold.
It isn’t that surprising that cyberattackers have taken note of the recent surge in value when it comes to Bitcoin. While other virtual currencies including Ethereum are increasing gradually in value, Bitcoin has exploded, reaching $12,600 at the time of writing.
There is the risk of a crash, according to some analysts, but this is no deterrent to criminals looking to cash in on other people’s funds.
The team has been keeping tabs on the Trojan, describing the malware last year as a distributor of the Locky Zepto ransomware and Pony malware families.
Available for purchase on Russian underground forums, Quant was advertised by a user called “MrRaiX,” or “DamRaiX,” and was a simple loader capable of geographical targeting and both downloading and executing .EXEs and DLLs.
However, in a blog post, Forcepoint researchers say that a range of new and concerning features have been added to this relatively basic malware.
After stumbling across an active Quant loader administration panel on a newly-registered domain, the team found that the newest samples of Quant all still point to the same payload files from a command-and-control (C&C) server, but new files have been enabled for download by default.
The new files are bs.dll.c, a cryptocurrency stealer and sql.dll.c, an SQLite library required for the third new file, zs.dll.c, a credential stealer.
Bs.dll.c, also known as MBS, is a library which scans a victim’s Application Data directory for supported wallets, extracts any data found and sends it to the attacker’s control server. However, this function only applies to Bitcoin, Terracoin, Peercoin, and Primecoin-supporting offline wallets.
The credentials stealer, dubbed Z*Stealer, is able to steal both application and operating system account information. Once a scan is completed, any credentials grabbed by the malware are then transferred to the C&C by an HTTP POST request to a PHP page on the server side.
Z*Stealer can be used to steal credentials from Wi-Fi networks, Chrome, Outlook Express, FTP software, and Thunderbird, among others.
While the two modules can be bought separately, the researchers speculate that by including them with the Quant loader, the creator is attempting to justify the price of Quant.
“These two modules are still sold separately: MBS can be bought separately for $100 for a full license and an additional $15 for every update while Z*Stealer would be $100 for a full license with free updates, or $55 for a base license and an additional $15 for every update,” Forcepoint says. “This is as compared to a recent advert offering five full Quant licenses for $275.”
The new Quant build also contains a lengthy sleep command in an attempt to avoid detection by antivirus software and analysis in sandbox environments.
“Targeting cryptocurrency wallets is not a particularly new innovation, and targeting ‘offline’ wallets is a relatively well-established way of attempting to steal ‘coins’,” the researchers added. “Interestingly, while the stated goal of the Z*Stealer module is more general password theft, this may stand a chance of better returns by stealing user credentials for online wallet providers and exchanges such as blockchain.info and Coinbase.”