Cyber Web Spider Blog – News

Huge Wave of Malicious Efimer Script Attacks Users via WordPress Sites, Malicious Torrents, and Email

Posted on August 9, 2025 by CWS

A sophisticated malware campaign dubbed “Efimer” has emerged as a significant threat to cryptocurrency users worldwide, employing a multi-vector approach that combines compromised WordPress websites, malicious torrents, and deceptive email campaigns.

First detected in October 2024, this ClipBanker-type Trojan has evolved from a simple cryptocurrency stealer into a comprehensive malicious infrastructure capable of self-propagation and widespread distribution.

The malware’s name derives from a comment found inside its decrypted script, and its primary objective centers on cryptocurrency theft through clipboard manipulation.

When users copy cryptocurrency wallet addresses, Efimer silently replaces them with attacker-controlled addresses, effectively hijacking transactions.

Beyond its core functionality, the malware demonstrates remarkable versatility by incorporating additional modules for WordPress website compromise, email address harvesting, and spam distribution.

Spam email (Source – Securelist)

Securelist analysts identified that Efimer has impacted over 5,000 users across multiple countries, with Brazil experiencing the highest concentration of attacks, affecting 1,476 users.

The malware’s reach extends across India, Spain, Russia, Italy, and Germany, indicating a global threat landscape.

What distinguishes Efimer from typical malware is its ability to establish a full malicious infrastructure, enabling sustained attacks and continuous expansion of its victim base.

The attack vectors demonstrate sophisticated social engineering techniques. Email campaigns impersonate lawyers from major companies, falsely claiming domain name trademark infringement and threatening legal action unless recipients change their domains.

These emails contain password-protected ZIP archives with names like “Demand_984175.zip” that hold malicious WSF files.

The p_timer variable (Source – Securelist)

Simultaneously, attackers compromise WordPress sites to publish fake movie torrents, notably targeting popular releases like “Sinners 2025,” which contain executable files masquerading as media players.

Technical Infection Mechanism and Persistence

The infection process begins when victims execute the malicious WSF or EXE files, triggering a complex multi-stage deployment.

The script’s operation cycle includes both the brute-force code and the handler for its core logic (Source – Securelist)

Upon execution, Efimer first checks for administrator privileges by attempting to write to a temporary file at C:\Windows\System32\wsf_admin_test.tmp.

If successful, the malware adds Windows Defender exclusions for the C:\Users\Public\controller folder and for system processes including cmd.exe and the WSF script itself.

The malware establishes persistence through different methods depending on user privileges. For privileged users, it creates a scheduled task using a controller.xml configuration file, while restricted users receive a registry entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\controller.

The core payload, controller.js, operates as the primary Trojan component, continuously monitoring clipboard contents every 500 milliseconds while implementing evasion techniques, including immediate termination if Task Manager is detected running.
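As an added defender-side example (not code from the original post, from Securelist, or from the malware itself), the following Python triages host telemetry for the persistence artefacts described above (the admin-probe file, the Defender exclusions, the Run-key value named “controller”, the controller.xml scheduled task) and separately flags a clipboard swap: a polled clipboard value that shows a different wallet address of the same type as the user’s last copy within one short window. The event records, the clipboard snapshots and the wallet addresses are constructed for illustration; the field names, the simplified address patterns and the 1000 ms window are assumptions.

```python
import re

# Indicators taken from the report above; matching is case-insensitive (see normalise()).
ADMIN_TEST_FILE = r"c:\windows\system32\wsf_admin_test.tmp"
EXCLUSION_DIR = r"c:\users\public\controller"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "controller"
TASK_XML = "controller.xml"

# Simplified wallet-address shapes (assumption: adequate for the demo, not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed sample host events in an assumed flat format, as a SIEM might hand them over.
SAMPLE_HOST_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\wsf_admin_test.tmp"},
    {"type": "defender_exclusion", "kind": "path", "value": r"C:\Users\Public\controller"},
    {"type": "defender_exclusion", "kind": "process", "value": "cmd.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "controller", "data": r"wscript.exe C:\Users\Public\controller\controller.js"},
    {"type": "task_create", "xml": r"C:\Users\Public\controller\controller.xml"},
    {"type": "file_create", "path": r"C:\Users\Public\Documents\notes.txt"},  # benign
]

# Constructed clipboard snapshots: (time_ms, source, text). Addresses are made-up strings
# of valid shape; "user_copy" is an explicit copy action, "poll" is a periodic read.
SAMPLE_CLIPBOARD = [
    (0, "user_copy", "0x" + "ab" * 20),
    (420, "poll", "0x" + "cd" * 20),        # different ETH address within one interval: swap
    (5000, "user_copy", "hello world"),
    (5300, "poll", "hello world"),
    (9000, "user_copy", "bc1q" + "z" * 30),
    (9400, "poll", "bc1q" + "z" * 30),      # unchanged: legitimate
]


def normalise(path: str) -> str:
    """Lower-case a Windows path and unify separators so indicator comparison is exact."""
    return path.replace("/", "\\").strip().lower()


def address_type(text: str):
    """Return 'btc', 'eth' or None for the given clipboard text."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def check_host_event(ev: dict):
    """Return a finding string if the event matches one of the persistence artefacts."""
    t = ev.get("type")
    if t == "file_create" and normalise(ev["path"]) == ADMIN_TEST_FILE:
        return "admin-privilege probe file written"
    if t == "defender_exclusion":
        if ev.get("kind") == "path" and normalise(ev["value"]) == EXCLUSION_DIR:
            return "Defender path exclusion for the controller folder"
        if ev.get("kind") == "process" and ev["value"].lower() == "cmd.exe":
            return "Defender process exclusion for cmd.exe"
    if t == "registry_set" and normalise(ev["key"]) == RUN_KEY and ev["name"].lower() == RUN_VALUE_NAME:
        return "Run-key persistence value named 'controller'"
    if t == "task_create" and normalise(ev["xml"]).endswith("\\" + TASK_XML):
        return "scheduled task registered from controller.xml"
    return None


def triage_host_events(events):
    """Return (index, finding) pairs for every event that matches an indicator."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_host_event(ev))]


def detect_clipboard_swaps(snapshots, max_gap_ms=1000):
    """Flag a poll that shows a different address of the same type as the user's last
    copy within max_gap_ms, with no user copy in between. The malware polls every
    500 ms, so 1000 ms (an assumption) leaves headroom for one missed tick."""
    swaps = []
    last_user = None
    for t_ms, source, text in snapshots:
        if source == "user_copy":
            last_user = (t_ms, text)
            continue
        if last_user is None:
            continue
        t0, original = last_user
        kind = address_type(original)
        if kind and text != original and address_type(text) == kind and t_ms - t0 <= max_gap_ms:
            swaps.append({"t_ms": t_ms, "original": original, "replaced_with": text, "kind": kind})
            last_user = None  # report each swap once
    return swaps


if __name__ == "__main__":
    for idx, finding in triage_host_events(SAMPLE_HOST_EVENTS):
        print(f"event {idx}: {finding}")
    for swap in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print(f"clipboard swap at {swap['t_ms']} ms: {swap['original']} -> {swap['replaced_with']}")
```

The clipboard rule deliberately ignores changes to non-address text and changes that happen long after the user’s copy, which keeps it quiet on ordinary clipboard use; the host rules key on the exact paths and value names quoted in the report, so a renamed drop folder would need the indicator list updated rather than the logic.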

Efimer’s communication infrastructure relies on the Tor network, downloading the Tor proxy service from multiple hardcoded URLs hosted on compromised WordPress sites.

The malware generates unique GUIDs following the format “vs1a-” for victim identification and contacts its command-and-control servers at 30-minute intervals, a cadence chosen to avoid detection while maintaining persistent connectivity.
