A site spoofing the official Jaxx website was discovered packing several infections for Windows and Mac machines, and has been shut down.
A malware campaign targeted Jaxx cryptocurrency wallet holders through a website spoofed to mimic the legitimate Jaxx site, researchers at Flashpoint reported this week. The fraudulent site has since been taken down.
Jaxx was created by Ethereum cofounder and Decentral founder Anthony Di Iorio, who built the wallet in 2015 to help people manage digital assets. It has been downloaded more than 1.2 million times on desktop and mobile, the company reported in March. Its latest version, Jaxx Liberty supports more than a dozen cryptocurrencies, including Bitcoin and Ethereum.
Earlier this month, Flashpoint notified both Jaxx and the Cloudflare content delivery network of a spoofed site designed to mimic Jaxx's, created on Aug. 19. The site had a URL similar to the legitimate Jaxx[.]io and included line-by-line copy taken from the actual site, with modifications made to the download links to redirect visitors to a server controlled by attackers.
Researchers point out this campaign is built on social engineering and not a vulnerability in the Jaxx mobile app, website, or any domains owned by Decentral. The fraudulent Jaxx site packed several custom and commodity strains of malware developed to empty users' wallets.
"It's unclear how the attackers were luring victims to the spoofed Jaxx site, whether they were relying on poisoned search engine results, phishing via email or chat applications, or other means to infect victims," researchers report in a post on their findings.
Malware Skips Mobile, Goes to Desktop
This campaign was strictly focused on desktop victims, researchers report. Mobile users who clicked "download" on the malicious site were redirected to the legitimate Jaxx site, uninfected.
Windows and Mac OS X users, however, weren't quite as lucky. Visitors to the fake website would likely believe they were on the real one, as attackers installed the legitimate software onto victims' computers while malware was simultaneously installed in the background.
Mac users who clicked bad links received a custom malicious Java Archive (JAR) file, which was programmed in PHP and compiled using DevelNext, a Russian-language IDE. It seems the malware was developed specifically for this campaign; Jaxx branding is throughout the code.
If the JAR was executed it displayed a message in both Russian and English stating the user was temporarily blocked from creating a new wallet. They were rerouted to a "Pair/Restore Wallet" option, which prompted them for their Jaxx backup wallet phrase, a password used to decrypt wallets so threat actors could pilfer digital currency from the target's account. The victim's backup phrase went to the attackers' server, and they saw another error message.
The Windows link downloaded a custom-written .NET application, which contained both malicious behavior and two additional malware samples. This behavior included exfiltrating all the victim's desktop files to a command-and-control server, and the malware samples were KPOT Stealer and Clipper, both marketed on underground Russian-language cybercrime sites.
Victims who clicked the link downloaded a Zip archive from a Google Docs URL. The malicious .NET binary, like the JAR for OS X, was built for this campaign. Malware contacted the command-and-control server where the target's files were uploaded, while the fake application downloaded three executables from URLs: the Liberty Beta installer, KPOT, and Clipper.
KPOT is designed to steal information from the local hard drive; Clipper scans the clipboard for digital wallet addresses. Once it detects an address, it swaps it out for a different address under the attackers' control. If an address is changed in the clipboard, victims may not notice the recipient has changed when they copy-and-paste addresses to send payments.