As the crypto industry grows more visible and valuable, it has come to the attention of advanced threat actors.  Recently, Halborn has identified an attack campaign against crypto groups that is believed to be performed by an APT (Advanced Persistent Threat) affiliated with China.

Analyzing the Malware

A recent report stated that the author “recently discovered a Remote Access Trojan (RAT) virus posted in a crypto investment public Telegram chat.  The company says the purpose of this Trojan was to steal Bitcoin keys.”  Based on an investigation of the malicious files attributed to this attack, Halborn has identified the malware as a Gh0stRAT variant likely associated with an unknown Chinese APT.

Gh0stRAT is a well-known RAT that provides the attacker with various capabilities, including the ability to remotely control and monitor the target computer.  Among other features, this Gh0stRAT variant can capture keystrokes and screenshots, use the microphone and camera, and download files from the infected computer.

After being dropped and executed on the computer, this malware copies itself to the SysWoW64 directory with the name Skc2sk.exe.  It then adds itself as a startup service to maintain persistence across reboots and deletes the original file using the command prompt.  As part of this process, the malware also connects to a command and control (C2) server on a hosting provider commonly used by the suspected Chinese APT behind the attack.

Once running on the infected machine, the malware takes various actions, including:

  • Attempting to run with Administrator permissions
  • Checking if the computer supports RDP, which would provide the attacker with remote access
  • Likely uses mimikatz to dump passwords from Windows as indicated by the string “GetMP privilege:debug sekurlsa::logonpasswords exit” in the malicious process; memory
  • Likely scans for active antivirus programs on the system from a list of associated AV names

These and other capabilities indicate that the malware is a RAT.  

Due to the presence of certain strings within the malware and details of the malware’s actions on an infected system, this malware is identified as a Gh0stRAT variant similar to Zerogost.  These malware variants and the command and control infrastructure used by this malware are commonly attributed to attacks by an unknown APT affiliated with China.

Protecting Against Malware Attacks

This malware is used to collect various types of sensitive information; however, there is no evidence that it is specifically targeting the private keys of blockchain accounts.  However, the malware’s ability to collect keystrokes and login credentials could lead to the compromise of these accounts.

This attack campaign used a phishing attack within Telegram channels associated with crypto investing.  When on Telegram and other communications platforms, be cautious about downloading and opening any files.  If you need to download a file, make sure that it is scanned by a reputable antivirus before opening it.

Halborn Identifies APT Campaign Targeting Crypto Groups
Rob Behnke
07.28.2022