Trojan malware to empty coin wallets doesn’t have to cost a lot: pros detail Gorgon Group attacks


A new, widespread campaign against crypto wallets shows how easily determined attackers can get into user accounts and drain them of their digital value.

CoinDesk reports today on a low-cost Trojan campaign that has cleaned out a number of investors: victims receive spearphishing emails, and the malicious attachments install code that gives the attackers a back door into the victim's machine.

Security researchers are calling the campaign the MasterMana Botnet, and they are linking it to the Gorgon Group, a threat actor that researchers (notably Palo Alto Networks' Unit 42) have traced to Pakistan and that has been tied to attacks on systems around the world.

“The Gorgon Group has spent the last year performing hacking operations against a range of global targets, … including a spree against government agencies from the U.S., U.K., Spain and Russia,” wrote Jeff Stone at CyberScoop in April.

According to researchers who track the group, the Gorgon Group has been using a low-cost, commodity remote access Trojan called RevengeRAT to get into systems.

Here’s how the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) describes this malware:

“RevengeRAT is a remote access trojan discovered by Cisco Talos researchers using both this RAT and Orcus RAT as malware distribution campaigns targeting organizations including government entities, financial services organizations, information technology service providers and consultancies. It is capable of opening remote shells, allowing threat actors to manage file systems, processes, registry, and services in order to log keystrokes, dump victims’ passwords, and to access the webcam. Threat actors use DDNS to conceal their C2 servers and point the DDNS to the Portmap service to provide an additional layer of infrastructure obfuscation.”
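The last sentence of that description, hiding the command-and-control servers behind dynamic DNS (DDNS) and the Portmap service, is also the part a defender can most easily turn into a detection: a workstation that suddenly resolves hostnames under a free dynamic-DNS zone or under portmap.io is worth a look. The script below is an added example written for this article, not code from the NJCCIC, Cisco Talos or any vendor report. The log format, the log lines and the watch-list of suffixes are constructed assumptions for illustration (real environments would feed it from the resolver or DNS-monitoring logs they already have and maintain a fuller list); none of the hostnames in the sample is a known indicator.

```python
"""Flag DNS lookups for names under dynamic-DNS or port-mapping service zones.

Added example for this article; the log format, sample lines and
watch-list below are constructed for illustration, not real data.
"""
from collections import Counter

# Constructed sample DNS query log: "<timestamp> <client_ip> <qname> <qtype> <answer>".
# These lines are made up for the example; none of the hosts is a known indicator.
SAMPLE_DNS_LOG = """\
2019-10-02T09:14:01Z 10.0.5.23 www.example.com A 93.184.216.34
2019-10-02T09:14:07Z 10.0.5.23 update-svc.duckdns.org A 203.0.113.10
2019-10-02T09:15:30Z 10.0.5.41 mail.example.com A 93.184.216.35
2019-10-02T09:16:02Z 10.0.5.23 client4-port.portmap.io A 203.0.113.99
2019-10-02T09:20:45Z 10.0.5.88 cdn.example.net A 93.184.216.36
2019-10-02T09:21:10Z 10.0.5.88 host77.ddns.net A 203.0.113.11
"""

# Assumed watch-list (an illustrative subset, not an authoritative list):
# a few popular free dynamic-DNS zones plus the Portmap service zones.
WATCHED_SUFFIXES = (
    "duckdns.org",
    "ddns.net",
    "no-ip.org",
    "hopto.org",
    "portmap.io",
    "portmap.host",
)


def parse_line(line):
    """Parse one log line into a dict, or return None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "answer": answer}


def watched_suffix(qname):
    """Return the watch-list suffix the query name falls under, or None.

    Matching is case-insensitive and on label boundaries only, so a name such
    as 'notportmap.io' does not match 'portmap.io'."""
    name = qname.lower().rstrip(".")
    for suffix in WATCHED_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def find_ddns_lookups(log_text):
    """Return every parsed record whose qname matches the watch-list, tagged with the suffix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        suffix = watched_suffix(rec["qname"])
        if suffix is not None:
            hits.append({**rec, "matched": suffix})
    return hits


def clients_by_hit_count(hits):
    """Count matching lookups per client so repeat offenders surface first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_ddns_lookups(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['qname']} ({h['matched']})")
    print(clients_by_hit_count(found).most_common())
```

Run against the sample, the script reports three lookups from two clients, with 10.0.5.23 appearing twice. A match is a triage signal rather than proof of compromise: dynamic DNS has plenty of legitimate users, so the hits should be checked against the process that made the request and against proxy or firewall logs for the resolved address before anyone is paged.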

Reports like the NJCCIC’s make crypto wallet theft look like child’s play, but there are things users can do to protect themselves from this kind of asset hijacking.

One of the most popular and most often recommended strategies is to get in and get out: experts warn against leaving digital assets sitting in an exchange account. Once a trade is done, they say, users should immediately move the assets to a wallet whose private keys are kept offline (cold storage), for example a hardware wallet or a signing key held on a device that never touches the network. What an attacker with a RAT on your PC can steal is the key material it can reach; keys that are never exposed to an Internet-connected system are largely out of reach, whereas assets controlled by keys that live in a browser, a hot wallet or an exchange account can be pried away by anyone who gets a foothold there.