Attackers Create Elaborate Crypto Trading Scheme to Install Malware

Attackers have created an elaborate scheme to distribute a cryptocurrency trading program that installs a backdoor on a victim’s Mac or Windows PC.

Security researcher MalwareHunterTeam discovered a scheme where an attacker has created a fake company that is offering a free cryptocurrency trading platform called JMT Trader. When this program is installed, it will also infect a victim with a backdoor Trojan.

The making of a crypto trading malware scheme

JMT Trader Web Site

This scheme starts with a professionally designed web site where the attackers promote the JMT Trader program.

Twitter Account

To help promote the site and program, they also created a Twitter account that is used to promote the fictitious company. This account is fairly dormant with its latest tweet being from June.

JMT Trader GitHub Repository

If you attempt to download the software, you will be brought to a GitHub repository where you can find Windows and Mac executables for the JMT Trader application. This page also contains the source code for the trading programs for those who want to compile it under Linux. This source code does not appear to be malicious.

JMT Trader Application

Using the JMT Trade program, a user can create various exchange profiles and use it legitimately to trade cryptocurrency. That’s because this application and the above GitHub page are just clones of the legitimate QT Bitcoin Trader program that have been adopted for this malware operation.

CrashReporter.exe Backdoor

When the JMT Trader is installed, though, the installer will also extract a secondary program called CrashReporter.exe and save it to the %AppData%JMTTrader folder. This program is the malware component and acts as a backdoor. This malware currently has only 5/69 detections on VirusTotal.

A scheduled task called JMTCrashReporter will be created that launches the CrashReporter.exe every time a user logs into the computer.

Connecting to the C2 Server

According to reverse engineer and researcher Vitali Kremez, when the CrashReporter.exe executable is launched, it wil connect back to a Command & Control server at beastgoc[.]com to receive commands. These commands will then be executed by the backdoor.

It is not known if the malware drops any other payloads or is simply used as a backdoor to steal cryptocurrency wallets or exchange logins.

Regardless, if any user installed this application, they should be sure to check their computer thoroughly for malware and delete the %AppData%JMTTraderCrashReporter.exe if it is present.

Victims should then change the passwords at any exchanges they have accounts.

Possible ties to the Lazarus APT group

When analyzing the scheme, MalwareHunterTeam noted that it had a strong resemblance to a previous crypto trading application malware operation named AppleJeus.

In 2018, during an incident response job, Kaspersky discovered that a cryptocurrency exchange was compromised when an employee downloaded a trojanized cryptocurrency trading application.

“Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.”

After further research, this attack was attributed to APT group named Lazarus with ties to North Korea.

While some details have changed, the methods between the JMT Trader scheme looks very similar to the AppleJeus operating seen by Kaspersky.  Both use legitimate cryptotrading applications that are promoted from professional sites and both have a secondary program which is the malware component.

While it is not 100% confirmed that JMT Trader is a Lazarus operation, Kaspersky GReAT Senior Security Researcher Seongsu Park feels that they may be related.

This goes to show you that you need to be careful when downloading programs off of the Internet as you never know what you will be getting.