Cryptocurrency Rate Tracker Widget Contained Malware

Analysts at Doctor Web have discovered the Trojan Trojan.DownLoad4.11892 (also known as AZORult) in a program designed to track cryptocurrency exchange rates. This malware acts as a downloader: it fetches another Trojan, aimed at stealing victims’ personal data, onto the infected machine.

Researchers report that as early as last fall, messages began appearing in online communities dedicated to cryptocurrencies, offering a program for tracking exchange rate changes. The developers promised a free, reliable, and certified widget. At first glance, the application seemed legitimate: it had a valid digital signature and actually displayed up-to-date cryptocurrency rates. However, it was hiding malicious functionality.

When installed, the program downloads, compiles, and executes source code retrieved from the developer’s personal GitHub account. This code then downloads AZORult onto the victim’s machine. This Trojan is used to steal users’ personal data, including passwords for cryptocurrency wallets.

The dangerous widget is mainly advertised in Russian, English, and Polish. On the Russian-language internet, the Trojan is primarily spread in miners’ groups on VKontakte. Experts warn that the malicious campaign is still active, and the malware remains available on various file-sharing services as well as on GitHub.
