Bogus software update lures are being used by threat actors to deliver a new stealer malware called CoinLurker.
“Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyber attacks,” Morphisec researcher Nadav Lorber said in a technical report published Monday.
The attacks make use of fake update alerts that employ various deceptive entry points such as software update notifications on compromised WordPress sites, malvertising redirects, phishing emails that link to spoofed update pages, fake CAPTCHA verification prompts, direct downloads from phoney or infected sites, and links shared via social media and messaging apps.
Regardless of the method utilized to trigger the infection chain, the software update prompts make use of Microsoft Edge Webview2 to trigger the execution of the payload.
“Webview2’s dependency on pre-installed components and user interaction complicates dynamic and sandbox analysis,” Lorber said. “Sandboxes often lack Webview2 or fail to replicate user actions, allowing the malware to evade automated detection.”
One of the advanced tactics adopted in these campaigns concerns the use of a technique called EtherHiding, in which the compromised sites are injected with scripts that are designed to reach out to Web3 infrastructure in order to retrieve the final payload from a Bitbucket repository that masquerades as legitimate tools (e.g., “UpdateMe.exe,” “SecurityPatch.exe”).
These executables, in turn, are signed with a legitimate-but-stolen Extended Validation (EV) certificate, thereby adding another layer of deception to the scheme and bypassing security guardrails. In the final step, the “multi-layered injector” is used to deploy the payload into the Microsoft Edge (“msedge.exe”) process.
CoinLurker also uses a clever design to conceal its actions and complicate analysis, including heavy obfuscation to check if the machine is already compromised, decoding the payload directly in memory during runtime, and taking steps to obscure the program execution path using conditional checks, redundant resource assignments and iterative memory manipulations.
“This approach ensures that the malware evades detection, blends seamlessly into legitimate system activity, and bypasses network security rules that rely on process behavior for filtering,” Morphisec noted.
CoinLurker, once launched, initiates communications with a remote server using a socket-based approach and proceeds to harvest data from specific directories associated with cryptocurrency wallets (namely, Bitcoin, Ethereum, Ledger Live, and Exodus), Telegram, Discord, and FileZilla.
“This comprehensive scanning underscores CoinLurker’s primary goal of harvesting valuable cryptocurrency-related data and user credentials,” Lorber said. “Its targeting of both mainstream and obscure wallets demonstrates its versatility and adaptability, making it a significant threat to users in the cryptocurrency ecosystem.”
The development comes as a single threat actor has been observed orchestrating as many as 10 malvertising campaigns that abuse Google Search ads to single out graphic design professionals since at least November 13, 2024, using lures related to FreeCAD, Rhinoceros 3D, Planner 5D, and Onshape.
“Domains have been launched day after day, week after week, since at least November 13, 2024, for malvertising campaigns hosted on two dedicated IP addresses: 185.11.61[.]243 and 185.147.124[.]110,” Silent Push said. “Sites stemming from these two IP ranges are being launched in Google Search advertising campaigns, and all lead to a variety of malicious downloads.”
It also follows the emergence of a new malware family dubbed I2PRAT that abuses the I2P peer-to-peer network for encrypted communications with a command-and-control (C2) server. It’s worth noting that I2PRAT is also tracked by Cofense under the name I2Parcae RAT.
The starting point of the attack is a phishing email containing a link that, when clicked, directs the message recipient to a fake CAPTCHA verification page, which employs the ClickFix technique to trick users into copying and executing a Base64-encoded PowerShell command responsible for launching a downloader, which then deploys the RAT after retrieving it from the C2 server over a TCP socket.