Full Report
Bogus software update lures are being used by threat actors to deliver a new stealer malware called CoinLurker. "Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyber attacks," Morphisec researcher Nadav Lorber said in a technical report published Monday. The attacks make use of fake update alerts that employ
Analysis Summary
# Tool/Technique: CoinLurker
## Overview
CoinLurker is a new stealer malware written in Go, designed to harvest cryptocurrency wallet data, credentials, and other sensitive information. It utilizes sophisticated obfuscation and anti-analysis techniques, often distributed via bogus software update lures.
## Technical Details
- Type: Malware family (Stealer)
- Platform: Windows (implied by the use of Microsoft Edge WebView2 and standard Windows directories)
- Capabilities: Data exfiltration (cryptocurrency wallet credentials, Telegram, Discord, FileZilla data), advanced evasion techniques, process injection.
- First Seen: Prior to December 2024 (based on article date).
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on described behavior.*
- T1055 - Process Injection
  - (No specific sub-technique mentioned, but process injection is heavily implied by deploying the payload into `msedge.exe`)
- T1027 - Obfuscated Files or Information
  - T1027.002 - Software Packing
  - (Heavy obfuscation used to conceal actions and execution path)
- T1053.005 - Scheduled Task/Job (Inferred if persistence is established, though not explicitly detailed)
- T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (Via malicious links/downloads)
- T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (Implied by C2 communication)
## Functionality
### Core Capabilities
- **Data Theft:** Harvests data and credentials from cryptocurrency wallets (Bitcoin, Ethereum, Ledger Live, Exodus), Telegram, Discord, and FileZilla.
- **C2 Communication:** Initiates socket-based communication with a remote server for command and control or data exfiltration.
- **Payload Decoding:** Decodes the malware payload directly in memory during runtime to avoid file-system detection.
### Advanced Features
- **Anti-Analysis/Evasion:** Employs heavy obfuscation, conditional checks, redundant resource assignments, and iterative memory manipulations to obscure execution paths and evade detection.
- **WebView2 Execution Trigger:** Utilizes Microsoft Edge WebView2 to trigger payload execution, complicating dynamic and sandbox analysis because sandboxes often lack, or fail to properly emulate, WebView2 environments.
- **EtherHiding Technique:** Compromised sites inject scripts to reach out to Web3 infrastructure, retrieving the final payload from a Bitbucket repository disguised as legitimate tools (e.g., "UpdateMe.exe").
- **Code Signing Deception:** Executables are signed with legitimate-but-stolen Extended Validation (EV) certificates to bypass security checks.
- **In-Process Deployment:** Uses a "multi-layered injector" to deploy the final payload into the legitimate Microsoft Edge process (`msedge.exe`).
## Indicators of Compromise
- File Hashes: [Unknown/Not provided in article]
- File Names: "UpdateMe.exe", "SecurityPatch.exe" (Used for initial payload staging from Bitbucket)
- Registry Keys: [Unknown/Not provided in article]
- Network Indicators: C2 communication primarily uses a socket-based approach. Specific C2 addresses are not detailed beyond the initial file retrieval mechanism using Bitbucket.
- Behavioral Indicators: Use of Microsoft Edge WebView2 as the initial execution trigger; process injection into `msedge.exe`; scanning of specific cryptocurrency wallet directories.
## Associated Threat Actors
- Unspecified threat actors orchestrating fake software update campaigns, including those observed abusing Google Search ads targeting graphic design professionals.
## Detection Methods
- Signature-based detection: Likely challenging, since the payload is decoded in memory at runtime and heavily obfuscated.
- Behavioral detection: Focus on monitoring execution paths in which Microsoft Edge WebView2 initiates payload deployment, suspicious process injection into `msedge.exe`, and socket-based communication originating from unexpected processes.
- YARA rules: Potentially feasible based on unique Go language constructs or obfuscation patterns, if the sample is reverse-engineered.
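The three behavioral signals above (WebView2 spawning a payload, injection into `msedge.exe`, outbound sockets from an unexpected process) can be triaged from endpoint telemetry. The following is an added example, not code from the Morphisec report; it runs over constructed Sysmon-style events (field names follow Sysmon's `Image`/`ParentImage`/`SourceImage`/`TargetImage` conventions) and assumes the WebView2 host process is named `msedgewebview2.exe`.

```python
"""Behavioral triage for the CoinLurker-style chain described above.

Events are constructed, Sysmon-like dicts (not real telemetry).
Assumption: the WebView2 runtime host is msedgewebview2.exe.
"""
from pathlib import PureWindowsPath

TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _untrusted(path: str) -> bool:
    """True when an image lives in a user-writable, non-system directory."""
    p = path.lower()
    return not p.startswith(TRUSTED_DIRS) and any(d in p for d in USER_WRITABLE)


def detect(events):
    """Return (rule, image) pairs for events matching one of the three behaviours."""
    hits = []
    for e in events:
        eid = e["EventID"]
        # Rule 1 (Sysmon ID 1): WebView2 host spawning an executable from a user-writable path
        if eid == 1 and _name(e["ParentImage"]) == "msedgewebview2.exe" and _untrusted(e["Image"]):
            hits.append(("webview2_spawn", e["Image"]))
        # Rule 2 (Sysmon ID 8): remote thread created in msedge.exe by an untrusted process
        elif eid == 8 and _name(e["TargetImage"]) == "msedge.exe" and _untrusted(e["SourceImage"]):
            hits.append(("msedge_injection", e["SourceImage"]))
        # Rule 3 (Sysmon ID 3): outbound socket from a process in a user-writable directory
        elif eid == 3 and e.get("Initiated") and _untrusted(e["Image"]):
            hits.append(("untrusted_outbound", e["Image"]))
    return hits


SAMPLE_EVENTS = [  # constructed sample: benign Edge activity mixed with the suspicious chain
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\UpdateMe.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\UpdateMe.exe",
     "TargetImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\UpdateMe.exe", "Initiated": True},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "Initiated": True},
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```

Path heuristics like `_untrusted` are a starting point for hunting, not a verdict; in production you would combine them with the signer checks called for under Mitigation Strategies.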
## Mitigation Strategies
- Strict application control and allowlisting (especially around executing scripts or payloads retrieved via WebView2 interactions).
- Enhanced sandbox analysis that properly emulates the full Microsoft Edge WebView2 environment, where available.
- Vigilance against software update lures delivered via malvertising, phishing, or compromised websites.
- Strong monitoring for certificate validation issues, especially processes executing code signed with EV certificates from unexpected sources.
## Related Tools/Techniques
- General Stealer Malware (e.g., those targeting crypto wallets).
- Techniques involving software update lures (a common initial access vector).
- I2PRAT (mentioned subsequently; uses I2P for C2 and illustrates parallel threat development).