{"id":114192,"date":"2022-05-17T09:00:00","date_gmt":"2022-05-17T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=114192"},"modified":"2023-10-13T08:28:37","modified_gmt":"2023-10-13T15:28:37","slug":"in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/","title":{"rendered":"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks"},"content":{"rendered":"\n
The steep rise in cryptocurrency market capitalization<\/a>, not surprisingly, mirrors a marked increase in threats and attacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting trend: the evolution of related malware and their techniques, and the emergence of a threat type we\u2019re referring to as cryware<\/em>.<\/p>\n\n\n\n Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets<\/a>. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.<\/p>\n\n\n\n Cryware signifies a shift in the use of cryptocurrencies in attacks: no longer as a means to an end but the end itself. Before cryware, the role of cryptocurrencies in an attack or the attack stage where they figured varied depending on the attacker\u2019s overall intent. For example, some ransomware campaigns prefer cryptocurrency as a ransom payment. However, that requires the target user to manually do the transfer. Meanwhile, cryptojackers\u2014one of the prevalent cryptocurrency-related malware\u2014do try to mine cryptocurrencies on their own, but such a technique is heavily dependent on the target device\u2019s resources and capabilities.<\/p>\n\n\n\n With cryware, attackers who gain access to hot wallet data can use it to quickly transfer the target\u2019s cryptocurrencies to their own wallets. Unfortunately for the users, such theft is irreversible: blockchain transactions are final even if they were made without a user\u2019s consent or knowledge. In addition, unlike credit cards and other financial transactions, there are currently no available mechanisms that could help reverse fraudulent cryptocurrency transactions or protect users from such.<\/p>\n\n\n\n To find hot wallet data such as private keys, seed phrases, and wallet addresses, attackers could use regular expressions (regexes), given how these typically follow a pattern of words or characters. These patterns are then implemented in cryware, thus automating the process. The attack types and techniques that attempt to steal these wallet data include clipping and switching<\/a>, memory dumping<\/a>, phishing<\/a>, and scams<\/a>.<\/p>\n\n\n\n As cryptocurrency investing continues to trickle to wider audiences, users should be aware of the different ways attackers attempt to compromise hot wallets. They also need to protect these wallets and their devices using security solutions like Microsoft Defender Antivirus<\/a>, which detects and blocks cryware and other malicious files, and Microsoft Defender SmartScreen<\/a>, which blocks access to cryware-related websites. For organizations, data and signals from these solutions also feed into Microsoft 365 Defender<\/a>, which provides comprehensive and coordinated defense against threats\u2014including those that could be introduced into their networks through user-owned devices or non-work-related applications.<\/p>\n\n\n\n In this blog, we provide details of the different attack surfaces targeting hot wallets. We also offer best practice recommendations that help secure cryptocurrency transactions.<\/p>\n\n\n\n The emergence and boom of cryptocurrency allowed existing threats to evolve their techniques to target or abuse cryptocurrency tokens. The threats that currently leverage cryptocurrency include:<\/p>\n\n\n\n The increasing popularity of cryptocurrency has also led to the emergence of cryware like Mars Stealer and RedLine Stealer. These threats aim to steal cryptocurrencies through wallet data theft, clipboard manipulation, phishing and scams, or even misleading smart contracts. For example, RedLine has even been used as a component in larger threat campaigns. The graph below illustrates the increasing trend in unique cryware file encounters Microsoft Defender for Endpoint<\/a> has detected in the last year alone.<\/em><\/p>\n\n\n\nFrom cryptojackers to cryware: The growth and evolution of cryptocurrency-related malware<\/h2>\n\n\n\n