Some of the most technically advanced viruses prey on users' crypto savings.
The first malware that hunted for users' cryptocurrencies consisted of viruses and Trojans that stole the private key file of a wallet installed locally on the user's device. There have always been a large number of users who, for various reasons, store their funds in local wallets. When the first Trojans working according to this scheme appeared, there were very few online wallets, so users had to store their crypto savings directly on their devices (computers, smartphones, tablets, etc.). And even now, when many services for online storage of funds have appeared, some users do not trust them and prefer to keep their keys locally.
The first Trojan aimed at stealing the wallet.dat file, which contains the private keys and other data about the user's wallet, was discovered back in June 2011 by Symantec and was named Infostealer.Coinbit. After penetrating the victim's system, it located the wallet.dat file and forwarded it to the attackers.
Initially, there was little technical information about cryptocurrencies and the security of working with local wallets, and even now many users do not want to delve into the intricacies of how this software works. As a result, there is a category of users who do not enable the option to encrypt the key file, or who use very weak passwords, and so become very easy prey for the Trojan: it only needs to obtain the key file, and the attacker gains full control over the user's funds.
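The failure mode described above is checkable from the defender's side. The following is an added example, not code from the original article or from any of the projects it mentions: a heuristic that inspects the raw bytes of a legacy (Berkeley DB) Bitcoin Core wallet.dat and reports whether it still holds plaintext private key records. Bitcoin Core serializes each record key as a length-prefixed string, so the record types appear literally in the file; the sample blobs below are constructed for the demonstration and only imitate those markers, not a real database layout, and the check does not apply to the newer SQLite descriptor wallets.

```python
r"""Heuristic check: does a Bitcoin Core wallet.dat still hold plaintext keys?

Bitcoin Core keeps wallet records in a Berkeley DB file. Each record's key is
a serialized string with a one-byte length prefix, so the record types that
matter here appear literally in the raw file bytes:
    b"\x03key"   unencrypted private key record
    b"\x04ckey"  private key record encrypted under the wallet master key
    b"\x04mkey"  master key record (present only once the wallet is encrypted)
A file with "key" records and no "mkey" record has never been encrypted, which
is exactly what a wallet.dat stealer hopes to find.
"""
from dataclasses import dataclass

PLAINTEXT_KEY = b"\x03key"
ENCRYPTED_KEY = b"\x04ckey"
MASTER_KEY = b"\x04mkey"


@dataclass
class WalletAssessment:
    plaintext_keys: int
    encrypted_keys: int
    has_master_key: bool

    @property
    def encrypted(self) -> bool:
        # An encrypted wallet carries a master key and no plaintext key records.
        return self.has_master_key and self.plaintext_keys == 0

    def verdict(self) -> str:
        if self.plaintext_keys == 0 and self.encrypted_keys == 0:
            return "no key records found (not a legacy wallet.dat?)"
        if self.encrypted:
            return "encrypted: theft of the file alone does not expose the keys"
        return "UNENCRYPTED: anyone holding this file controls the funds"


def assess_wallet_bytes(data: bytes) -> WalletAssessment:
    """Count record markers in the raw bytes of a wallet.dat."""
    return WalletAssessment(
        plaintext_keys=data.count(PLAINTEXT_KEY),
        encrypted_keys=data.count(ENCRYPTED_KEY),
        has_master_key=MASTER_KEY in data,
    )


def assess_wallet_file(path: str) -> WalletAssessment:
    with open(path, "rb") as fh:
        return assess_wallet_bytes(fh.read())


# --- constructed sample data (not real wallet files) ------------------------
# Only the record markers matter to the heuristic; the zero padding stands in
# for the Berkeley DB page structure, which this check deliberately ignores.
def _record(key: bytes, value: bytes) -> bytes:
    return bytes([len(key)]) + key + bytes([len(value)]) + value


UNENCRYPTED_SAMPLE = (
    b"\x00" * 32
    + _record(b"key", b"\x02" + b"\x11" * 32)      # pubkey stub + raw private key
    + _record(b"key", b"\x03" + b"\x22" * 32)
    + _record(b"keymeta", b"\x00" * 8)             # must NOT be counted as "key"
    + b"\x00" * 32
)

ENCRYPTED_SAMPLE = (
    b"\x00" * 32
    + _record(b"mkey", b"\x00\x00\x00\x01" + b"\xaa" * 48)  # master key record
    + _record(b"ckey", b"\x02" + b"\x33" * 32)
    + _record(b"ckey", b"\x03" + b"\x44" * 32)
    + b"\x00" * 32
)

if __name__ == "__main__":
    for name, blob in (("unencrypted", UNENCRYPTED_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(name, "->", assess_wallet_bytes(blob).verdict())
```

Run `assess_wallet_file` against a copy of the wallet rather than the live file, and treat the "UNENCRYPTED" verdict as the cue to set a wallet passphrase and re-run the check; the plaintext record count should drop to zero once Bitcoin Core has rewritten the database.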
But even users who encrypt their keys with long and complex passwords are not immune from losing their savings. Attackers do not stand still. They extend their creations with keyloggers, intercept the clipboard, and monitor the user's mail and the sites they visit, trying by any means to capture the password to the key file or to the user's online wallet.
At the beginning of 2014, the most universal cryptocurrency thief yet was discovered: CryptoStealer. Its first version supported 80 cryptocurrencies. It not only knew the key file storage layout of each wallet, but also knew how to inject itself into the running processes of cryptocurrency programs, for example bitcoin-qt.exe, in order to intercept the passwords protecting access to the keys. For quite a long time this malware did not arouse the suspicion of antivirus software, either through its very competently implemented injection into running processes or through the Internet traffic it generated.
Later, in August 2017, specialists from Trend Micro reported that Cerber, one of the most widespread and serious encryption viruses at the time, had received a new round of functional development. Now, before encrypting the victim's disk, the Trojan checks the device for signs of Bitcoin Core, Electrum and MultiBit wallets. It also tries to steal saved passwords from the Internet Explorer, Google Chrome and Mozilla Firefox browsers. All stolen data is sent to the command-and-control server, after which everything that was found and associated with wallets is deleted from the victim's device.
We have given only a few of the most notable examples of malware that works according to the scheme of stealing user wallets; their real number is much higher. But the complexity of such malware is also its weakness. Because these Trojans actively interfere with the operation of the system (trying to access specific files, capture keystrokes, transfer files over the network, etc.), they are quite often and easily detected by the heuristic analyzers of antivirus software and are quickly blocked. Therefore, security experts always recommend using modern antivirus products with up-to-date virus databases (the choice of a specific antivirus solution depends on the user's operating system, as well as the user's willingness to pay for the security of their data). We will describe our recommendations for storing and securing crypto savings in one of our next articles.
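The behaviours that give these Trojans away (reading wallet files and browser credential stores from an unexpected process, then talking to the network, then deleting what was read, as in the Cerber sequence above) can be written down as detection logic. The following is an added example, not code from the original article or from any security vendor it names: a rule set run over constructed, EDR-style file and network events. The Bitcoin Core path, the Electrum and MultiBit directory names, and the Chrome and Firefox password store file names are real; the process names other than bitcoin-qt.exe in the owner allowlist, the "updater.exe" process and the sample telemetry are assumptions constructed for the demonstration.

```python
"""Detection logic for wallet-stealer behaviour over constructed endpoint
events. Each event mimics what an EDR or Sysmon-style sensor emits: one JSON
object per line with the process name, its pid, the operation and the path."""
import json
import re
from collections import defaultdict

# Artefacts the Trojans in the article go after, matched against the path tail.
SENSITIVE_PATTERNS = {
    "bitcoin_core_wallet": re.compile(r"\\bitcoin\\wallet\.dat$", re.I),
    "electrum_wallet": re.compile(r"\\electrum\\wallets\\", re.I),
    "multibit_wallet": re.compile(r"\\multibit(hd)?\\", re.I),
    "chrome_passwords": re.compile(r"\\chrome\\user data\\[^\\]+\\login data$", re.I),
    "firefox_passwords": re.compile(r"\\firefox\\profiles\\[^\\]+\\logins\.json$", re.I),
}

# Processes that legitimately open each artefact. Names other than
# bitcoin-qt.exe are assumptions for this example; tune them to your fleet.
EXPECTED_OWNERS = {
    "bitcoin_core_wallet": {"bitcoin-qt.exe", "bitcoind.exe"},
    "electrum_wallet": {"electrum.exe"},
    "multibit_wallet": {"multibit.exe", "multibit-hd.exe"},
    "chrome_passwords": {"chrome.exe"},
    "firefox_passwords": {"firefox.exe"},
}


def classify_path(path):
    """Name the sensitive artefact a path refers to, or None."""
    for artefact, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(path):
            return artefact
    return None


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return alerts, in event order, for unexpected access to wallet or
    browser-credential files, escalating when the same process then opens a
    network connection (read -> exfiltrate -> delete is the Cerber sequence)."""
    alerts = []
    touched = defaultdict(set)  # pid -> artefacts it accessed unexpectedly
    for ev in events:
        pid, proc, op = ev["pid"], ev["process"].lower(), ev["op"]
        if op in ("read", "delete"):
            artefact = classify_path(ev["path"])
            if artefact is None or proc in EXPECTED_OWNERS[artefact]:
                continue
            touched[pid].add(artefact)
            alerts.append({
                "severity": "high" if op == "delete" else "medium",
                "rule": f"unexpected {op} of {artefact}",
                "pid": pid, "process": proc, "path": ev["path"],
            })
        elif op == "net_connect" and touched.get(pid):
            alerts.append({
                "severity": "critical",
                "rule": "outbound connection after reading " + ", ".join(sorted(touched[pid])),
                "pid": pid, "process": proc, "dest": ev["dest"],
            })
    return alerts


# Constructed sample telemetry (not a real capture). "updater.exe" plays the
# Trojan: it reads the wallet and browser passwords, beacons out, then deletes.
SAMPLE_EVENTS = r"""
{"ts":"2017-08-03T10:00:01Z","pid":1200,"process":"bitcoin-qt.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
{"ts":"2017-08-03T10:00:05Z","pid":1320,"process":"chrome.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2017-08-03T10:01:10Z","pid":4242,"process":"updater.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
{"ts":"2017-08-03T10:01:11Z","pid":4242,"process":"updater.exe","op":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2017-08-03T10:01:15Z","pid":4242,"process":"updater.exe","op":"net_connect","dest":"203.0.113.10:443"}
{"ts":"2017-08-03T10:01:20Z","pid":4242,"process":"updater.exe","op":"delete","path":"C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert["severity"].upper(), alert["rule"], alert["process"], alert["pid"])
```

The two legitimate reads (bitcoin-qt.exe and chrome.exe opening their own files) produce nothing, while the four events from the impostor process escalate from medium to critical to high; the per-pid state is what turns three individually noisy file events into one high-confidence sequence.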