Everyone’s heard of ransomware, and many people have heard of ‘cryptojackers’, banking trojans, and ‘info stealers’. Now, Microsoft is introducing ‘cryware’ into the cybersecurity lexicon, predicting more people will start using so-called ‘hot wallets’ as they boost cryptocurrency holdings – and that crooks will try to grab them.
Microsoft says it created the term to describe an emerging category of malware spawned by the growing (but volatile) market capitalization of digital assets, aka cryptocurrency, which peaked at almost $3 trillion in 2021.
Cryware is a type of info-stealer malware that targets online passwords stored in a browser but also seeks to harvest private keys from internet-connected cryptocurrency ‘hot wallets’ stored on a device (versus cold wallets that hold cryptocurrencies offline).
“Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them,” Microsoft explains in a blogpost.
It’s true that for the past few years, malware traditionally capable of stealing browser passwords and other information has been tweaked to raid cryptocurrency wallets as well, as Azorult was in 2019. Azorult, clipboard hijacker ClipBanker, Mars Stealer, Redline, and Raccoon are among the growing list of cryware threats Microsoft names.
But Microsoft says cryware reflects a change in how attackers use cryptocurrencies in attacks. Ransomware, for example, uses it as a method of payment that the victim manually transfers, while cryptojackers install miners on target devices. Cryware, on the other hand, targets the crypto wallet directly so the attacker can swiftly and irreversibly transfer its funds into their own wallet.
“Unlike credit cards and other financial transactions, there are currently no available mechanisms that could help reverse fraudulent cryptocurrency transactions or protect users from such,” Microsoft explains of its appeal.
Microsoft has also seen ransomware operators use cryware to steal cryptocurrency funds from a targeted device.
Microsoft expects more companies to have hot wallets installed on enterprise networks in future as they move part of their assets to cryptocurrency, though few knowingly have them on networks today.
Tesla CEO Elon Musk, a fan of cryptocurrencies, announced last week via Twitter that Tesla had suspended accepting Bitcoin for vehicle purchases due to the environmental cost of Bitcoin mining.
Microsoft’s advisory details the process of creating a hot wallet and the role of each component: the private key, the seed phrase, the public key, and the wallet password.
Cryware can steal wallet information, such as private keys or a seed phrase, from the user’s clipboard by searching copied text for patterns that look like wallet addresses or key material; a clipboard hijacker such as ClipBanker goes a step further and silently swaps a copied destination address for the attacker’s, so the victim pays the wrong wallet. The malware can also dump a browser process’s memory to capture private keys in plaintext. Then there’s keylogging, phishing and fake hot wallet apps.
Another way is for the malware to steal a wallet application’s storage files.
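The pattern matching described above, for clipboard contents and for wallet or note files, is the same logic on both sides of the fence: cryware uses it to find key material, and a defender can use it to spot plaintext keys before the malware does, or to catch a clipboard hijacker that has replaced a copied address. The example below is added here and is not Microsoft’s code or any sample’s; every address, key and seed phrase in it is constructed for the demo (they are shape-valid only, with no checksum), and the seed-phrase check is a shape heuristic rather than a lookup against the real 2048-word BIP39 list, which a real implementation would use.

```python
import re

# Shape-only patterns for the kinds of wallet material cryware hunts for.
# No checksum validation is done; clippers work the same way.
PATTERNS = {
    "btc_address": re.compile(
        r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "wif_private_key": re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b"),
    "hex_private_key": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}


def looks_like_seed_phrase(text: str) -> bool:
    """12 or 24 short lowercase words. Heuristic only: a real check would
    test every word against the BIP39 wordlist (assumption for this demo)."""
    words = text.split()
    return len(words) in (12, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words)


def classify(text: str) -> dict:
    """Return every kind of wallet material found in text, keyed by kind."""
    found = {}
    for kind, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[kind] = hits
    if looks_like_seed_phrase(text):
        found["seed_phrase"] = [text.strip()]
    return found


def clipboard_swapped(copied: str, now_in_clipboard: str) -> bool:
    """Clipper check: the user copied one address, but the clipboard now
    holds a different address of the same kind. Compare before pasting."""
    before, after = classify(copied), classify(now_in_clipboard)
    for kind in ("btc_address", "eth_address"):
        if kind in before and kind in after and before[kind] != after[kind]:
            return True
    return False


def scan_lines_for_keys(lines) -> list:
    """Report (line_number, kind) for every line holding private-key
    material, i.e. what cryware would lift from a wallet or notes file."""
    hits = []
    for number, line in enumerate(lines, 1):
        for kind in ("wif_private_key", "hex_private_key"):
            if PATTERNS[kind].search(line):
                hits.append((number, kind))
        if looks_like_seed_phrase(line):
            hits.append((number, "seed_phrase"))
    return hits


# Constructed sample data: not real addresses, keys or wallets.
BTC_USER = "1CrywareExampAddr4jKzQpN9vTbXyLmq"
BTC_ATTACKER = "3AttackerSwapAddr7kPzQmN2vTbXyWuRt"
ETH_SAMPLE = "0x" + "ab" * 20
WIF_SAMPLE = "5" + "Jx7Kq9Mz3R" * 5
HEX_KEY_SAMPLE = "e3" * 32
SEED_SAMPLE = ("harbor lantern orbit silver meadow cactus "
               "violin tunnel glacier pepper marble fabric")
SAMPLE_NOTES = [            # a constructed plaintext "backup" file
    "receive addr: " + BTC_USER,
    "backup key: " + WIF_SAMPLE,
    SEED_SAMPLE,
    "todo: move to hardware wallet",
]

if __name__ == "__main__":
    print(classify("send to " + ETH_SAMPLE))
    print("clipboard swapped:", clipboard_swapped(BTC_USER, BTC_ATTACKER))
    print("plaintext keys in notes:", scan_lines_for_keys(SAMPLE_NOTES))
```

Run against real clipboard or file contents, `classify` and `scan_lines_for_keys` are the checks behind “refrain from storing private keys in plaintext”, and `clipboard_swapped` is the concrete form of “be attentive when copying and pasting”: compare the address you copied against what is in the clipboard immediately before you paste it into a transaction.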
“Mars Stealer is a notable cryware that steals data from web wallets, desktop wallets, password managers, and browser files. The snippet below was taken from a section of Mars Stealer code aimed to locate wallets installed on a system and steal their sensitive files,” says Microsoft.
Whether you agree with Microsoft’s use of the term cryware, the company’s researchers do have some useful advice for protecting hot wallets:
- Lock hot wallets when not actively trading.
- Disconnect sites connected to the wallet.
- Refrain from storing private keys in plaintext.
- Be attentive when copying and pasting information.
- Ensure that browser sessions are terminated after every transaction.
- Consider using wallets that implement multi-factor authentication.
- Be wary of links to wallet websites and applications.
- Double-check hot wallet transactions and approvals.
- Never share private keys or seed phrases.
- Use a hardware wallet unless it needs to be actively connected to a device. Hardware wallets store private keys offline.
- Reveal file extensions of downloaded and saved files. On Windows, turn on File Name Extensions under View on file explorer to see the actual extensions of the files on a device.