Bitcoin Forum
Author Topic: Atlantida Malware - a new crypto info stealer in the wild  (Read 54 times)
Jating (OP), Hero Member (Activity: 3024, Merit: 860)
July 18, 2024, 10:41:08 AM, #1

There is a new info stealer in the wild called Atlantida. What it does is trick users into downloading malware-laden files from compromised sites. The first attack vector is to get unsuspecting victims to download a .hta file from a compromised website, and this is due to the fact that there is a vulnerability in the MSHTML platform, the MSHTML Platform Spoofing Vulnerability known as CVE-2024-38112.

And part of its info-stealing capability is to look for the following on their victims' machines:

Quote from: Rapid7
One of the notable functions of Atlantida stealer is its ability to steal data from Chrome-based browser extensions. For each Chrome-based extension, an “Extension ID” is given. The malware uses this information to harvest data stored within. Atlantida harvests data from the following cryptocurrency wallet extensions:

https://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/

And with that, it's really very important that if we are crypto enthusiasts, we should all be aware of how to protect our mobile phones, laptops and desktops and practice safety hygiene.

We really can't stress that enough, as we are about to hit a bull run and cyber criminals are also ramping up their attacks.

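A defender-side view of what the quoted Rapid7 paragraph describes, as an added example that is not part of the original post or of the Rapid7 write-up: it walks a Chromium browser profile, lists every extension ID together with the name, version and permissions from its manifest, and notes whether the profile holds on-disk storage for that ID, which is the data a stealer that works by Extension ID would copy. The directory layout (Extensions/<id>/<version>/manifest.json and Local Extension Settings/<id>/) and the throwaway profile it builds in a temp directory are assumptions made for this example; the wallet extension IDs the Rapid7 post lists are not reproduced here, and the "wallet" name check is only a crude heuristic.

```python
"""Inventory the extensions in a Chromium-based browser profile and show what a
stealer that harvests data by Extension ID has to work with.

Added example, not the stealer's code and not from the original post.
Assumed (standard Chromium) layout:
    <profile>/Extensions/<extension id>/<version>/manifest.json
    <profile>/Local Extension Settings/<extension id>/   (chrome.storage.local)
The profile used below is constructed in a temp directory so this runs offline."""
import json
import re
import tempfile
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def extension_inventory(profile: Path) -> list:
    """Return one dict per installed extension, sorted by extension ID."""
    rows = []
    ext_root = profile / "Extensions"
    if not ext_root.is_dir():
        return rows
    for ext_dir in sorted(ext_root.iterdir()):
        if not (ext_dir.is_dir() and EXT_ID.match(ext_dir.name)):
            continue
        manifests = list(ext_dir.glob("*/manifest.json"))
        if not manifests:
            continue
        # Several version directories may coexist after an update; read the newest.
        newest = max(manifests, key=lambda p: p.stat().st_mtime)
        manifest = json.loads(newest.read_text(encoding="utf-8"))
        name = manifest.get("name", "")
        if name.startswith("__MSG_"):  # localised name; the string lives under _locales/
            name = f"<localised {name}>"
        storage = profile / "Local Extension Settings" / ext_dir.name
        rows.append({
            "id": ext_dir.name,
            "name": name,
            "version": manifest.get("version", ""),
            "permissions": manifest.get("permissions", []),
            "has_local_storage": storage.is_dir(),
            # Crude heuristic only; the Rapid7 wallet ID list is not reproduced here.
            "wallet_hint": "wallet" in name.lower(),
        })
    return rows


def build_sample_profile(root: Path) -> Path:
    """Construct a fake profile with two extensions (IDs and names made up)."""
    profile = root / "Default"
    specs = [
        ("abcdefghijklmnopabcdefghijklmnop", "Example Wallet", "2.3.1", ["storage", "tabs"], True),
        ("ponmlkjihgfedcbaponmlkjihgfedcba", "Tab Organizer", "1.0.0", ["tabs"], False),
    ]
    for ext_id, name, version, perms, has_storage in specs:
        vdir = profile / "Extensions" / ext_id / f"{version}_0"
        vdir.mkdir(parents=True)
        vdir.joinpath("manifest.json").write_text(json.dumps(
            {"manifest_version": 3, "name": name, "version": version, "permissions": perms}),
            encoding="utf-8")
        if has_storage:
            (profile / "Local Extension Settings" / ext_id).mkdir(parents=True)
    return profile


def demo() -> list:
    """Build the constructed profile in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return extension_inventory(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for row in demo():
        flag = "  <- holds extension storage" if row["has_local_storage"] else ""
        print(f'{row["id"]}  {row["name"]} {row["version"]}  perms={row["permissions"]}{flag}')
```

To use it on a live machine, point extension_inventory() at the real profile directory (on Windows, under %LOCALAPPDATA% for Chrome or Edge) instead of the constructed one; every row with has_local_storage set is an extension whose data is sitting on disk for any process running as that user to read, which is exactly why a stealer does not need to touch the browser at all.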
NotATether, Legendary (Activity: 1694, Merit: 7155)
July 18, 2024, 10:54:26 AM, #2

Another Windows vulnerability.

I can't say I'm surprised.

Windows has all sorts of obsolete items buried inside its codebase in all versions, even newer versions, making them 1000x more vulnerable than Macs and Linux computers.

And Microsoft doesn't seem to care unless you are an enterprise customer. It's always "backward compatibility" and not ripping the stuff out like Apple or Linux devs would do.

.MHTML is an obsolete format; it should've been buried 10 years ago when JS frameworks became popular.

HeRetiK, Legendary (Activity: 3024, Merit: 2146)
July 18, 2024, 02:27:06 PM, #3

Quote from: Jating
The first attack vector is to get unsuspecting victims to download a .hta file from a compromised website, and this is due to the fact that there is a vulnerability in the MSHTML platform, the MSHTML Platform Spoofing Vulnerability known as CVE-2024-38112.

Oof. At first I thought "Well, who uses Internet Explorer nowadays anyway?" but then I stumbled across this nugget:

Quote
The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol which was able to access Windows system-disabled Internet Explorer.

The only upside is that at least it appears to require some user interaction (i.e. executing the .hta file) for the exploit to be run.

Quote from: NotATether
And Microsoft doesn't seem to care unless you are an enterprise customer.

Bold of you to assume that Microsoft cares about its enterprise customers ;)

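To turn the TTP quoted above (and the .hta lure from the opening post) into something you can run over a downloads folder, here is an added example that is not from any of the posts or from the write-ups they quote: it parses a Windows Internet Shortcut (.url) file and flags a URL= field whose scheme is mhtml: (the handler that reaches the system-disabled Internet Explorer engine), any other unexpected protocol handler, and any field that names an .hta target, which is the file the chain ends up executing. The two sample shortcuts are constructed with placeholder hostnames, and the set of "expected" schemes is an assumption you may want to widen for your environment.

```python
"""Triage Windows Internet Shortcut (.url) files for the pattern quoted above:
a URL= field that invokes the mhtml: protocol handler and/or a target that
points at an .hta file.

Added example, not code from the original posts or the cited write-ups;
the sample shortcut contents are constructed and the hostnames are placeholders."""
import configparser
from urllib.parse import urlsplit

# Schemes a shortcut created by a browser or by hand normally carries (assumption).
EXPECTED_SCHEMES = {"http", "https", "file", "ftp"}

# Constructed sample shortcuts (not real indicators).
BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://bitcointalk.org/
IconIndex=0
"""

SUSPICIOUS_SHORTCUT = """[InternetShortcut]
URL=mhtml:http://compromised.example/catalog.html
IconFile=http://compromised.example/update.hta
IconIndex=1
"""


def parse_url_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] fields as a dict with lower-cased keys.

    .url files are INI-formatted; interpolation is disabled so a '%' inside a
    URL does not trip configparser, and strict=False tolerates duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut: no [InternetShortcut] section")
    return dict(cp.items("InternetShortcut"))


def triage_url_shortcut(text: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    fields = parse_url_shortcut(text)
    findings = []
    target = fields.get("url", "")
    scheme = urlsplit(target).scheme.lower()
    if scheme == "mhtml":
        findings.append("URL= uses the mhtml: handler (reaches legacy IE/MSHTML)")
    elif scheme not in EXPECTED_SCHEMES:
        findings.append(f"URL= uses an unexpected protocol handler: {scheme or '<none>'}")
    # The chain described in the thread ends with an .hta being executed, so any
    # field that names one (URL=, IconFile=, ...) is worth a look.
    for key, value in fields.items():
        if ".hta" in value.lower():
            findings.append(f"{key}= references an .hta (HTML Application) target")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SHORTCUT), ("suspicious", SUSPICIOUS_SHORTCUT)):
        print(label, triage_url_shortcut(sample) or ["clean"])
```

Feed it the contents of each *.url under a user's Downloads or Temp directories; anything it flags is worth pulling the referenced files for, since a shortcut alone is harmless until the handler it names is invoked.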
dkbit98, Legendary (Activity: 2324, Merit: 7373)
July 18, 2024, 08:21:59 PM, #4

Another .exe-file wind0ws malware, and I see they are using crap closed-source wallets like Atomic, Guarda and Exodus to steal crypto.
The simple solution is to make the switch to a good Linux OS, and most of the malware problems will be gone forever.
