Bitcoin Forum
Author Topic: [PSA]: New PS1Bot malware targets a lot of cryptocurrency wallets  (Read 246 times)
Dave1 (OP)
Hero Member
August 15, 2025, 01:48:42 AM
Merited by klarki (1), Yaunfitda (1), dkbit98 (1)
#1

Cyber security researchers have unraveled a new malware framework known as PS1Bot.

What's dangerous about it is that it is multi-stage malware, with capabilities for information theft, keylogging, reconnaissance, and the establishment of persistent system access.

The delivery of this malware is through malvertising or search engine optimization (SEO) poisoning, in a zip file. Once you download and extract this zip, it contains a JavaScript payload. This payload is going to get a script from another server, then write it to a file on your local machine and execute it.

Quote
Following successful collection of screenshots on infected systems, we have observed the delivery of an additional PowerShell module that the attacker refers to as the “grabber module” that is used to steal sensitive data from infected systems. It is designed to target the following types of data that are then exfiltrated to the C2 server:

    - Local browser storage (stored credentials, cookies, etc.)
    - Browser extension data for cryptocurrency-related extensions like wallets
    - Local application data for cryptocurrency wallet applications
    - Files containing passwords, sensitive strings or wallet seed phrases

It also has the capability to check for the installation of the following Chromium extensions, most of which are associated with cryptocurrency wallets and multi-factor authentication (MFA) authenticators:



This is another malware that has a tremendous effect if we get our machines infected with it. So just be careful again with zip files that you download and unzip on your laptop or PC.

https://blog.talosintelligence.com/ps1bot-malvertising-campaign/



Patikno
Sr. Member
August 15, 2025, 06:05:45 AM
Merited by Dave1 (1)
#2

Based on the sources you provided, the malware is very dangerous, because it can keylog its victims, monitoring keyboard and mouse activity; it can also steal from several extensions installed in several web browsers, such as Google Chrome, Opera, Edge, Brave, and many more, aiming to obtain information about browser data, extensions, and cryptocurrency wallet applications, and it even tries to steal files that may contain passwords. Actually, there are so many more things that this malware can do, but the things I mentioned are for the purpose of informing us all about the dangers we might face, because some of these things are closely related to what we use.

Therefore, I hope we all remain vigilant and secure, always checking everything we download, install, or extract on our computers, as it could be infected. Activate your antivirus, perform frequent scans (especially deep scans), and diligently update your software. So, I hope these steps can help keep us safe.

However, I am curious about the source, why is there no mention of the Firefox/Mozilla browser?

 
cryptomaniac_xxx
Hero Member
August 15, 2025, 10:04:58 AM
Merited by Dave1 (1)
#3

However, I am curious about the source, why is there no mention of the Firefox/Mozilla browser?

Maybe the cyber criminals might have forgotten about the Firefox/Mozilla browser, which is why it is not included in their targets, although, as you have said, the majority of Chrome and Chromium-based browsers have already been targeted.

Not sure how many of us are still using Firefox up to this point, but I will speculate that the criminals might also be saying that it is a less-used browser right now. Does it mean that we should use Firefox? Well, I don't know; it depends on our usage.

Or maybe they will also evolve this malware to include all browsers in a later iteration.

 
IIrik11
Member
August 15, 2025, 10:12:47 AM
#4

Won't antivirus like Microsoft Defender pick it up inside the zip file?

Mitchell
Moderator
Legendary
August 15, 2025, 10:19:55 AM
#5

I can't believe that there are still people that would run a file called "FULL DOCUMENT.js" from a ZIP they extracted.

 
Lucius
Legendary
August 15, 2025, 10:40:47 AM
#6

~snip~
Not sure how many of us are still using Firefox up to this point, but I will speculate that the criminals might also be saying that it is a less-used browser right now. Does it mean that we should use Firefox? Well, I don't know; it depends on our usage.


It doesn't have much to do with what browser someone uses, but rather how naive you have to be to even download such a file, unzip it, and run it. Only someone who does not know the basics of using a computer and the internet can do something like that.



Won't antivirus like Microsoft Defender pick it up inside the zip file?

I don't know about that specific AV, but any good antivirus will scan every file you download and delete it or move it to quarantine if it finds it dangerous. Just don't download anything you're not sure is legitimate and you will have no reason to worry.

ThemePen
Hero Member
August 15, 2025, 10:58:20 AM
#7

It means PS1Bot is a new type of harmful software that spreads through fake ads and search results, usually hidden inside a zip file. Once we open the zip, a hidden script runs and lets the malware take over your computer, and this is very dangerous. The malware can even check for specific web browser add-ons related to crypto and security. Because of this, it is very important to be careful and not open zip files from sources you do not trust. And this case shows that scammers are just getting smarter and inventing new things to scam with day by day.

 
DYING_S0UL
Hero Member
August 15, 2025, 11:59:26 AM
#8

I can't believe that there are still people that would run a file called "FULL DOCUMENT.js" from a ZIP they extracted.

In Windows 11 there is an option that lets the user hide common file type extensions. This can be used to trick users. For example, when this option is enabled, renaming a file to "documents.pdf" doesn't change its actual extension. When we disable it, we'll see the full file name as "documents.pdf.js". So anyone unaware would think it's a PDF file and safe to open.

I wasn't aware of this before, but I recently found out. I had a fresh Windows installation and it was enabled there by default. Pretty concerning IMO.


Won't antivirus like Microsoft Defender pick it up inside the zip file?

I don't know about that specific AV, but any good antivirus will scan every file you download and delete it or move it to quarantine if it finds it dangerous. Just don't download anything you're not sure is legitimate and you will have no reason to worry.

It's supposed to, AFAIK. Not just good antivirus software; Windows Defender picks up a lot of this trash too. I have noticed on multiple occasions that when downloading stuff from the net, the moment the download finishes, it is quarantined and a "virus found" message pops up.

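The hidden-extension trick DYING_S0UL describes above, with an added PowerShell example that is not code from any poster: it reads Explorer's HideFileExt value, can switch it off for the current user, and lists files whose real extension is a script type sitting behind a decoy one (a name like "documents.pdf.js"). The registry path and the extension list are standard Windows values; scanning the Downloads folder by default is an assumption.

```powershell
# Added example, not from any post in this thread. Assumes Windows 10/11 with
# Windows PowerShell 5.1 or PowerShell 7.

$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # HideFileExt = 1 means known extensions are hidden (the Windows default).
    $value = Get-ItemPropertyValue -Path $advancedKey -Name 'HideFileExt' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 1 }   # a missing value behaves like the default
    return [int]$value
}

function Show-FileExtensions {
    # Set HideFileExt to 0 for the current user. Explorer reads the value when it
    # starts, so open windows only change after explorer.exe is restarted.
    Set-ItemProperty -Path $advancedKey -Name 'HideFileExt' -Value 0 -Type DWord
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
}

# Extensions that Windows hands to a script host or shell on double-click.
$scriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.ps1',
                      '.bat', '.cmd', '.scr', '.hta', '.lnk')

function Find-DoubleExtensionFiles {
    # Default folder is an assumption: the current user's Downloads directory.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # "documents.pdf.js": the real extension is .js, and the BaseName
            # "documents.pdf" still carries a decoy document extension.
            $_.Extension -in $scriptExtensions -and
            [System.IO.Path]::GetExtension($_.BaseName) -ne ''
        } |
        Select-Object FullName, Length, LastWriteTime
}

if ((Get-HideFileExtSetting) -eq 1) {
    Write-Warning 'Explorer is hiding known extensions: "documents.pdf.js" would display as "documents.pdf".'
    # Uncomment to fix this for the current user:
    # Show-FileExtensions
} else {
    Write-Host 'File extensions are shown.'
}

Find-DoubleExtensionFiles | Format-Table -AutoSize
```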
qwertyup23
Hero Member
August 15, 2025, 12:29:56 PM
#9

I can't believe that there are still people that would run a file called "FULL DOCUMENT.js" from a ZIP they extracted.

What's more surprising is that a lot of people will be victims of this kind of scheme. Even the decades-old trick of clicking and downloading random links from the internet would most likely infect and victimize thousands of people in the process.



It means PS1Bot is a new type of harmful software that spreads through fake ads and search results, usually hidden inside a zip file. Once we open the zip, a hidden script runs and lets the malware take over your computer, and this is very dangerous. The malware can even check for specific web browser add-ons related to crypto and security. Because of this, it is very important to be careful and not open zip files from sources you do not trust. And this case shows that scammers are just getting smarter and inventing new things to scam with day by day.

At this point, I cannot stress enough the importance of being vigilant and responsible at the same time. To all newbies reading this comment, never EVER click and download random stuff on the internet, especially if you have BTC stored in your wallet. Additionally, ignore most of your messages that are related to cryptocurrencies (e.g. offering to help, etc.).

 
lovesmayfamilis
Legendary
August 15, 2025, 01:08:47 PM
#10

Perhaps it is worth simply abandoning Windows, since many attacks are made specifically on this system. Firefox has open-source code, and perhaps this is one of the reasons why PS1Bot was not written for this browser. Although today Linux systems are also becoming unsafe for users, the frequency of news reports about this or that software stealing information from users is still much lower. Of course, this is not a panacea, but if you use Linux correctly, then it seems that this system is more reliable.

Aanuoluwatofunmi
Sr. Member
August 15, 2025, 02:44:16 PM
#11

As long as not everyone is aware of this information, in order for them to take heed of the browser they use, this malware attack may still extend further with time, because they targeted users' wallets, and this can only be prevented when we have come to the full realization of the danger they pose, based on the route they take to unleash their attack. More care is needed in this regard, and we also need to inform others about this attack.

Davidvictorson
Hero Member
August 15, 2025, 02:58:22 PM
#12

Malware will continue to be on the rise. It is a fact. We can't do anything about it, but what we can do is continue to inform others about how to protect themselves and their crypto assets online.
The most common tips for staying protected are:
- Download only from official sites
- Always double and if possible, triple check wallet addresses before you send
- Stick with only reliable antivirus software
- Review your browser extensions and apps before installation

DYING_S0UL
Hero Member
August 15, 2025, 04:58:00 PM
#13

Malware will continue to be on the rise. It is a fact. We can't do anything about it, but what we can do is continue to inform others about how to protect themselves and their crypto assets online.
The most common tips for staying protected are:
- Download only from official sites
- Always double and if possible, triple check wallet addresses before you send
- Stick with only reliable antivirus software
- Review your browser extensions and apps before installation


As far as I understand, this malware cannot spread on its own just by being downloaded. The user has to run the executable file first; only then can the malware execute the rest of the scripts and so on. I have read the article OP provided and found that this PowerShell-based malware, aka ps1, needs to be run by the victim in order to gain control. So even if one unknowingly downloads something off the internet, they should at least verify the authenticity of the files first. We shouldn't just run the EXE file, or a file of any other format, that we are unsure of. For me, I always run a quick scan through the VirusTotal site if I suspect some files/links to be harmful. There is no harm in staying vigilant.

joniboini
Legendary
August 16, 2025, 01:09:39 AM
#14

In Windows 11 there is an option that lets the user hide common file type extensions. This can be used to trick users. For example, when this option is enabled, renaming a file to "documents.pdf" doesn't change its actual extension. When we disable it, we'll see the full file name as "documents.pdf.js". So anyone unaware would think it's a PDF file and safe to open.
I'm surprised this isn't well-known in general. Showing file extensions is one of the things I have done when installing a new OS for years now. I can't remember when I started or what articles/sources told me to do it, but it isn't uncommon to hear if you're interested in computers or security in general. But yeah, if we're talking about the average Joe, I guess it isn't surprising. Even some people around my age don't know that auto-run is dangerous, hence why their devices get infected through USB devices quite easily.

Lucius
Legendary
August 16, 2025, 10:21:19 AM
#15

In Windows 11 there is an option that lets the user hide common file type extensions. This can be used to trick users. For example, when this option is enabled, renaming a file to "documents.pdf" doesn't change its actual extension. When we disable it, we'll see the full file name as "documents.pdf.js". So anyone unaware would think it's a PDF file and safe to open.
~snip~


You're wrong if you think PDF is safe, take a look online and you'll see that it's possible to embed something malicious in such a file that will run when the user opens the file. Practically everything you download from the internet is potentially dangerous and nowadays targets cryptocurrencies.

DYING_S0UL
Hero Member
August 16, 2025, 10:28:57 AM
#16

I'm surprised this isn't well-known in general. Showing file extensions is one of the things I have done when installing a new OS for years now. I can't remember when I started or what articles/sources told me to do it, but it isn't uncommon to hear if you're interested in computers or security in general. But yeah, if we're talking about the average Joe, I guess it isn't surprising. Even some people around my age don't know that auto-run is dangerous, hence why their devices get infected through USB devices quite easily.

I didn't know about this either. I was trying to test out a tool, "Bitcointalk Image Uploader", where I needed to create a text file, fill it with some code, then change the file extensions to .js and .json. I did that, but got errors. Later some users pointed out that I was only renaming the file, as the extension was hidden. This is how I realised this trick that hides the real file types.


You're wrong if you think PDF is safe, take a look online and you'll see that it's possible to embed something malicious in such a file that will run when the user opens the file. Practically everything you download from the internet is potentially dangerous and nowadays targets cryptocurrencies.

I know, I have seen it too. I just said it as a general view. I have also seen how things can be hidden inside images and videos. I guess nothing is safe anymore these days!

avp2306
Hero Member
August 16, 2025, 11:47:53 AM
#17

I can't believe that there are still people that would run a file called "FULL DOCUMENT.js" from a ZIP they extracted.

Well, for all the warnings about such malware that exist online, unfortunately there are still people who would fall for this, especially those who are new on the scene. They are prone to download these things, especially if they don't verify the files or documents they try to download.

Maybe it's better for anyone to ask the community first, or someone they know who has experience, so that they would get proper guidance on what they are trying to do.

Since if they just rush everything and download without doing any verification, then probably they would suffer the possible effects of that malware.

Alone055
Hero Member
August 16, 2025, 12:54:26 PM
Merited by Mitchell (1)
#18

I can't believe that there are still people that would run a file called "FULL DOCUMENT.js" from a ZIP they extracted.

Such people are like:



And this is not all, some people would even open a file named "This File Might Infect Your PC" because they want to check out what it does, or maybe they just can't read or comprehend. The reason that ignorant people will always exist in the world is why scammers will never go out of business, because no matter what, they will always have at least a few victims who will download and run their malware and allow them to gain access to everything they have, and such people will always have some important stuff logged in on their devices because they know nothing about security.

People who are self-aware and know about these things will never download and run useless stuff on devices where they know they have important accounts, especially the ones that they use to manage their finances.
NotATether
Legendary
August 17, 2025, 02:51:04 AM
Merited by Mitchell (1)
#19

How did I know that this would be a PowerShell malware?

Anyway, there is one easy method to mitigate this. PowerShell scripts run in "Restricted mode" by default. That means you can't just unzip any ZIP file containing some PowerShell script and run it if it is not signed. Not even on your local device.

This method is the default, so if you don't use Powershell, it is good to make sure that Restricted mode has been enabled not only in your session but across the entire computer.

This kind of malware targets developers because they turn off this mode in order to run Powershell scripts that dev tools use in their own setup scripts.

Of course this doesn't work if they just buy the certificates, but then it will just be revoked.

 
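NotATether's point about the execution policy, as an added PowerShell example that is not code from any poster: it lists the policy in every scope, reports the effective one, and can set Restricted or AllSigned for both the user and machine scopes (the latter needs an elevated session). Two caveats worth knowing: Windows Server defaults to RemoteSigned rather than Restricted, and Microsoft documents the execution policy as a safety feature rather than a security boundary, since a new PowerShell process can be started with its own policy for that session.

```powershell
# Added example, not from any post in this thread. Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows; on Linux/macOS the policy is always Unrestricted.

# Policies under which an unsigned .ps1 can run. RemoteSigned is listed because
# files extracted from a ZIP do not always carry the Mark of the Web and are then
# treated as local, unsigned scripts.
$permissive = @('Unrestricted', 'Bypass', 'RemoteSigned')

function Get-ExecutionPolicyReport {
    # Get-ExecutionPolicy -List returns one object per scope in precedence order:
    # MachinePolicy and UserPolicy (Group Policy) win over Process, CurrentUser
    # and LocalMachine. Process applies to this session only.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Scope      = $_.Scope
            Policy     = $_.ExecutionPolicy
            Permissive = ($_.ExecutionPolicy.ToString() -in $permissive)
        }
    }
}

function Get-EffectiveExecutionPolicy {
    # The effective policy is the first scope, in precedence order, that is not Undefined.
    (Get-ExecutionPolicy).ToString()
}

function Set-HardenedExecutionPolicy {
    # Requires an elevated session for the LocalMachine scope. AllSigned is the
    # practical choice for developers who must run signed vendor setup scripts;
    # Restricted blocks every .ps1 file, signed or not.
    param([ValidateSet('Restricted', 'AllSigned')][string]$Policy = 'Restricted')
    Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope LocalMachine -Force
    Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope CurrentUser -Force
}

Get-ExecutionPolicyReport | Format-Table -AutoSize

$effective = Get-EffectiveExecutionPolicy
if ($effective -in $permissive) {
    Write-Warning "Effective policy is '$effective': an unsigned script extracted from a ZIP would run."
    # Uncomment in an elevated session to harden both the user and machine scopes:
    # Set-HardenedExecutionPolicy -Policy AllSigned
} else {
    Write-Host "Effective policy is '$effective'."
}
```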
Porfirii
Legendary
August 17, 2025, 12:25:27 PM
#20

-snip-

This kind of malware targets developers because they turn off this mode in order to run Powershell scripts that dev tools use in their own setup scripts.

Of course this doesn't work if they just buy the certificates, but then it will just be revoked.

Developers should have the knowledge to avoid the risks this malware poses, and they would have to make a number of mistakes for it to work as you said: first of all, they shouldn't keep crypto on a device they'll use for other purposes online; they shouldn't download files from dubious sources; if AVs are able to detect it after scanning the downloaded file, they should perform a scan by default; they should use safer OSs and browsers...
