162. That's How Threat Actors Steal Cryptocurrency Wallet Credentials and Seed Phrases
Hello everyone!
Adversaries have all sorts of motivations for their attacks, but most of them want money, at least at some point. Cryptocurrency wallets on victims' hosts are an obvious target.
Kaspersky released a report on an activity cluster we track as Rare Werewolf (Kaspersky calls it Librarian Ghouls). The report has lots of curious things to detect and hunt for, but let's focus on how the actor collects cryptocurrency wallet credentials and seed phrases:
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\wallet.dat /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.txt /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*seed*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\keystore.json /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*bitcoin*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*usdt*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*ethereum*.* /y
As you can see, the adversary runs a command-line archiver staged as driver.exe under %SYSTEMDRIVE%\Intel (the syntax is the RAR one: `a` adds files, `-r` recurses into subdirectories, and the redacted switch is where a password would sit), collecting every file whose name contains a related keyword into wallet.rar. The Cyrillic stems are парол (password), карт (card, as in bank card) and кошельк (wallet). We can reuse the same keywords to build a query:
event_type: "processcreatewin"
AND
cmdline: ("парол" OR "карт" OR "кошельк" OR "wallet" OR "seed" OR "keystore" OR "bitcoin" OR "usdt" OR "ethereum")
Keep in mind this is a hunting query, not an alert: short stems like "seed", "wallet" or "карт" show up in plenty of legitimate command lines. To cut the noise, pair the keywords with the archiver context you saw above, for example an `a -r` add-and-recurse command, a `.rar` output path, or a binary running from an odd staging directory such as %SYSTEMDRIVE%\Intel\.
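To show how much the archiver context buys you, here is an added example (my code, not Kaspersky's tooling and not part of the original post) that runs the keyword-only logic and a refined version side by side over a handful of constructed process-creation command lines. The keyword list is the one from the query above; the regular expression for the RAR-style "add" command shape and the sample events are assumptions written for this illustration.

```python
"""Triage Windows process-creation command lines for wallet-harvesting
archiver activity. Added example: the keyword stems come from the query
above, everything else (the regex, the sample events) is constructed here."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Keyword stems from the page's query. Cyrillic stems translate as:
# парол = password, карт = card (bank card), кошельк = wallet.
WALLET_KEYWORDS = (
    "парол", "карт", "кошельк", "wallet", "seed",
    "keystore", "bitcoin", "usdt", "ethereum",
)

# Hypothetical pattern for a rar/WinRAR-style "add" command:
#   <exe> a <switches...> <archive> <files...>
# The adversary's driver.exe lines fit this shape (command 'a', switch '-r',
# a redacted password switch, a .rar output, then the file masks).
ARCHIVER_ADD = re.compile(
    r"""
    (?:^|\s)(?:"[^"]*\.exe"|\S+\.exe)\s+          # executable (quoted or not)
    a\s+                                          # 'a' = add files to archive
    (?P<switches>(?:-\S+\s+)*)                    # e.g. -r -p<password>
    (?P<archive>"[^"]+\.(?:rar|zip|7z)"|\S+\.(?:rar|zip|7z))\s+
    (?P<targets>.+)$                              # file masks being collected
    """,
    re.IGNORECASE | re.VERBOSE,
)


@dataclass(frozen=True)
class Verdict:
    cmdline: str
    keywords: tuple[str, ...]   # wallet-related stems found anywhere in cmdline
    archiver_add: bool          # matches the archiver 'add' shape
    recursive: bool             # '-r' switch present
    archive: str | None         # output archive path, if any

    @property
    def naive_hit(self) -> bool:
        """What the keyword-only cmdline query above would flag."""
        return bool(self.keywords)

    @property
    def suspicious(self) -> bool:
        """Keyword hit AND archiver-add syntax: far fewer false positives."""
        return self.naive_hit and self.archiver_add


def analyze(cmdline: str) -> Verdict:
    lowered = cmdline.lower()  # str.lower() folds Cyrillic too, so "Кошельк" matches
    keywords = tuple(k for k in WALLET_KEYWORDS if k in lowered)
    m = ARCHIVER_ADD.search(cmdline)
    if m is None:
        return Verdict(cmdline, keywords, False, False, None)
    switches = m.group("switches").lower().split()
    return Verdict(cmdline, keywords, True, "-r" in switches, m.group("archive"))


# Constructed sample command lines (not real telemetry).
SAMPLE_EVENTS = [
    # 1-2: shaped like the Rare Werewolf lines quoted above
    r"%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*seed*.* /y",
    r"%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y",
    # 3: legitimate backup with the same archiver syntax, no wallet keywords
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -r D:\backup\photos.rar D:\Photos\*.jpg',
    # 4: benign process whose cmdline contains "seed"; the naive query fires on it
    r'python.exe -c "import random; random.seed(42)"',
]


def naive_hits(events: list[str]) -> list[str]:
    """Events the keyword-only query would return."""
    return [e for e in events if analyze(e).naive_hit]


def refined_hits(events: list[str]) -> list[str]:
    """Events that also carry the archiver add-and-collect context."""
    return [e for e in events if analyze(e).suspicious]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        v = analyze(e)
        print(f"naive={v.naive_hit!s:5} refined={v.suspicious!s:5} "
              f"recursive={v.recursive!s:5} keywords={v.keywords} archive={v.archive}")
```

On the four constructed events the keyword-only logic returns three (both driver.exe lines plus the harmless `random.seed` call), while requiring the archiver "add" shape drops the Python false positive and leaves the two collection commands; the WinRAR photo backup is ignored by both because it contains no wallet keyword. Note the limit of this refinement: an actor who archives `C:\Users\*\Documents\*.*` wholesale would still slip past it, which is why the staging directory and the password switch are worth separate hunts.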
See you tomorrow!