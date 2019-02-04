

New con alert! A sneaky malware seeking to mine your cryptocurrency

Recent research by Kaspersky found that a malicious program called ‘Razy’ infects browser extensions and spoofs search results with the sole aim of searching for cryptocurrency.

By Aihik Sur
Express News Service

HYDERABAD: Ever wondered why, when you open your internet browser on a desktop, spam advertisements that often lean towards pornography pop up?

That might be because one of your browser extensions has been infected with a malicious program looking for cryptocurrency to steal. Recent research by Kaspersky found that a malicious program called ‘Razy’ infects browser extensions and spoofs search results with the sole aim of searching for cryptocurrency. To understand this, we first have to understand how cryptocurrency can be stolen in the first place. According to Manoharan Ramachandra, a research candidate at Bournemouth University, the chances depend on how and where it is kept. “Cryptocurrencies are values that are stored in a blockchain under different addresses. One can exchange these values between different addresses using the private key of each address,” Ramachandra says.

“If an address and private key are stored somewhere, it is called a wallet. If you have a private wallet where you can control your private key, then you are solely responsible for your cryptos. If you lose your private key, you will lose your money forever,” he adds. In Razy’s case, the malicious program searches for cryptocurrency wallet addresses on websites and replaces them with the threat actor’s wallet addresses. So far, researchers have found that the malicious program Trojan.Win32.Razy.gen “works” on Google Chrome, Mozilla Firefox and Yandex Browser.
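As an added illustration (not from the article or from Kaspersky’s report), the following Python script shows the defender-side check implied by this description: compare the wallet addresses in the HTML the server actually sent with those in the page as the browser rendered it, so an in-browser substitution stands out. The address patterns and the sample page are constructed assumptions, not data from the report.

```python
import re

# Assumed address shapes: legacy (1.../3...) and bech32 (bc1...) Bitcoin,
# and 0x-prefixed 40-hex-digit Ethereum. Good enough to spot tampering;
# not a validity check (no checksum verification).
BTC_RE = r"(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"
ETH_RE = r"0x[a-fA-F0-9]{40}"
ADDRESS_RE = re.compile(r"\b(?:" + BTC_RE + "|" + ETH_RE + r")\b")


def extract_addresses(html: str) -> list[str]:
    """Return every wallet-address-looking token in document order."""
    return ADDRESS_RE.findall(html)


def find_substitutions(served_html: str, rendered_html: str) -> dict[str, list[str]]:
    """Compare addresses the server delivered with addresses the user sees.

    'removed'  = addresses present in the served HTML but gone from the DOM
    'injected' = addresses in the DOM that the server never sent
    A non-empty 'injected' list with a matching 'removed' entry is exactly the
    in-place wallet swap described above.
    """
    served = extract_addresses(served_html)
    rendered = extract_addresses(rendered_html)
    return {
        "removed": [a for a in served if a not in rendered],
        "injected": [a for a in rendered if a not in served],
    }


def is_tampered(served_html: str, rendered_html: str) -> bool:
    """True when any address was added, removed or replaced in the browser."""
    diff = find_substitutions(served_html, rendered_html)
    return bool(diff["removed"] or diff["injected"])


# Constructed sample: what the server sent, and the same page after a
# hypothetical extension rewrote the Bitcoin donation address in the DOM.
SERVED_HTML = (
    "<p>Donate BTC: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</p>\n"
    "<p>Donate ETH: 0xabababababababababababababababababababab</p>"
)
RENDERED_HTML = SERVED_HTML.replace(
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "1AttackerWa11etP1aceho1derXXXXXXXX"
)

if __name__ == "__main__":
    print(find_substitutions(SERVED_HTML, RENDERED_HTML))
```

In practice the "served" side comes from a fetch outside the browser profile (or a server-side hash of the page) and the "rendered" side from the live DOM; a mismatch points at something sitting between the two, such as a compromised extension.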

In Firefox, Razy installs an extension called ‘Firefox Protection’. In Yandex Browser, it edits a file to disable the browser’s security check and creates a registry key to disable browser updates. Thereafter, it installs a malicious extension called Yandex Protect. Similarly, in Google Chrome, it edits files, disables the security check and infects an existing extension.

“Main.js (a script in the Razy program) also spoofs Google and Yandex search results. Fake search results are added to pages if the search request is connected with cryptocurrencies and cryptocurrency exchanges, or just music downloading or torrents,” the report said. This is how users are enticed to visit infected websites, or legitimate websites laced with scam/fake messages that typically tell the user about “new features”.

A rather dangerous ‘good deal’

According to the Kaspersky report, Razy’s scripts display fake messages to the user about “new features” in the (cryptocurrency) exchanges and offer to sell cryptocurrency at above-market rates. In other words, users are persuaded to transfer their money to the cybercriminal’s wallet under the pretext of a good deal.


