Fake TradingView Site Distributes Needle Stealer Malware Targeting Traders and Investors

Beware: Fake TradingView AI Agent Site Distributes Needle Stealer Malware

A recent cybersecurity threat has emerged, targeting traders and investors by impersonating the reputable financial platform TradingView. Cybercriminals have established a counterfeit website promoting TradingClaw, an alleged AI-powered trading assistant. Unsuspecting users who download and execute this tool inadvertently install Needle Stealer, a sophisticated malware designed to covertly extract sensitive information from their devices.

The Deceptive Strategy

TradingView is a trusted resource among retail traders, analysts, and investors for charting and market analysis. Exploiting this trust, attackers have created a fraudulent site at tradingclaw[.]pro, styled to look like a legitimate AI trading product. The site has no connection to the genuine startup at tradingclaw[.]chat, whose name it borrows. By presenting a seemingly credible tool, the attackers capitalize on the growing interest in AI-driven trading applications.

Discovery and Analysis

Researchers at Malwarebytes identified this campaign during routine threat hunting. They linked it to a previously documented malware loader, now repurposed to deliver Needle Stealer as the final payload. This modular approach allows the operation to scale efficiently and complicates attribution, as defenders may recognize the loader but overlook the new payload concealed within.

The Threat of Needle Stealer

Needle Stealer is engineered to extract browser cookies, saved passwords, login sessions, and cryptocurrency wallet credentials from infected systems. It also installs malicious browser extensions, granting attackers persistent control over the victim’s browser. The financial repercussions can be severe, as the malware is specifically designed to drain crypto wallets and monitor account activity across various platforms.

Evasion Techniques

The counterfeit TradingClaw site uses cloaking to evade detection. When accessed by search engine crawlers or security scanners, the site redirects to an unrelated, benign website. Only specific visitors, likely those matching the profile of a real target, are served the malicious content. This selective behavior keeps the site out of automated blocklists and lets the campaign remain active longer.
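A quick way to test a suspect page for this kind of visitor filtering is to fetch it under several client profiles and compare where each request ends up. The following is an added example, not code from the article or from Malwarebytes; the profile headers, the placeholder lure URL and the decoy host are assumptions, and the fetch function is injectable so the comparison logic runs offline against a constructed stand-in for a cloaking server.

```python
"""Probe a site for user-agent based cloaking: request the same URL under several
client profiles and report whether they land on different hosts.

Added example, not the article's or Malwarebytes' code. PROFILES, the lure URL
and the decoy host are assumptions made for illustration."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Client profiles a cloaking filter commonly keys on (assumption: user-agent based).
PROFILES = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
                "Accept-Language": "en-US,en;q=0.9"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "scanner": {"User-Agent": "curl/8.5.0"},
}


def fetch_final_url(url, headers, timeout=10):
    """Follow redirects and return (final_url, status). This one does a real network call."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.geturl(), resp.status
    except urllib.error.HTTPError as err:
        return err.geturl(), err.code


def probe_cloaking(url, fetch=fetch_final_url):
    """Return (is_cloaked, {profile: final_host}).

    The site is reported as cloaked when different client profiles are sent to
    different hosts. `fetch` is injectable so the logic can be exercised offline."""
    hosts = {}
    for name, headers in PROFILES.items():
        final_url, _status = fetch(url, headers)
        hosts[name] = urlsplit(final_url).netloc.lower()
    return len(set(hosts.values())) > 1, hosts


def fake_cloaking_fetch(url, headers):
    """Constructed stand-in for a cloaking server: crawlers and scanners are
    bounced to an unrelated decoy host, browser-like clients stay on the lure page."""
    ua = headers.get("User-Agent", "")
    if "Googlebot" in ua or ua.startswith("curl/"):
        return "https://decoy.example/", 200
    return url, 200


if __name__ == "__main__":
    cloaked, hosts = probe_cloaking("https://lure.example/", fetch=fake_cloaking_fetch)
    print("cloaked:", cloaked, hosts)
```

Pass the real `fetch_final_url` (the default) to probe a live site. A same-host result from one vantage point is not proof the site is clean: cloaking filters also key on source IP, geolocation, referrer and client-side JavaScript, none of which this probe varies.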

Infection Mechanism

Visitors who proceed on the fake TradingClaw site are prompted to download a ZIP file containing the initial stage of the infection chain. This stage relies on DLL hijacking (also called DLL sideloading): a malicious DLL is given the name of a library that a legitimate program loads automatically and is placed in a directory the Windows loader searches before the real one. When the legitimate program runs, it loads the fake library instead of the real one, and the malicious code executes without the user noticing anything unusual.

In this campaign, the legitimate Windows binary abused is RegAsm.exe, the .NET Framework's Assembly Registration Tool. The first-stage executable from the ZIP loads the sideloaded second-stage DLL, and that DLL uses process hollowing to place Needle Stealer inside RegAsm.exe: in general terms, the technique starts the target process in a suspended state, replaces its in-memory image with the payload, and resumes it, so the stealer runs under the name of a trusted, Microsoft-signed process.
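Both steps of this chain leave footprints in endpoint telemetry: a DLL carrying a well-known system-library name loading from a user-writable directory, and RegAsm.exe being started by a parent that has no business launching it. The hunt logic below is an added example, not code from the article or from Malwarebytes. It runs over constructed Sysmon-style events (dicts keyed like event 1 process-creation and event 7 image-load fields); the field names, the allow-lists and every path and file name in the sample data are assumptions made for illustration, not indicators from the campaign.

```python
"""Hunt for two behaviours of the infection chain over constructed Sysmon-style
events: search-order DLL hijacking (a system-library name loaded from outside
the system directories) and RegAsm.exe spawned by an unexpected parent.

Added example, not from the article or Malwarebytes. Event layout, allow-lists
and sample paths are assumptions; adapt them to your telemetry."""
import ntpath

# Where these DLLs legitimately live; anything else is a sideload candidate (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Library names frequently hijacked via DLL search order (illustrative, not exhaustive).
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
                  "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll"}

# Parents that plausibly launch RegAsm.exe on a developer or build host (assumption).
REGASM_PARENT_ALLOW = {"devenv.exe", "msbuild.exe", "msiexec.exe", "installutil.exe"}

# Path fragments that indicate a user-writable location (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _base(path):
    return ntpath.basename((path or "").lower())


def check_image_load(ev):
    """Sysmon EID 7: a well-known system DLL loaded from outside the system directories."""
    if ev.get("EventID") != 7:
        return None
    loaded = (ev.get("ImageLoaded") or "").lower()
    if _base(loaded) in SIDELOAD_NAMES and not loaded.startswith(SYSTEM_DIRS):
        return f"dll-sideload: {ev.get('Image')} loaded {ev.get('ImageLoaded')}"
    return None


def check_process_create(ev):
    """Sysmon EID 1: RegAsm.exe spawned by a parent outside the allow-list.

    Hollowing generally starts its host binary with no real arguments (a property
    of the technique, not a claim about this sample), so an empty command line
    adds weight to the finding."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "regasm.exe":
        return None
    parent = (ev.get("ParentImage") or "").lower()
    if _base(parent) in REGASM_PARENT_ALLOW:
        return None
    reasons = ["unexpected parent " + (ev.get("ParentImage") or "?")]
    if any(seg in parent for seg in USER_WRITABLE):
        reasons.append("parent in user-writable path")
    cmd = (ev.get("CommandLine") or "").strip().strip('"').lower()
    if cmd in ("", (ev.get("Image") or "").lower()):
        reasons.append("no assembly argument")
    return "regasm-host: " + "; ".join(reasons)


def hunt(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in (check_image_load, check_process_create):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry; all paths and file names are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Tool\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                        # benign
    {"EventID": 7, "Image": r"C:\Users\trader\Downloads\Claw\launcher.exe",
     "ImageLoaded": r"C:\Users\trader\Downloads\Claw\version.dll"},             # sideload
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": r"RegAsm.exe /codebase MyLib.dll"},                         # benign
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\trader\Downloads\Claw\launcher.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},  # hollow host
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The parent allow-list is deliberately short: on a trader's workstation RegAsm.exe should almost never run at all, so a rule that alerts on any RegAsm.exe launch outside build tooling is low-noise there. On developer hosts, pair the process-creation check with the image-load check and with network connections from RegAsm.exe, which a hollowed stealer will make and a registration tool will not.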

Protective Measures

To safeguard against such threats, users should:

– Verify Sources: Always download software from official websites or trusted sources.

– Exercise Caution: Be wary of unsolicited offers, especially those promising high returns or advanced tools.

– Maintain Security Software: Keep antivirus and anti-malware programs updated to detect and prevent infections.

– Regular Updates: Ensure operating systems and applications are up-to-date to patch vulnerabilities.

– Educate Yourself: Stay informed about common phishing tactics and malware distribution methods.

By remaining vigilant and adopting these practices, users can significantly reduce the risk of falling victim to such deceptive campaigns.