Sophisticated Malware Targets Cryptocurrency with Multi-Stage Loaders, 86,000 Infected Globally

Sophisticated Malware Campaign Exploits Multi-Stage Loaders to Hijack Cryptocurrency Transactions

A sophisticated malware campaign has been identified, targeting cryptocurrency users worldwide through a complex, multi-stage infection process. This operation employs a loader known as CountLoader, which sequentially utilizes JavaScript, PowerShell, and shellcode to deploy a crypto clipper—a malicious program designed to intercept and redirect cryptocurrency transactions.

Infection Mechanism

The attack initiates with the execution of a malicious executable (EXE) file that triggers a PowerShell command. This command downloads an obfuscated JavaScript loader and executes it via `mshta.exe`, a legitimate Windows utility often exploited by attackers due to its trusted status within the operating system. This method allows the malware to operate discreetly, blending into normal system activities and evading initial detection.

Once the JavaScript loader is active, it establishes persistence by creating a scheduled task that runs every 30 minutes. This ensures the malware remains operational even after system reboots. The loader then decodes a Base64-encoded payload and executes it using the `Invoke-Expression` cmdlet, a technique commonly used to run hidden code without writing it to disk.

Subsequently, CountLoader takes control as an HTML Application (HTA) file loaded through `mshta.exe`. It conceals its window, attempts to delete its own file if executed locally, and cycles through command-and-control (C2) servers until it establishes a connection. Upon successful connection, it performs an encrypted handshake, retrieves a JSON Web Token (JWT), and transmits details about the infected host, including any installed cryptocurrency wallets or browser extensions.
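Because the loader is re-launched by a task on a fixed 30-minute schedule, its C2 check-ins tend to leave a periodicity signature in outbound connection logs, whichever server it ends up talking to. The following is an added example (not code from the McAfee Labs analysis or from this article) that flags source/destination pairs whose connection gaps are nearly constant; the log format, host names, IP addresses and timestamps are all constructed for the illustration.

```python
"""Flag hosts whose outbound connections to one destination recur on a fixed
interval, the traffic shape a scheduled task firing every 30 minutes produces.

Added illustration, not code from the McAfee Labs analysis. The log format and
every host name, IP and timestamp below are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy/firewall-style records: "timestamp src_host dst_ip".
# ws-17 checks in with 203.0.113.10 every half hour; ws-22 browses irregularly.
SAMPLE_LOG = """\
2024-05-01T08:00:05 ws-17 203.0.113.10
2024-05-01T08:00:09 ws-17 198.51.100.4
2024-05-01T08:30:07 ws-17 203.0.113.10
2024-05-01T09:00:06 ws-17 203.0.113.10
2024-05-01T09:30:08 ws-17 203.0.113.10
2024-05-01T10:00:05 ws-17 203.0.113.10
2024-05-01T08:03:11 ws-22 198.51.100.4
2024-05-01T08:41:50 ws-22 198.51.100.4
2024-05-01T09:02:13 ws-22 198.51.100.4
2024-05-01T10:55:01 ws-22 198.51.100.4
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def periodic_pairs(series, min_connections=4, max_jitter_ratio=0.05):
    """Return (src, dst, period_seconds) for pairs whose inter-arrival gaps are
    nearly constant: relative standard deviation below max_jitter_ratio.
    A few seconds of jitter is expected; a user's browsing is far noisier."""
    hits = []
    for (src, dst), stamps in series.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter_ratio:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, period in periodic_pairs(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: connects every ~{period // 60} min")
```

Grouping by (source, destination) assumes the beacon keeps hitting the same address; since the article says the loader cycles through several C2 servers until one answers, a production version would also run the same test on each source host's connections grouped by destination port or ASN, so rotation between servers does not split the series.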

The final stages involve a PowerShell packer that decrypts and launches a shellcode injector. Before injection, the script disables the Antimalware Scan Interface (AMSI), a Windows feature designed to detect malicious scripts, using a known public bypass method. The shellcode then loads the final payload directly into memory under `systeminfo.exe`, avoiding disk writes and thereby reducing the likelihood of detection by security tools.

Scope and Impact

Analysts at McAfee Labs have reported that this campaign has infected approximately 86,000 unique machines globally. On average, around 5,000 infected systems connect to the C2 infrastructure every minute. The highest infection rates have been observed in India, followed by Indonesia and the United States, with significant activity across Southeast Asia.

In addition to internet-based propagation, the malware also spreads through USB drives. When instructed by its C2 server, CountLoader replaces files on connected external drives with LNK shortcut files. Opening one of these shortcuts silently executes the malware while also opening the original file, making the activity appear normal to the user. Approximately 9,000 infections have been traced back to this USB-based method.

Final Payload: Crypto Clipper

The ultimate objective of this campaign is to deploy a cryptocurrency clipper. Once loaded into memory, the clipper monitors the clipboard in the background. When a user copies a cryptocurrency wallet address, the clipper replaces it with an address controlled by the attacker, effectively rerouting funds without any visible warning to the victim.
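The clipper's behaviour has a distinctive shape from the defender's side: an address-like string lands on the clipboard and, moments later, is replaced by a different string of the same address family without the user copying anything. The following is an added example (not code from the McAfee Labs analysis or from this article) that applies that heuristic to a sequence of clipboard snapshots. Real monitoring would need an OS clipboard hook; here the snapshots, timestamps and addresses are constructed, and the regular expressions check address shape only, not checksums.

```python
"""Detect the behavioural signature of a clipboard clipper: a copied wallet
address that is silently replaced by a different address of the same family.

Added illustration, not code from the McAfee Labs analysis. Snapshots and
addresses are constructed; the patterns check shape only, not checksums."""
import re
from datetime import datetime

# Shape-only patterns for common address families (constructed for the example).
ADDRESS_FAMILIES = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text):
    """Return the family name an address-like string matches, else None."""
    for name, pattern in ADDRESS_FAMILIES.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_swaps(snapshots, max_gap_seconds=5):
    """snapshots: list of (iso_timestamp, clipboard_text) in observation order.
    Returns (original, replacement, family) tuples where one address was
    replaced by a different address of the same family within
    max_gap_seconds, i.e. faster than a person normally copies a second one."""
    swaps = []
    for (t_prev, prev), (t_now, now) in zip(snapshots, snapshots[1:]):
        fam_prev, fam_now = address_family(prev), address_family(now)
        if fam_prev is None or fam_prev != fam_now or prev == now:
            continue
        gap = (datetime.fromisoformat(t_now)
               - datetime.fromisoformat(t_prev)).total_seconds()
        if 0 <= gap <= max_gap_seconds:
            swaps.append((prev, now, fam_prev))
    return swaps


# Constructed clipboard history: an ETH address is overwritten one second
# after being copied; two BTC addresses copied minutes apart are normal use.
SAMPLE_SNAPSHOTS = [
    ("2024-05-01T12:00:00", "meeting notes for thursday"),
    ("2024-05-01T12:00:30", "0x1111111111111111111111111111111111111111"),
    ("2024-05-01T12:00:31", "0x2222222222222222222222222222222222222222"),
    ("2024-05-01T12:05:00", "bc1qexamplesampleaddressxxxxxxxxxxxxxxxxx"),
    ("2024-05-01T12:09:00", "bc1qfreshsampleaddressyyyyyyyyyyyyyyyyyyy"),
]

if __name__ == "__main__":
    for original, replacement, family in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"{family} address replaced: {original} -> {replacement}")
```

The five-second window is the tunable part: a clipper must act before the user pastes, so it swaps almost immediately, while a person copying two addresses in a row takes noticeably longer. The same check is what a user can do by hand, comparing the pasted address against the copied one before sending funds.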

Technical Analysis

The infection chain is meticulously designed to evade detection at every stage. A scheduled task created right after the initial EXE runs fires every 30 minutes, so persistence is in place from the very first step. The PowerShell script then decodes a Base64 payload and runs it using `Invoke-Expression`, a common technique for executing hidden code without writing anything to disk.

CountLoader then takes control as an HTA file loaded through `mshta.exe`. It hides its window, attempts to erase its own file if run locally, and cycles through command servers until one responds. Once connected, it performs an encrypted handshake, retrieves a JWT, and sends back details about the infected host, including any installed cryptocurrency wallets or browser extensions.

The next stages involve a PowerShell packer that decrypts and launches a shellcode injector. Before injecting, the script disables AMSI, a Windows feature designed to catch malicious scripts, using a known public bypass. The shellcode then loads the final payload directly into memory under `systeminfo.exe`, never touching the disk, making it significantly harder for security tools to detect.
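The chain laid out in the Infection Mechanism and Technical Analysis sections is made of stages that are each individually observable in process-creation telemetry: PowerShell launching `mshta.exe`, a Base64 blob decoded straight into `Invoke-Expression`, a task repeating every 30 minutes, and `systeminfo.exe` started by a script host rather than by an interactive shell. The following is an added example (not code from the McAfee Labs analysis or from this article) that scores simplified, Sysmon-like events against those stages. The events and file names are constructed, and the `schtasks.exe` switches are an assumption about how such a task could be registered, since the article does not state which mechanism the loader uses.

```python
"""Score process-creation events for the loader-chain stages described in the
article, and count how many distinct stages appear in one event stream.

Added illustration, not code from the McAfee Labs analysis. Events are a
constructed, simplified Sysmon-like record (image, parent image, command line).
The schtasks switches are an assumption about how a 30-minute task might be
registered; the article does not say how the loader creates it."""
import re

# Each rule: (name, predicate over one event). Every rule has benign hits on
# its own; the chain score below is what separates this loader from admin work.
RULES = [
    ("mshta.exe launched by PowerShell",
     lambda e: e["image"] == "mshta.exe" and e["parent"] == "powershell.exe"),
    ("Base64 payload into Invoke-Expression",
     lambda e: e["image"] == "powershell.exe"
     and re.search(r"FromBase64String", e["cmd"], re.I) is not None
     and re.search(r"Invoke-Expression|\bIEX\b", e["cmd"], re.I) is not None),
    ("Scheduled task repeating every 30 minutes",
     lambda e: e["image"] == "schtasks.exe"
     and re.search(r"/create", e["cmd"], re.I) is not None
     and re.search(r"(/sc\s+minute\s+/mo\s+30|/ri\s+30)\b", e["cmd"], re.I) is not None),
    ("systeminfo.exe started by a script host",
     lambda e: e["image"] == "systeminfo.exe"
     and e["parent"] in ("powershell.exe", "mshta.exe")),
]

# Constructed events. "dropper-sample.exe" stands in for the initial EXE.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "explorer.exe", "parent": "userinit.exe",
     "cmd": "explorer.exe"},
    {"pid": 5201, "image": "powershell.exe", "parent": "dropper-sample.exe",
     "cmd": "powershell.exe -w hidden -c IEX ([Text.Encoding]::UTF8.GetString("
            "[Convert]::FromBase64String($b)))"},
    {"pid": 5230, "image": "mshta.exe", "parent": "powershell.exe",
     "cmd": "mshta.exe C:\\Users\\Public\\loader.hta"},
    {"pid": 5244, "image": "schtasks.exe", "parent": "mshta.exe",
     "cmd": "schtasks.exe /create /tn Updater /sc minute /mo 30 /tr mshta.exe"},
    {"pid": 5310, "image": "systeminfo.exe", "parent": "powershell.exe",
     "cmd": "systeminfo.exe"},
    # Benign look-alikes: systeminfo from a console, PowerShell without decoding.
    {"pid": 6001, "image": "systeminfo.exe", "parent": "cmd.exe",
     "cmd": "systeminfo.exe"},
    {"pid": 6010, "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell.exe Get-Process"},
]


def evaluate(events):
    """Return (pid, rule_name) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, matches in RULES:
            if matches(event):
                hits.append((event["pid"], name))
    return hits


def chain_score(events):
    """Number of distinct chain stages seen in the stream. Several stages on
    one host within a short window is far stronger evidence than any single
    rule, which is how the rules should be combined in a real detection."""
    return len({name for _, name in evaluate(events)})


if __name__ == "__main__":
    for pid, name in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
    print(f"distinct stages observed: {chain_score(SAMPLE_EVENTS)}")
```

In a SIEM the four rules would be joined on host and a time window rather than on a single list, but the shape is the same: each stage is a weak signal, and the loader is recognisable because it produces all of them in sequence. The AMSI bypass the article mentions is deliberately not matched by a command-line pattern here, since public bypasses vary and are better covered by script-block logging and the AMSI provider's own telemetry.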

Mitigation and Recommendations

To protect against such sophisticated malware campaigns, users and organizations should implement the following measures:

1. Regular Software Updates: Ensure that all operating systems and software applications are up to date with the latest security patches.

2. Antivirus and Anti-Malware Solutions: Deploy reputable security software that can detect and prevent malware infections.

3. User Education: Educate users about the risks of downloading and executing files from untrusted sources, including email attachments and USB drives.

4. Disable AutoRun for Removable Media: Configure systems to prevent the automatic execution of files on removable media to reduce the risk of USB-based infections.

5. Monitor System Activity: Regularly review system logs and network traffic for signs of unusual activity that may indicate a malware infection.

By implementing these measures, individuals and organizations can enhance their defenses against complex malware campaigns designed to hijack cryptocurrency transactions.