Heard of the hot new cryptocurrency SpriteCoin? No? That's because it's a fictional fairy tale cooked up by cyber-crooks as a ruse to infect wannabe miners with a particularly devilish ransomware program.
In a 22 January blog post, researchers from Fortinet's FortiGuard Labs team warn that SpriteCoin ransomware not only encrypts computers' files, but also harvests Chrome and Firefox browser credentials, stores them using an embedded SQLite engine, and then transmits them to the malicious actors' Tor website via POST requests.
Although SpriteCoin may not exist, the adversaries are certainly taking advantage of genuine digital currency to receive their ransom payments. In a somewhat unusual twist, however, the actors are demanding payment not in Bitcoin, but in Monero, a cryptocurrency gaining in popularity among cyber-criminals because its wallet addresses remain anonymous.
Even if victims pay the 0.3 Monero ransom (worth around US$90/£63 as of 23 January), the SpriteCoin malware doesn't necessarily deliver a working decryption key – and worse, it downloads a secondary malware program, identified as W32/Generic!tr, capable of harvesting certificates, parsing keys, and surreptitiously activating web cameras.
“This sample, while not highly sophisticated, is unique in that it targets victims interested in cryptocurrency, and then provides a secondary malicious component instead of just asking for the ransom,” said Tony Giandomenico, senior security strategist and researcher with Fortinet FortiGuard Labs, in an email interview with SC Media. “Threat actors are doing their homework when targeting end users, and we can safely predict more of the same to come in the future.”
Based on unconfirmed reports, Fortinet believes the primary attack vector for SpriteCoin ransomware is online forums, using cryptocurrency-themed spam to entice viewers into downloading the malicious SpriteCoin wallet app package via a link.
“The allure of quick wealth through cryptocurrency seems to be enough to trick unsuspecting users to rush toward the wallet app du jour without consideration,” states the FortiGuard Labs blog post.
Users who download the malware receive a prompt to enter a wallet password, with the option of leaving the input field blank. Upon clicking the “Next Step” button, users next see a progress bar and a corresponding message that the package is downloading the blockchain – but in reality, the malware is encrypting a variety of files.
Discovered the week of 15 January and observed in the wild as spritecoind[.]exe, the SpriteCoin malware is reportedly UPX-packed for evasion purposes, and connects to the adversaries' anonymous Tor site via an onion proxy that lets victims communicate with the dark web URL without forcing them to establish a Tor connection first.