A new malware called CoinLurker is targeting cryptocurrency users through deceptive software update notifications, security researchers revealed Monday. The sophisticated malware uses advanced techniques to steal cryptocurrency wallet data while avoiding detection.
The attackers deploy fake update alerts through multiple channels, including compromised WordPress sites, malicious ads, phishing emails, and fake CAPTCHA prompts. These alerts leverage Microsoft Edge Webview2 technology to execute the malicious payload.
"Webview2's dependency on pre-installed components and user interaction makes it difficult for security systems to detect the threat during analysis," explained Morphisec researcher Nadav Lorber.
The malware authors use an innovative technique called EtherHiding, where compromised websites connect to Web3 infrastructure to download the final payload. The malicious files are disguised as legitimate updates like "UpdateMe.exe" or "SecurityPatch.exe" and are signed with stolen Extended Validation certificates to appear trustworthy.
Once activated, CoinLurker targets cryptocurrency wallets including Bitcoin, Ethereum, Ledger Live, and Exodus. It also harvests data from popular applications like Telegram, Discord, and FileZilla. The malware employs sophisticated obfuscation methods to hide its activities and avoid detection by security tools.
Written in the Go programming language, CoinLurker uses multiple layers of deception, including:
- Runtime memory decoding of payloads
- Complex execution paths with conditional checks
- Redundant resource assignments
- Memory manipulation techniques
The malware establishes communication with remote servers using socket connections to transmit stolen data. Its ability to target both mainstream and lesser-known cryptocurrency wallets demonstrates its versatility as a threat to digital asset holders.
Security experts advise users to be cautious of unexpected update prompts and to verify software updates only through official channels and legitimate application interfaces.