URL: https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates



COINLURKER: THE STEALER POWERING THE NEXT GENERATION OF FAKE UPDATES

Posted by Nadav Lorber on December 16, 2024

The evolution of fake update campaigns has advanced significantly with the
emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data
while evading detection. Written in Go, CoinLurker employs cutting-edge
obfuscation and anti-analysis techniques, making it a highly effective tool in
modern cyberattacks. 




INTRODUCTION 

Building on the deceptive strategies of SocGholish, ClearFake, ClickFix and
FakeCAPTCHA, attackers now combine highly convincing fake update prompts with
stealthy payloads like CoinLurker. These campaigns leverage innovative methods,
such as EtherHiding and in-memory execution, to bypass traditional security
defenses and obscure the malware’s origin.

In this blog, we examine the evolution of fake update campaigns, the techniques
enabling CoinLurker’s success, and actionable strategies for defending against
this next-generation threat.  


DELIVERY TACTICS AND TECHNIQUES 

Fake update campaigns initiate infections through various deceptive entry points
that exploit user trust in common actions like: 

 * Fake Software Update Notifications

Malicious websites prompt users to download fake updates, disguised as essential
software patches. This vector is often observed on compromised WordPress sites,
where attackers exploit vulnerabilities to deliver fake update prompts. 

 * Malvertising Redirects 

Compromised ads on legitimate sites redirect users to malicious pages, prompting
fake updates or CAPTCHA verifications. 

 * Phishing Emails 

Emails link to spoofed update or CAPTCHA pages, tricking users into downloading
malware disguised as security updates. 

 * Fake CAPTCHA Prompts 

FakeCAPTCHA introduces malicious CAPTCHA prompts that deliver malware instead of
verifying users. 

 * Direct Downloads from Fake or Compromised Sites 

Malicious actors host fake updates on compromised or deceptive download sites,
luring users into installing malware. 

 * Social Media and Messaging Links 

Links shared on social platforms lead to malicious sites disguised as update or
verification pages. 

Each of these vectors effectively disguises malware as routine actions,
initiating the infection chain with minimal user suspicion. 

 


LEVERAGING MICROSOFT EDGE WEBVIEW2 AS A STAGER 

The stager uses Microsoft Edge WebView2 to execute the malware, presenting a GUI
that mimics legitimate browser update tools. Any interaction with the GUI, whether
clicking a button or closing the window, triggers payload execution.

Figure 1: Fake Browser Update WebView2 GUI

Figure 2: Chrome fake update WebView2 GUI

WebView2’s dependency on pre-installed components and user interaction
complicates dynamic and sandbox analysis. Sandboxes often lack the WebView2
runtime or fail to replicate user actions, allowing the malware to evade
automated detection.

 

Figure 3: Screenshot of WebView2 installation within a sandbox



THE OBFUSCATION CHAIN: SMART CONTRACTS TO TRUSTED PLATFORMS 

Binance Smart Contract → Actor-controlled C2 → Bitbucket Repository 

Fake update campaigns like those deploying CoinLurker have adopted advanced
techniques to evade detection, including EtherHiding, which leverages Web3
infrastructure to conceal malicious payloads. This campaign employs a
multi-stage chain to deliver its payload seamlessly while remaining under the
radar. 

 1. Binance Smart Contract:
    The process begins with encoded data embedded within a Binance Smart
    Contract. By leveraging the decentralized and immutable properties of the
    blockchain, attackers store payload instructions that are resistant to
    tampering or removal.
 2. Actor-controlled Command-and-Control (C2) Server:
    The encoded data directs the malware to an actor-controlled C2 server, which
    serves as a pivot point in the chain. The server dynamically fetches
    further instructions or payload links, so the malware does not carry
    any static indicators that could trigger detection.
 3. Bitbucket Repository:
    The final stage involves a Bitbucket repository that initially hosts a
    benign executable. Once downloaded and deemed safe by security scans, this
    executable is later replaced by a malicious version. This tactic capitalizes
    on Bitbucket’s reputation as a trusted platform while reducing the chances
    of immediate detection. The use of a clean file in the initial stage ensures
    the campaign avoids raising alarms during early stages of distribution.

 

Figure 4: Screenshot of repositories used by the actor with high downloads count

 


TIMELINE OF FILENAMES (AUGUST TO OCTOBER 2024) 

CoinLurker’s evolution includes a notable timeline of filenames used in the
Bitbucket repository, often masquerading as legitimate tools to enhance
deception. From August to October 2024, the filenames observed include:

 * BrowserUpdateTool.exe
 * BrowserTool.exe
 * BrowserUpdater.exe
 * UpdateNow.exe
 * UpdateMe.exe
 * Updater.exe
 * UpdaterSetup.exe
 * Updating.exe
 * SecurityPatch.exe

Each filename aligns with the fake update theme, designed to appear as a genuine
system utility or browser update tool. Additionally, these executables are
signed with a legitimate Extended Validation (EV) certificate, adding another
layer of credibility. While the origin of the certificate cannot be confirmed,
it is likely stolen, enabling the attackers to bypass security warnings and
enhance the perceived legitimacy of the malicious files.

Figure 5: EV Certificate parsed in VirusTotal



LAYERED INJECTION TACTICS TO EVADE DETECTION 

CoinLurker utilizes a sophisticated multi-layered injector to stealthily deploy
malicious payloads into multiple instances of legitimate msedge.exe processes.
This approach ensures that the malware evades detection, blends seamlessly into
legitimate system activity, and bypasses network security rules that rely on
process behavior for filtering. Below are the key obfuscation techniques
observed during analysis. 

 


INFECTION VALIDATION THROUGH REGISTRY CHECKS 

CoinLurker employs a heavily obfuscated function to determine if the system has
already been infected. This method dynamically constructs a unique registry key,
such as SOFTWARE\<GUID>-<ID>, using system-specific data like the machine’s GUID
and custom input strings. 

The malware then attempts to access the key using the Windows OpenKey API. If
the key exists and contains the expected values, CoinLurker identifies the
system as already infected and terminates its execution. If the key is missing
or does not match the expected values, the malware proceeds with its infection
routine. 

While this technique serves as a mutex to prevent multiple infections, the
obfuscation within the function—such as dynamic API resolution and a layered
execution flow—makes it challenging for analysts to reverse-engineer the logic
or identify the key construction process. 



Figure 6: Runtime Validation Obfuscated Function (animated GIF)



RUNTIME STRING DECODING AND INJECTION 

CoinLurker employs a sophisticated injection process that relies on dynamic
string decoding and obfuscation to conceal its activities. The malware targets
msedge.exe, launching each instance with unique, obfuscated command-line
arguments. Examples include: 

 * WSCOGJJEZZWL 
 * NTOCBJPKZPNT 
 * XXEZGQVPKJGS 
 * PEQDTHUEORHX 
 * RLZXCUVFFESG 

These arguments are dynamically generated and transformed at runtime, passing
through layered transformations like Base64 decoding, UTF-16 conversion, and
dynamic resource mapping. The final values only emerge during execution, leaving
minimal static traces. The payload itself is decrypted in memory using
obfuscated routines, ensuring traditional detection methods are bypassed.

Figure 7: Main Loader Function

The injection logic incorporates heavily obfuscated control flow, including
nested state machines and conditional checks that obscure the actual execution
path. Redundant resource assignments and iterative memory manipulations further
complicate analysis, keeping critical data hidden until runtime. 
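Process-creation telemetry gives defenders a simple handle on the launch pattern described above: a genuine Edge child process is started with `--`-prefixed Chromium switches, never with a lone opaque token. The following is an added example, not code from the Morphisec post; it runs that check over constructed Sysmon-style records (the record format, field names, token length bounds and sample events are assumptions; the argument values are the ones reported above).

```python
"""Flag msedge.exe launches that carry a single opaque uppercase argument.

Added example (not from the Morphisec post). CoinLurker starts msedge.exe with
arguments such as WSCOGJJEZZWL; a genuine Edge process is started either with no
arguments or with '--'-prefixed Chromium switches. The record format below is a
constructed, simplified Sysmon-style "key=value|key=value" line.
"""
import re
from dataclasses import dataclass

# Executable path (quoted or bare, matched case-insensitively) followed by
# exactly one bare token of 8-16 uppercase letters. The length bounds are an
# assumption covering the 12-character samples in the post.
OPAQUE_EDGE_CMDLINE = re.compile(
    r'^(?i:"[^"]*\\msedge\.exe"|\S*\\msedge\.exe)\s+([A-Z]{8,16})\s*$'
)


@dataclass
class ProcessEvent:
    image: str          # path of the created process
    command_line: str   # command line as logged by the sensor
    parent_image: str   # path of the process that launched it


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Image=...|CommandLine=...|ParentImage=...' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def opaque_argument(ev: ProcessEvent):
    """Return the opaque token when this is a suspicious msedge.exe launch, else None.

    Both the image path and the command line are checked, so an unrelated
    process that merely mentions msedge.exe in its arguments is not flagged.
    """
    if not ev.image.lower().endswith("\\msedge.exe"):
        return None
    m = OPAQUE_EDGE_CMDLINE.match(ev.command_line)
    return m.group(1) if m else None


def scan(log_text: str):
    """Return (parent_image, token) for every flagged record in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        token = opaque_argument(ev)
        if token is not None:
            hits.append((ev.parent_image, token))
    return hits


# Constructed sample records: two benign Edge launches, two CoinLurker-style
# launches by a fake updater (file name taken from the post's timeline), and an
# unrelated process that happens to use the same token in its arguments.
SAMPLE_LOG = r'''
Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"|ParentImage=C:\Windows\explorer.exe
Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US|ParentImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" WSCOGJJEZZWL|ParentImage=C:\Users\victim\Downloads\BrowserUpdateTool.exe
Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" NTOCBJPKZPNT|ParentImage=C:\Users\victim\Downloads\BrowserUpdateTool.exe
Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c WSCOGJJEZZWL|ParentImage=C:\Windows\explorer.exe
'''

if __name__ == "__main__":
    for parent, token in scan(SAMPLE_LOG):
        print(f"suspicious msedge.exe launch: parent={parent} argument={token}")
```

The parent image is reported alongside the token because, in the chain described in this post, the launcher is the signed fake updater rather than Edge itself.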




SOCKET-BASED COMMUNICATION FOR C2 OPERATIONS 

CoinLurker communicates with its C2 servers using a socket-based framework. It
employs functions like GetAddrInfoW for DNS resolution, WSASocketW for socket
creation, and ConnectEx for establishing connections. Data exchange is handled
via WSASend and WSARecv, with asynchronous operations using 
CreateIoCompletionPort to enhance efficiency. 

Domains dynamically resolved by CoinLurker include: 

 * zovik[.]info
 * analfucker[.]lol
 * paveldurov[.]sbs


FILE ENUMERATION TARGETING CRYPTOCURRENCY WALLETS 

CoinLurker demonstrates a highly targeted approach to data collection, focusing
on directories associated with cryptocurrency wallets and financial
applications. Through systematic enumeration, it attempts to access a variety of
locations that are commonly used for storing sensitive user data. Key targets
include: 

Major Cryptocurrency Wallets: 

 * Bitcoin\wallets 

 * Ethereum\keystore 

 * Ledger Live\Local Storage\leveldb 

 * Exodus\exodus.wallet 

Alternative Cryptocurrencies and Lesser-Known Wallets: 

 * Examples include BBQCoin, Lucky7Coin, MemoryCoin, and many others, showcasing
   its effort to cover a wide range of cryptocurrencies. 

Related Applications: 

 * Directories such as Telegram Desktop\tdata, Discord\Local Storage\leveldb,
   and FileZilla 

This comprehensive scanning underscores CoinLurker's primary goal of harvesting
valuable cryptocurrency-related data and user credentials. Its targeting of both
mainstream and obscure wallets demonstrates its versatility and adaptability,
making it a significant threat to users in the cryptocurrency ecosystem. 
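The enumeration described in this section shows up in file-access telemetry as one process touching many unrelated wallet stores in quick succession, which a wallet application never does. The block below is an added example, not code from the Morphisec post: it flags such bursts over constructed event lines using the directories listed above (event format, per-process keying, threshold and window size are assumptions).

```python
"""Flag a process that touches several distinct wallet data stores in a burst.

Added example (not from the Morphisec post). CoinLurker, running inside
injected msedge.exe instances, enumerates the wallet and messaging-app
directories listed in this section. A single wallet application legitimately
reads its own directory; a browser process reading three unrelated ones within
seconds is the anomaly this heuristic looks for. The event format
("timestamp|Image|TargetFilename"), threshold and window are assumptions.
"""
from collections import defaultdict, deque

# Directory suffixes from the post, lower-cased; paths are compared lower-cased
# so drive letter, user name and casing do not matter.
WALLET_DIRS = (
    r"\bitcoin\wallets",
    r"\ethereum\keystore",
    r"\ledger live\local storage\leveldb",
    r"\exodus\exodus.wallet",
    r"\telegram desktop\tdata",
    r"\discord\local storage\leveldb",
    r"\filezilla",
)

MIN_DISTINCT = 3       # tuning assumption: distinct stores needed to alert
WINDOW_SECONDS = 10.0  # tuning assumption: sliding window length


def wallet_dir_for(path: str):
    """Return the matching wallet directory tag for a path, or None."""
    lowered = path.lower()
    for tag in WALLET_DIRS:
        if tag in lowered:
            return tag
    return None


def parse_event(line: str):
    """Parse one constructed 'ts|Image|TargetFilename' record."""
    ts, image, target = line.strip().split("|", 2)
    return float(ts), image, target


def detect_bursts(log_text: str):
    """Return [(image, first_ts, sorted_tags)] once per process whose accesses
    cover at least MIN_DISTINCT wallet directories inside WINDOW_SECONDS.

    Events are keyed on the image path; real telemetry would key on PID so
    that two injected msedge.exe instances are not merged.
    """
    recent = defaultdict(deque)  # image -> deque of (ts, tag) inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, target = parse_event(line)
        tag = wallet_dir_for(target)
        if tag is None:
            continue  # browser profiles, documents, etc. are not counted
        window = recent[image]
        window.append((ts, tag))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        distinct = {t for _, t in window}
        if len(distinct) >= MIN_DISTINCT and image not in alerted:
            alerted.add(image)
            alerts.append((image, window[0][0], sorted(distinct)))
    return alerts


# Constructed sample telemetry: Exodus reading its own wallet (benign) and an
# injected msedge.exe sweeping Bitcoin, Ethereum, a Chrome profile and Telegram
# within one second, then Ledger Live much later (outside the window).
SAMPLE_LOG = r'''
100.0|C:\Program Files\Exodus\Exodus.exe|C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\seed.seco
100.5|C:\Program Files\Exodus\Exodus.exe|C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\passphrase.json
101.0|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|C:\Users\victim\AppData\Roaming\Bitcoin\wallets\wallet.dat
101.2|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|C:\Users\victim\AppData\Roaming\Ethereum\keystore\UTC--2024-key
101.4|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
101.9|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|C:\Users\victim\AppData\Roaming\Telegram Desktop\tdata\key_datas
150.0|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|C:\Users\victim\AppData\Roaming\Ledger Live\Local Storage\leveldb\000003.log
'''

if __name__ == "__main__":
    for image, first_ts, tags in detect_bursts(SAMPLE_LOG):
        print(f"wallet enumeration by {image} starting at t={first_ts}: {tags}")
```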


HOW MORPHISEC CAN HELP 

Morphisec’s pioneering Automated Moving Target Defense (AMTD) technology stops
sophisticated attacks at the earliest stage without relying on outdated
signature or behavioral-based detection methods. By preemptively blocking memory
and application-based attacks, Morphisec eliminates threats before they can take
hold and become business impacting. 

Schedule a demo today to see how Morphisec stops fake update campaigns like
CoinLurker and other new and emerging threats.




IOCS 


FAKE INSTALLERS SHA256: 


STAGER URLS: 



C2 DOMAINS: 

 * paveldurov[.]sbs
 * zovik[.]info
 * analfucker[.]lol

Sensitive data discovery paths: 


 * c:\users\<username>\appdata\roaming\peercoin 

 * c:\users\<username>\appdata\roaming\shitcoin 

 * c:\users\<username>\appdata\roaming\liquidcoin 

 * c:\users\<username>\appdata\roaming\mastercoin 

 * c:\users\<username>\appdata\roaming\memecoin 

 * c:\users\<username>\appdata\roaming\tekcoin 

 * c:\users\<username>\appdata\roaming\tumcoin 

 * c:\users\<username>\appdata\roaming\yacoin 

 * c:\users\<username>\appdata\roaming\netcoin 

 * c:\users\<username>\appdata\roaming\paycoin 

 * c:\users\<username>\appdata\roaming\spots 

 * c:\users\<username>\appdata\roaming\chncoin 

 * c:\users\<username>\appdata\roaming\dollarpounds 

 * c:\users\<username>\appdata\roaming\playtoken 

 * c:\users\<username>\appdata\roaming\cryptogenicbullionc 

 * c:\users\<username>\appdata\roaming\eaglecoin 

 * c:\users\<username>\appdata\roaming\opensourcecoin 

 * c:\users\<username>\appdata\roaming\phenixcoin 

 * c:\users\<username>\appdata\roaming\sauron rings 

 * c:\users\<username>\appdata\roaming\bitcoin 

 * c:\users\<username>\appdata\roaming\anoncoin 

 * c:\users\<username>\appdata\roaming\copper bars 

 * c:\users\<username>\appdata\roaming\growthcoin 

 * c:\users\<username>\appdata\roaming\italycoin 

 * c:\users\<username>\appdata\roaming\42coin 

 * c:\users\<username>\appdata\roaming\blakecoin 

 * c:\users\<username>\appdata\roaming\casinocoin 

 * c:\users\<username>\appdata\roaming\ghisler 

 * c:\users\<username>\appdata\roaming\psi+\profiles\default 

 * c:\users\<username>\appdata\roaming\telegram desktop\tdata 

 * c:\users\<username>\appdata\roaming\discord\local storage\leveldb 

 * c:\users\<username>\appdata\roaming\filezilla 


© 2024 Morphisec Ltd. | All rights reserved