CoinLurker, a sophisticated stealer malware, is exploiting Microsoft Edge WebView2 to infiltrate users’ systems through deceptive software update prompts. The malware, written in Go, leverages advanced obfuscation techniques to evade detection and employs stolen Extended Validation (EV) certificates to appear legitimate. The attack chain begins with fake update notifications from compromised websites, phishing emails, malvertising redirects, and fraudulent CAPTCHA prompts. These prompts trigger the execution of the malware through WebView2, a framework that complicates dynamic analysis and enables the malware to evade sandbox detection.
The malware deployment method also incorporates a technique known as EtherHiding, where malicious scripts injected into compromised sites connect to Web3 infrastructure to retrieve the final payload. These payloads, often disguised as legitimate software like “UpdateMe.exe” or “SecurityPatch.exe,” are downloaded from Bitbucket repositories and are digitally signed with stolen certificates to bypass security mechanisms. The malware’s multi-layered injection process deploys the payload into the Microsoft Edge process (“msedge.exe”), making detection increasingly difficult for security tools.
Once successfully executed, CoinLurker targets valuable cryptocurrency-related data by scanning for information stored in cryptocurrency wallets like Bitcoin, Ethereum, Ledger Live, and Exodus. The malware also focuses on extracting user credentials from applications such as Telegram, Discord, and FileZilla, underscoring its primary objective of exfiltrating sensitive data. CoinLurker’s versatility in targeting both popular and obscure wallets demonstrates its adaptability and positions it as a significant threat to cryptocurrency users and platforms.
This malware campaign is part of a growing trend where threat actors are utilizing malvertising and social engineering techniques to deliver malware. Cybercriminals have been observed exploiting platforms like Google Search ads to target specific user groups, such as graphic design professionals, by promoting fake downloads for legitimate software tools. As these malware campaigns continue to evolve, experts emphasize the importance of improved detection measures, user awareness, and enhanced security protocols to defend against such sophisticated and deceptive threats.
Reference:
