Malware Using OCR to Steal Crypto Keys
Cybersecurity experts have found a new malware threat that lures users into downloading a malicious app to grow. An advanced malware strain campaign has surfaced from North Korea, it attacks cryptocurrency wallets by exploiting the mnemonic keys of the users. McAfee researcher SangRyo found the malware after tracking stolen data from malicious apps for breaking servers and gaining access.
The working of SpyAgent
The malware is called SpyAgent, and it targets cryptocurrency enthusiasts. What makes this malware unique is its ability to use OCR technology for scanning images, it leverages Optical Character Recognition (OCR) technology to steal mnemonic keys stored in the images of infected devices. Hackers use these mnemonic keys to gain unauthorized entry into digital assets.
These keys are twelve-word phrases used for recovering cryptocurrency wallets. There has been a rise in the use of mnemonic phrases for crypto wallet security because they are easy to remember if compared to a long strain of random characters.
Spy Agent pretends to be a legitimate application, such as banking, streaming, government services, or utility software. McAfee has discovered over 280 fake applications.
Distribution of SpyAgent
When a victim downloads a malicious app containing SpyAgent, the malware builds a command and control (C2 )server that allows threat actors to launch remote commands. Later, the attacker extracts contact lists, text messages, and stored images from the compromised device.
“Due to the server’s misconfiguration, not only were its internal components unintentionally exposed, but the sensitive personal data of victims, which had been compromised, also became publicly accessible. In the ‘uploads’ directory, individual folders were found, each containing photos collected from the victims, highlighting the severity of the data breach,” the report says.
Reach of SpyAgent
SpyAgent has been found working in Korea, but its range has widened to other countries as well. The malware is capable of disguising itself as a legitimate application, which makes it dangerous. SpyAgent has recently expanded to the United Kingdom.
It has also moved from simple HTTP requests to web socket connections, allowing real-time two-way communication with the C2 server. It escapes security researchers via techniques like function remaining and string encoding.
The McAfee report recommends “users to be cautious about their actions, like installing apps and granting permissions. It is advisable to keep important information securely stored and isolated from devices. Security software has become not just a recommendation but a necessity for protecting devices.”