Exploring the Correlation Between Bitcoin’s Boom and Evrial’s Capabilities

By on Jan 25, 2018

Many of the stealthiest cyberthreats out there spawn on underground forums, as malware authors leverage the space to sell unique variants to fellow criminals. And now there’s a new addition to the underground scene. Meet Evrial: a powerful, information-stealing Trojan which is currently for sale for 1,500 Rubles or $27 USD. Its author previously created another variant named CryptoShuffler, which allows cybercriminals to replace the Windows clipboard and steal files from cold cryptocurrency wallets, as well as passwords from programs/browsers. Its successor, Evrial, can steal browser cookies, swoop stored credentials, and monitor the Windows clipboard too — only now it can potentially hijack active cryptocurrency payments and send stolen money directly to a cybercriminal’s address.

Specifically, the Trojan is capable of monitoring the Windows clipboard for certain types of text, and if it detects specific strings, it can modify or even replace them with ones sent by the attacker. This could mean replacing legitimate addresses and URLs with ones under the attacker’s control; a regular Bitcoin address could suddenly become one belonging to a cybercriminal. If the target pastes that address into their app, thinking it’s the legitimate one, and sends Bitcoin, the cyptocurrency will soon be in the hands of the cybercriminal. Mind you, Evrial goes beyond Bitcoin, as it is also configured to detect strings that correspond to Litecoin, Monero, WebMoney, Qiwi addresses and Steam items trade URLs.

Evrial is just one of many Bitcoin-centric news stories lately, as cryptocurrency in general has been on practically everyone’s minds – which begs the question, is there a connection? Is the increased focus on digital currency inciting the creation of malware variants designed specifically to capitalize on Bitcoin’s boom?

In short – yes and no. Historically, cryptocurrencies have been a popular mechanism on underground markets for several years. Other digital currencies were used in the past but presented problems for bad actors due to their centralized nature. However, Blockchain technology, which powers cryptocurrencies like Bitcoin and is designed to be decentralized, allowed bad actors to protect their assets from law enforcement. Noticing this value, criminals on underground markets began to use this to their benefit well before the value of Bitcoin reached $1000+ a coin.

But soon enough Bitcoin value continued to grow and malware authors took notice, as they began to target Bitcoin wallets rather than simply trade in it. Ransomware exploded, holding victim’s files and machines hostage for almost exclusively Bitcoin payment. Malware that was traditionally sold as a scraper (to steal credit card information and passwords) was upgraded to include a cryptocurrency mining feature and was sold at a premium price.

Bad actor adoption of cryptocurrency has been both significant and quick, and notably much faster than the general population. Malware that uses, steals, and is sold with cryptocurrency is now the norm. And now as the general population’s interest in cryptocurrency has exploded, we’ve seen an increase in interest from malware authors as well. This interest has led to new malware behavior, such as Evrial’s ability to scan clipboards for cryptocurrency addresses. It’s had a major impact in how business is done in the underground.

However, it’s important to note that Bitcoin’s popularity presents its own problems. The volatile value has made the buying and selling of illicit goods problematic. Additionally, the pricing of a ransom is now askew. This has forced some markets to move to multi-coin platforms (namely incorporating Monero) as an alternative and some malware families to turn to other alt-coins to mine or steal.

All in all, cryptocurrency is no different than other motivators before it – when cybercriminals find the right opportunity to enhance their profitability, they capitalize on it. And when road blocks emerge, they find ways to maneuver around them. Now, the next step for cyber defenders is to keep their eyes peeled for what’s next, and eventually — outpace cybercriminals entirely.

To learn more about the fight against Evrial and other Trojans like it, be sure to follow us at @McAfee and @McAfee_Labs.

About the Author

Charles McFarland

Charles McFarland is a Senior Research Scientist. He has been working in the security industry since 2006, focusing on technical training and specialized in encryption technologies before moving on to threat intelligence research. In past research, he has focused on underground markets, and actor behavior. Currently, he is focused on Ransomware campaigns and the actors ...

Read more posts from Charles McFarland

Subscribe to McAfee Securing Tomorrow Blogs