Nov 30, 2021
0 0

Remote access tools abused to spread malware and steal cryptocurrency

Written by

Tags, , , , , ,
Super secure VPN
Minimal data logging
Favorable privacy policy

Trend Micro researchers have shared details of a new campaign distributing SpyAgent malware by abusing legitimate use RATs (remote access tools), including TeamViewer.
Safib assistant also abused in the scam
According to a report from Trend Micro, the campaign involves abusing a legitimate Russian RAT called Safib Assistant through a new variant of SpyAgent malware. The scammers exploit a DLL sideloading vulnerability that loads a malicious DLL, which hooks and patches different API functions that the RAT calls. This hides the RAT windows from the user.
SEE: Fake TeamViewer download ads distributing new ZLoader variant
Afterward, the malicious DLL starts reporting the RAT’s ID that the attacker requires to establish a connection with the infected device and gain control over it. The malware then changes the access password to a fixed one. Due to this, the attacker only needs to have the RAT’s ID to connect to the infected device.

SpyAgent dropper is distributed via bogus cryptocurrency-related websites, most of which are in the Russian language. The dropper is equipped with a fake cryptocurrency wallet, surfing plug-ins, or miner.
Fake cryptocurrency miners in Russian (Image: TrendMicro)
How a user is lured to these websites involves social engineering tactics, such as some websites display ads that say “earn cryptocurrency for browsing.” Scammers are also using social media, specifically Twitter, as a potential infection vector.
When a user visits these fake websites, a file-downloading dialog box appears almost immediately, urging the user to download, save, and execute the application, which is actually a SpyAgent dropper.  

According to Trend Micro’s blog post, after getting installed on a device, SpyAgent malware downloads other malware having extensive capabilities, including stealing sensitive data. Moreover, Trend Micro researchers noticed that SpyAgent downloads additional stealers such as:
RedLine Stealer
Cypress Stealer
Ducky Stealer
Further, it downloads Clipper, a clipboard replacer that replaces different cryptocurrency addresses with attacker-controlled addresses. The RATs used in this campaign include:
Remcos RAT

This campaign seems to have financial motivation. The primary objective of hackers is to steal credentials and crypto-wallets, and they also replace cryptocurrency addresses shared through Clipboard. Users must stay clear of fake websites, unrealistic advertisements, and misleading social media posts.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Get the best stories straight into your inbox!

Don’t worry, we don’t spam
 App Store Google News
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom. is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT
The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.


Article Categories:

Comments are closed.