Fake DirectX12 Download Website Installs Crypto-Stealing Malware
Threat actors have found a new way to trick users into installing their software, distributing malware that steals cryptocurrency wallets and credentials.
Cybersecurity analyst Oliver Hough recently discovered that hackers have created a fake DirectX 12 download site to distribute malware that steals your cryptocurrency wallets and passwords.
Image Source: Twitter
Once users click the Download buttons, they are redirected to an external page where they are asked to download a file. Depending on whether they choose the 32-bit or 64-bit version, they will be offered a file called ‘6080b4_DirectX-12-Down.zip’ [VirusTotal] or ‘6083040a__Disclaimer.zip’ [VirusTotal].
Both files lead to malware that tries to steal victims’ files, email credentials, and cryptocurrency wallets.
According to BleepingComputer, the malware developers also target a wide variety of Windows cryptocurrency wallets, including Ledger Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Atomic, and Monero.
All data is gathered into a %Temp% folder, which the malware will zip up and send back to the threat actor who will analyze it and use it for other malicious activities.
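For defenders triaging a staged archive pulled from %Temp% or from a captured upload, a small check that flags zip contents resembling the wallet stores named above is useful. This is an added example, not code from the article or the malware; the wallet directory patterns are assumed typical %APPDATA% layouts and the archive is constructed inline.

```python
import io
import re
import zipfile
from typing import Dict, List

# Wallets the article lists as targets, mapped to assumed typical on-disk
# locations (relative to %APPDATA%); these paths are assumptions, not IoCs.
WALLET_MARKERS = {
    "Electrum": re.compile(r"(^|/)Electrum/wallets/", re.I),
    "Electron Cash": re.compile(r"(^|/)Electron-?Cash/wallets/", re.I),
    "Exodus": re.compile(r"(^|/)Exodus/exodus\.wallet/", re.I),
    "Jaxx": re.compile(r"(^|/)(com\.liberty\.jaxx|Jaxx)/", re.I),
    "Coinomi": re.compile(r"(^|/)Coinomi/", re.I),
    "Atomic": re.compile(r"(^|/)atomic/Local Storage/", re.I),
    "Ledger Live": re.compile(r"(^|/)Ledger Live/", re.I),
}


def classify_archive(data: bytes) -> Dict[str, List[str]]:
    """Map each wallet whose files appear in the zip to the matching entry paths."""
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")  # archives may carry Windows separators
            for wallet, pattern in WALLET_MARKERS.items():
                if pattern.search(norm):
                    hits.setdefault(wallet, []).append(name)
    return hits


def is_suspicious(data: bytes, min_wallets: int = 1) -> bool:
    """True when at least min_wallets distinct wallet stores are present."""
    return len(classify_archive(data)) >= min_wallets


def build_sample_archive() -> bytes:
    """Constructed stand-in for a staged exfil archive; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Roaming/Electrum/wallets/default_wallet", b"{}")
        zf.writestr("Roaming/Exodus/exodus.wallet/seed.seco", b"x")
        zf.writestr("Roaming/Thunderbird/profiles.ini", b"[Profile0]")
        zf.writestr("Documents/notes.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(classify_archive(sample), is_suspicious(sample))
```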
It seems that threat actors have made a habit of using these fake websites to steal financial information and passwords.
Just last week, ESET discovered that Ficker malware now spreads through websites impersonating Microsoft Store and Spotify. The malware steals information and user credentials saved in web browsers, messaging apps, and FTP clients. It can also exfiltrate documents, take screenshots of your running apps, and steal from your cryptocurrency wallets.
Earlier this month, the Lazarus Group set up a fake security company and social media accounts as part of a broad campaign targeting cybersecurity researchers with malware. The attackers created a website, as well as Twitter and LinkedIn accounts, for a fake company named SecuriElite, supposedly located in Turkey. The company purportedly offered offensive security services; the campaign was reported by the Google security team that tracks state-backed hackers.
As always, we advise you to only download and install software from trustworthy sites or straight from the developer’s official website. In this case, since DirectX is a set of Windows interfaces, you should only install it directly from Microsoft.