SpriteCoin uses the growing interest in cryptocurrencies as bait to lure victims
A new ransomware is circulating disguised as the wallet of a supposed cryptocurrency called SpriteCoin (also known as MoneroPay). It was discovered by security researchers at Fortinet's FortiGuard Labs. So far very little is known about this malware; it is probably distributed through social engineering, by email or through messages posted in forums, with cryptocurrencies as the common theme. The researchers also found a website dedicated to SpriteCoin. In reality, as the Italian national Computer Emergency Response Team (CERT) pointed out, this digital currency does not exist: it was created by cybercriminals as bait, exploiting the general interest in virtual coins driven by their high volatility and by the extraordinary rise in their value recorded over the last year. Moreover, this is not a “traditional” product of its kind. It is very dangerous, and doubly so if the victim decides to pay the ransom.
The ransomware, disguised as a wallet, asks for a payment of 0.3 Monero. At the same time it also tries to steal the credentials saved in the victim's browser
Once downloaded and launched on the victim's PC, the ransomware, disguised as a cryptocurrency wallet, asks the user to enter a password to protect the wallet. SpriteCoin then shows a progress bar that purports to report the progress of the blockchain download. In practice, during this operation the malware is encrypting the user's files. Once this phase is complete, the malicious application displays the ransom note in a window of the default browser. The cybercriminals demand a payment of 0.3 Monero (approximately 72 euros). Moreover, SpriteCoin does not only encrypt files: it also attempts to steal the credentials stored locally by the Chrome and Firefox browsers. The stolen data are then encoded and sent to a remote website over the Tor network.
Paying the ransom is a scam: instead of the tool needed to decrypt the files, the cybercriminals send the victim another piece of malware
SpriteCoin also hides another trap. A victim who agrees to pay the ransom will not receive the decryption key, but a second malware, capable of accessing the webcam and thus compromising keys and documents saved on the PC. At present, the methods and tools needed to decrypt the files locked by the fake cryptocurrency wallet are still unknown. On the other hand, the malicious application is easily detected and identified by the most common antivirus products.
Screenshot of the SpriteCoin ransom note (photo credits: Fortinet)