How to steal cryptocurrency through DNS
The distribution of malware alongside cracked games or applications is one of the oldest tricks in the cybercriminal playbook. Surprisingly, even in 2024, there are still naive victims who believe in a modern-day Robin Hood and assume that downloading cracked paid programs and games from pirate sites is perfectly safe. However, while this threat is old, criminals continuously invent new methods of delivering malware to the victim's computer that bypass security solutions.
A recent campaign of this kind was discovered targeting Apple computers with the latest versions of macOS (13.6 and above), utilizing the features of the Domain Name System (DNS) service to download malicious payloads. Victims are offered free downloads of cracked versions of popular applications.
But what awaits those who succumb to temptation?
Fake activation
After downloading a disk image supposedly containing a cracked program, the victim is prompted to copy two files into the Applications folder: the application itself and an "activator" program. If only the application is copied and launched, it will not work. The instructions state that the cracked program must be "activated". Analysis revealed that the activator's function is primitive: it removes a few initial bytes in the application's executable file, after which the application starts working. Essentially, the criminals took an already cracked application and modified it so that it could not be launched without the activator. Of course, the activator has an unpleasant additional function: upon launch, it requests administrator rights and, using them, installs a script loader in the system. This script downloads additional malicious payloads from the Internet, namely a backdoor that regularly requests commands from the criminals.
Connection through DNS
To download the malicious script, the activator turns to a rather exotic and innocent-looking tool: the Domain Name System (DNS). It has an interesting technical feature. DNS records not only link the internet name of a server to its IP address but can also hold an arbitrary textual description of the server, stored in what is known as a TXT record. The criminals exploited this by placing fragments of malicious code in TXT records. The activator downloads three TXT records from a malicious domain and assembles them into a ready script.
This seemingly complex scheme has several advantages. First, the activator does nothing particularly suspicious: accessing DNS records is a common activity for any internet application, and it is a necessary first step for any communication session. Second, by changing the domain's TXT records, criminals can easily update the script to modify the infection scheme and the final malicious payload. Third, removing malicious content from the network is not so simple due to the distributed structure of the domain name service. For internet providers and companies, it is difficult even to notice a policy violation, as each such TXT record is only a fragment of malicious code, which in itself does not pose a threat.
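An added detection example (not from the original article): a defender's sketch that scans resolver logs for the pattern described above, where one client fetches several long TXT answers under the same parent domain within a short window. The log tuple format, the thresholds and the sample entries are assumptions constructed for illustration, and the two-label parent-domain rule is a simplification.

```python
from collections import defaultdict

# Constructed sample resolver log (assumed format):
# (epoch seconds, client IP, query name, record type, answer length in bytes)
SAMPLE_LOG = [
    (1000, "10.0.0.5", "a1.update-check.example", "TXT", 240),
    (1001, "10.0.0.5", "a2.update-check.example", "TXT", 238),
    (1002, "10.0.0.5", "a3.update-check.example", "TXT", 251),
    (1003, "10.0.0.5", "www.example.org", "A", 4),
    (1500, "10.0.0.7", "example.net", "TXT", 45),                 # short policy-style TXT
    (2000, "10.0.0.9", "k1._domainkey.mail.example", "TXT", 410), # one long TXT only
]


def parent_domain(qname, labels=2):
    """Naive parent: the last `labels` labels. A real deployment should use
    the Public Suffix List so that names under e.g. co.uk group correctly."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])


def find_txt_bursts(log, window=60, min_names=3, min_len=100):
    """Return (client, parent, names) for each client that fetched at least
    `min_names` distinct long TXT answers under one parent within `window` s.
    The thresholds are illustrative assumptions, not values from the article."""
    by_key = defaultdict(list)
    for ts, client, qname, qtype, answer_len in log:
        if qtype.upper() == "TXT" and answer_len >= min_len:
            by_key[(client, parent_domain(qname))].append((ts, qname.lower()))

    alerts = []
    for (client, parent), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) >= min_names:
                alerts.append((client, parent, sorted(names)))
                break  # one alert per client/parent pair is enough
    return alerts


if __name__ == "__main__":
    for client, parent, names in find_txt_bursts(SAMPLE_LOG):
        print(f"{client} pulled {len(names)} long TXT records under {parent}: {names}")
```

Because each fragment is harmless on its own, the signal here is the grouping per client and parent domain rather than the content of any single answer.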
The final round
Because the script download is launched periodically, criminals can update the malicious payload and perform any actions they need on the victim's computer. At the time of our analysis, they were interested in stealing cryptocurrency. The backdoor automatically searches the victim's computer for Exodus or Bitcoin wallets and replaces their applications with trojanized versions. The infected Exodus wallet steals the key phrase (seed phrase), and the infected Bitcoin wallet steals the encryption key that encrypts the private keys, allowing the attackers to sign transfers on behalf of the victim. Thus, by "saving" a few dozen dollars on cracked applications, one can lose an order of magnitude more in crypto.
Other famous cases of cryptocurrency hacking
One of the most high-profile cases in the history of cryptocurrencies is the 2014 hack of the Mt. Gox exchange, which resulted in the theft of around 850,000 Bitcoin. This incident highlighted the importance of cryptocurrency exchange security and led to stricter security measures in the industry. The Mt. Gox hack showed that even the largest platforms are not immune to attacks and that the importance of storing cryptocurrency in a secure wallet cannot be overstated.
Another famous case is the DAO (Decentralised Autonomous Organisation) hack in 2016, when over $50 million in Ether was stolen due to a vulnerability in a smart contract. This case highlighted the risks associated with technological innovation and the need for careful auditing of smart contract code.
How to protect yourself from an attack on your crypto wallet
Let's state the obvious: to avoid the threat and not become a victim of criminals, download applications only from official app stores. If you want to download an application from the developer's site, ensure you are on the real site, not one of the many fake sites. If you are thinking about downloading a cracked version of an application—think again. "Honest and trustworthy" sites with pirated products are as rare as unicorns and elves.
It is also worth applying these safety measures:
- Cold storage. Storing cryptocurrency in a wallet that is not connected to the internet is considered one of the most secure methods of protection. Cold wallets can be in the form of hardware devices or paper wallets.
- Two-factor authentication (2FA). Using 2FA to access cryptocurrency wallets and exchanges greatly increases security by adding an extra layer of verification.
- Regular security audits. Regular security audits and software updates for wallets and exchanges help identify and address vulnerabilities.
- Education and awareness. Understanding basic cybersecurity principles and being aware of current threats helps prevent many attacks.
These protections, while not guaranteeing complete security, greatly reduce the risk of losing your cryptocurrency to hacker attacks or fraud. It is important to remember that in the world of cryptocurrencies, security must come first, and every user is responsible for protecting their investment.