Phishing Exodus Targets Chinese Crypto Investors

Cyble Research and Intelligence Labs recently exposed a sophisticated phishing scheme designed to compromise Chinese cryptocurrency investors and companies. This campaign cleverly imitates the Exodus crypto wallet’s interface through a fraudulent website. Victims believe they are downloading a legitimate Exodus wallet installer, but it secretly installs malicious software.

The downloaded program not only starts the Exodus installation process to appear credible but also simultaneously runs FatalRAT malware. This malware gives attackers remote access to the victim’s computer. During this process, additional harmful components like Clipper and Keylogger are also installed without the user’s knowledge. These programs are notorious for altering and stealing clipboard data, which can include sensitive information such as passwords and account details.

Cyble highlights that the threat actors have refined their methods by integrating new DLL side-loading techniques. These techniques are intended to help the malware evade antivirus software and other security measures. Although the full scope of the attack remains unclear, the use of Chinese-language installers suggests that the primary targets are individuals and businesses within China engaged in cryptocurrency.
