Cybercriminals are actively targeting cryptocurrency investors with two new malware threats, scanning the internet for unsuspecting victims in order to steal their funds. According to a recent report by anti-malware software vendor Malwarebytes, the MortalKombat ransomware and the GO variant of the Laplas Clipper malware are being used in campaigns aimed at stealing cryptocurrency from victims. The phishing attack predominantly targets victims in the United States, with a smaller percentage of victims in the United Kingdom, Turkey, and the Philippines.
Cisco Talos, Cisco’s threat intelligence research team, has observed criminals scanning the internet for potential targets with an exposed remote desktop protocol (RDP) port, 3389. The phishing email that initiates the multi-stage attack chain carries a malicious ZIP file containing a BAT loader script; when the victim opens it, the script downloads a second malicious ZIP file. The loader inflates (unzips) the downloaded archive on the victim’s device and executes the payload, which is either the GO variant of the Laplas Clipper malware or the MortalKombat ransomware.
Talos has noted that the criminals often use phishing emails impersonating CoinPayments, a legitimate global cryptocurrency payment gateway, as the attack vector. The email is made to look legitimate, with a spoofed sender, “noreply[at]CoinPayments[.]net,” and the subject line “[CoinPayments[.]net] Payment Timed Out.”
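The lure and delivery chain described above map onto a few checks a mail gateway or SOC analyst can run on an inbound message: a From header claiming the impersonated brand while sender authentication fails, the reported subject line, and a ZIP attachment that nests a second ZIP holding a BAT loader. The script below is an added example written for this article, not code from Cisco Talos, Malwarebytes or the campaign itself; the sample messages it builds are constructed for the demonstration (the “loader” member is an inert placeholder), the brand domain `coinpayments.net` and the subject text come from the report, and the `.bat`/`.cmd` suffix list and the “two or more indicators” threshold are assumptions.

```python
"""Triage of inbound mail against the CoinPayments-themed lure (added example).

Flags a message when it shows at least two of: a From header on the
impersonated domain whose SPF/DKIM/DMARC result failed, the reported subject
line, or a ZIP attachment (nested one level) that carries a BAT/CMD loader.
All sample messages here are constructed; nothing is fetched or executed.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

LURE_DOMAIN = "coinpayments.net"      # impersonated brand named in the report
LURE_SUBJECT = "payment timed out"    # subject quoted in the report
LOADER_SUFFIXES = (".bat", ".cmd")    # assumption: BAT-style loader scripts
MIN_INDICATORS = 2                    # assumption: tunable alert threshold


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From address ('' when absent or malformed)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_failed(msg: EmailMessage) -> bool:
    """True when any Authentication-Results header reports SPF/DKIM/DMARC failure."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return bool(re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b", results))


def _scan_zip(data: bytes, depth: int) -> list:
    """Return loader-script member names; descend one level into nested ZIPs."""
    names = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                lower = info.filename.lower()
                if lower.endswith(LOADER_SUFFIXES):
                    names.append(info.filename)
                elif lower.endswith(".zip") and depth < 1:
                    names.extend(_scan_zip(zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        pass  # not a real archive; nothing to report from this part
    return names


def zip_loader_names(msg: EmailMessage) -> list:
    """Loader-script names found inside any ZIP attachment of the message."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data and data.startswith(b"PK"):      # ZIP local-file-header magic
            found.extend(_scan_zip(data, depth=0))
    return found


def triage(raw: bytes) -> dict:
    """Score a raw RFC 5322 message against the traits reported for the campaign."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if sender_domain(msg) == LURE_DOMAIN and auth_failed(msg):
        reasons.append("From claims coinpayments.net but sender authentication failed")
    if LURE_SUBJECT in (msg.get("Subject") or "").lower():
        reasons.append("subject matches the reported lure")
    loaders = zip_loader_names(msg)
    if loaders:
        reasons.append("ZIP attachment carries loader script(s): " + ", ".join(loaders))
    return {"suspicious": len(reasons) >= MIN_INDICATORS, "reasons": reasons}


def build_lure_sample() -> bytes:
    """Constructed message shaped like the reported lure; the .bat is inert text."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.bat", "rem constructed placeholder, not a loader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("CoinPayments_invoice.zip", inner.getvalue())  # ZIP inside ZIP
    msg = EmailMessage()
    msg["From"] = "CoinPayments <noreply@coinpayments.net>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "[CoinPayments.net] Payment Timed Out"
    msg["Authentication-Results"] = "mx.example.com; spf=fail smtp.mailfrom=coinpayments.net; dkim=none"
    msg.set_content("Your payment has timed out. See the attached invoice.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message that should not trip the triage."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Lunch on Thursday?"
    msg["Authentication-Results"] = "mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass"
    msg.set_content("Same place as last time?")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        print(label, triage(raw))
```

Each indicator alone is weak (legitimate CoinPayments mail can fail SPF through forwarding, and plenty of benign mail ships ZIPs), which is why the verdict requires more than one to coincide; the nested-ZIP walk is capped at one level so a crafted archive cannot drive the scanner into unbounded recursion.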
Ransomware Threats Rise while Revenue Declines
Ransomware and other cyberattacks continue to rise, yet victims have been increasingly unwilling to meet attackers’ demands. According to a recent report by Chainalysis, ransomware revenues for attackers plummeted 40% last year. It’s worth noting that North Korean hacking groups account for a significant portion of illicit cyber activities. Recently, South Korean and US intelligence agencies warned that Pyongyang-based hackers are attempting to hit “major international institutions” with ransomware attacks. In a new phishing method, BlueNoroff, a subgroup of the North Korean state-sponsored hacking group Lazarus, is impersonating venture capitalists looking to invest in crypto startups, as revealed by Kaspersky in December 2022.