Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data

Pierluigi Paganini January 25, 2018

Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

Researchers from Fortinet FortiGuard Labs has discovered a strain of ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

The ransomware poses itself as a “spritecoin” wallet, it asks users to create their desired password, but instead of downloading the block-chain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops on the target system a ransom note of “Your files are encrypted.”

SpriteCoin ransomware

The malware includes an embedded SQLite engine, a circumstance that leads experts to believe it also implements a credentials harvesting feature for Chrome and Firefox credential store. The malicious code appends the .encrypted file extension to encrypted files (i.e. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

In this case, the threat arrives as a “SpriteCoin” package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”

SpriteCoin ransomware

When the victims provide their credentials the Spritecoin ransomware inform users it is downloading the blockchain, while it is actually encrypting the files.

The ransomware connects to a TOR site via an Onion proxy (http://jmqapf3nflatei35[.]onion.link/*) that allows the victim to communicate with the attacker’s website without the need for a TOR connection.

Further details, including IoCs are included in the report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Spritecoin ransomware, Monero)

[adrotate banner=”5″]

[adrotate banner=”13″]


you might also like

leave a comment