Author(s): Vlad Pasca
Executive Summary
Threat actor distributes malicious cryptocurrency wallets (Anchor, Zec, Iota, Onto, Dark, and Stellar) as oversized Advanced Installer packages exceeding 600MB to evade detection.
Attacker-controlled domains achieve first page search engine rankings for targeted wallet names, intercepting users searching for legitimate cryptocurrency wallets.
The campaign exhibits cross-platform targeting with Windows, Linux, and macOS variants, though Linux and macOS versions of certain wallets remain non-malicious in some instances.
Initial executable files are signed with valid code signing certificates to establish false legitimacy and bypass security controls.
The campaign's objective is deploying Remote Utilities (RuRAT) remote management tool to establish persistent access on compromised systems.
Low-confidence attribution to a Russian-aligned threat actor based on Remote Utilities binary hash correlation with Ukraine CERT-UA report 5961 and Russian-language strings identified in analyzed samples.
Domain registration timelines demonstrate the campaign's extended operational lifespan, spanning multiple years from initial infrastructure establishment to ongoing activity.
Timeline of distribution domains registration
The infection vector utilizes Advanced Installer executables containing batch scripts that orchestrate the download and execution of MSI files from threat actor infrastructure. This layered deployment mechanism culminates in the installation of Remote Utilities (RuRAT) for persistent remote access. Persistence is achieved by creating multiple scheduled tasks on the infected host.
RuRAT (RMS) is a legitimate Russian-made remote management utility that is publicly available for trial and purchase. The tool offers a full suite of features that allows the threat actors to deploy additional malware, exfiltrate data, and perform other activities.
The following fake crypto wallets were created and distributed by the threat actor:
A Deeper Dive
We analyzed the 600MB+ null-padded Advanced Installer package that can be downloaded from the fake cryptocurrency wallet domain anchorwallet[.]org (SHA256: 553e3f0483580289f64e55d6646be3c4b530fe275519e510f659460d3bacfa08). This impersonates the legitimate Anchor Wallet that can be downloaded from greymass[.]com/anchor#download (Windows, Linux, and macOS versions).
The hash of the fake Anchor Wallet is displayed on the downloading page, however, the Windows hash is different from the real hash of the file downloaded from the domain. The Linux and macOS hashes are the same as that of the legitimate Anchor Wallet.
Figure 1 - Download page of anchorwallet[.]org
All versions of the fake DarkWallet from darkwallet[.]is are malicious. The Linux and macOS installers are Electron-based and drop an infostealer.
Figure 2 - Download page of darkwallet[.]is
The Python script can be used to extract the embedded files from Advanced Installer executables in most cases. The extracted file called “Anchors.ini” contains an MSI file that will be downloaded from zorvexion24[.]com/file/install.msi. Similar “.ini” files can be extracted from all Advanced Installer executables representing the other fake wallets.
The batch file “1display.bat” hides the notification area by setting the “NoTrayItemsDisplay” registry value to 1. It also kills the explorer.exe process using PowerShell:
Figure 3 - 1display.bat
The file named “3.1setuphd.bat” creates a PowerShell script called “hd.ps1” in the “C:\Users\Public” directory. The purpose of the newly created script is to verify whether Task Manager is running and kills two processes called “rutserv” and “rfusclient”. We’ll see during the analysis that these two files are RMM tools that are installed by the malicious process.
Figure 4 - 3.1setuphd.bat
The malware adds the “System” and “Hidden” flags to multiple files and directories that are created during the malicious activity. It also modifies the “ShowSuperHidden” registry value to 2 and hides the installed application from Control Panel (Figure 5).
Figure 5 - 4h.bat
Files “6last.bat” and “9last.bat” are identical and set the same flags to a new directory called “Remote Utilities” from the “ProgramData” folder:
Figure 6 - 6last.bat
Using the “7SecurityCenter.bat” script, the malware creates a batch script in the Startup folder that restarts the explorer process.
Figure 7 - 7SecurityCenter.bat
The batch file “8display2.bat” shows the notification area by setting the “NoTrayItemsDisplay” registry value to 0:
Figure 8 - 8display2.bat
The malicious binary uses the “10setup2.bat” script to download multiple files. It downloads and executes an MSI file called “s.msi”, and two RMM files called “ruliserv.exe” and “rustclient.exe” that are saved in the “C:\Program Files (x86)\Remote Utilities – Host” directory.
Figure 9 - 10setup2.bat
The installer creates multiple XML files corresponding to scheduled tasks that are created: \Update, \Startup, \Hd, and \Started (see Figure 10).
Figure 10 - Setup3.bat
The interface of the fake APT wallet is displayed in Figure 11.
Figure 11 - Fake APT Wallet interface
The Linux and macOS versions of the Idex Wallet are not malicious and were built using Electron-Vite. We can identify the username “junki” and the Russian word “Робочий стіл” (Workstation) in the config file of the applications.
Figure 12 - Config file contains words in Russian
The hashes of “rfusclient.exe” (SHA256: 02003563373af3215195ca0c23af03f845921fcfa31f58770927266b03c2ac40) and “rutserv.exe” (SHA256: f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5) can be found in the Ukraine CERT-UA report 5961 and were attributed to UAC-0096 (Russian-aligned threat actor). While the samples correlate with UAC-0096 activity documented in the 2023 CERT-UA report, this connection does not extend to all Remote Utilities deployments observed in the campaign. Moreover, other technical indicators were insufficient to confirm Russian threat actor involvement.
Basically, the threat actor deploys the legitimate RMM (Remote Monitoring and Management) tool called Remote Utilities (RuRAT) to the infected machines.
The Dark Wallet macOS version functions as a stealer that extracts information such as crypto wallets, browser cookies, passwords, a screenshot of the machine, FTP configs, SSH keys, and the clipboard’s content. The stolen data is exfiltrated to the haramejr3n[.]pw domain. The same stealer is implemented by the fake Electrum Doge wallet downloaded from electrum-dogecoin[.]org.
Figure 13 - Fake wallet extracts information to be exfiltrated to the C2 server
Mapping the Infrastructure
The threat actor registered domains for fake crypto wallets that look like legitimate crypto wallets such as Anchor and Zec Wallets (Windows, Linux, and macOS versions), Iota and Onto Wallets (Google Chrome extensions), a defunct wallet called Dark Wallet, and others.
Code Signing Certificates
The initial Advanced Installer packages and downloaded files were signed with valid certificates:
Indicators of Compromise
C2 domains
haramejr3n[.]pw
electrum-doge[.]online
Github repository
github[.]com/hachshiba/electrum-doge
Distribution Domains
Malicious domains hosting installers/additional malicious files
SHA256