Massive Surge in Malicious Efimer Script Attacks Targeting Users through WordPress Sites, Torrents, and Email


A Rising Threat: The Efimer Malware Campaign Targeting Cryptocurrency Users

A sophisticated malware campaign known as “Efimer” has surfaced as a formidable threat to cryptocurrency aficionados around the globe. This nefarious operation utilizes a multi-faceted strategy that includes compromised WordPress websites, malicious torrent files, and cunning email scams.

Initially identified in October 2024, Efimer — a variant reminiscent of the ClipBanker Trojan — has progressed from a rudimentary cryptocurrency theft tool to a comprehensive malevolent infrastructure that facilitates self-propagation and widespread distribution.

The malware’s nomenclature is derived from an annotation discovered within its decrypted scripting, emphasizing its primary focus: the theft of cryptocurrencies through clipboard manipulation.

When users copy cryptocurrency wallet addresses, Efimer stealthily substitutes them with addresses controlled by the attackers, effectively hijacking the intended transactions.
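The clipboard substitution described above is easiest to understand from the defending side: a guard that remembers the last wallet address the user actually copied and compares it with what the clipboard holds when it is read back before a paste. The following Python is an added illustration, not code from the report or from Securelist; the clipboard events, the two sample Bitcoin addresses and the simplified address patterns are constructed for the example, and the event source names ("user_copy", "clipboard_read") are assumptions about how such a guard would be fed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified address shapes (alphabet and length only, no checksum). They are
# enough to tell which coin family a string belongs to, which is all the guard
# needs; they are not full address validators.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return the coin family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardEvent:
    # Assumed event sources: "user_copy" is text the user deliberately placed on
    # the clipboard (e.g. hooked from a wallet app's copy action);
    # "clipboard_read" is what the clipboard contains when read back before a paste.
    source: str
    text: str


def detect_swaps(events: List[ClipboardEvent]) -> List[Dict[str, Optional[str]]]:
    """Flag reads where a wallet address the user copied came back changed.

    A clipper does not replace arbitrary text; it waits for something that looks
    like a wallet address and substitutes its own. So the guard remembers the last
    address-shaped string the user copied and compares every later read against
    it until the user copies something else.
    """
    alerts = []
    last_copied: Optional[str] = None
    for ev in events:
        text = ev.text.strip()
        if ev.source == "user_copy":
            # Only track copies that are addresses; any other text resets the guard.
            last_copied = text if address_family(text) else None
        elif ev.source == "clipboard_read" and last_copied is not None:
            if text != last_copied and address_family(text) is not None:
                alerts.append({
                    "expected": last_copied,
                    "observed": text,
                    "expected_family": address_family(last_copied),
                    "observed_family": address_family(text),
                })
    return alerts


# Constructed sample: the user copies a Bitcoin address, the first read-back is
# intact, the second has been replaced by a different address of the same family.
SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipboardEvent("clipboard_read", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipboardEvent("clipboard_read", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ClipboardEvent("user_copy", "meeting notes"),
    ClipboardEvent("clipboard_read", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
]


def run_demo() -> List[Dict[str, Optional[str]]]:
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"clipboard swap: copied {alert['expected']} but clipboard holds {alert['observed']}")
```

Only one alert is raised for the sample: the first read-back matches, the second does not, and the final read-back is ignored because the user copied plain text in between. Wiring this into a real clipboard hook is platform specific; the comparison logic is the part that matters.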

Extending beyond its fundamental function, the malware exhibits an impressive adaptability by incorporating supplementary modules for compromising WordPress sites, harvesting email addresses, and disseminating spam content.

Securelist analysts report that Efimer has affected over 5,000 users across various nations, with Brazil experiencing the highest concentration of attacks — 1,476 users being targeted.

The malware’s influence is felt across countries, including India, Spain, Russia, Italy, and Germany, highlighting its global reach and posing a significant threat to security.

What sets Efimer apart from traditional malware is its capability to establish an extensive malicious ecosystem, enabling prolonged attacks and a continuous increase in its victim base.

The tactics employed in these attacks display a high degree of sophistication, utilizing social engineering techniques that include email campaigns impersonating legal representatives from reputable firms. These communications falsely assert trademark infringement related to domain names, threatening legal ramifications unless the recipients promptly alter their domain names.

Such emails contain password-protected ZIP files titled “Demand_984175.zip,” which house malicious WSF files.

Simultaneously, the attackers compromise WordPress sites to host counterfeit torrent files, particularly targeting popular cinematic releases such as “Sinners 2025,” which contain executable files disguised as media player applications.

Technical Infection Mechanism and Persistence

The infection commences when victims execute the compromised WSF or EXE files, initiating a complex, multi-layered deployment process.

Upon execution, Efimer first verifies administrator privileges by attempting to write to a temporary file located at:

C:\Windows\System32\wsf_admin_test.tmp

If successful, the malware proceeds to create exclusions within Windows Defender for the C:\Users\Public\controller folder and critical system processes, including cmd.exe and the WSF script itself.

Depending on user permissions, the malware employs various methods to establish persistence. Privileged users encounter a scheduled task created via a controller.xml configuration file, while others receive registry entries in:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\controller

The core payload, identified as controller.js, acts as the principal Trojan component. It continuously monitors clipboard contents, employing advanced evasion techniques such as immediate termination if Task Manager is detected in operation.
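The install steps just described (the temp-file privilege probe, the Defender exclusion for C:\Users\Public\controller, the scheduled task or Run-key persistence, and the controller.js payload) translate directly into host telemetry rules. The Python below is an added example, not code from the report or from Securelist, that runs such rules over constructed JSON-lines endpoint events. The file path, folder and Run value name are taken from the report; the report does not say how the Defender exclusions or the scheduled task appear in telemetry, so the registry-exclusion, Add-MpPreference and schtasks patterns are assumptions, and the event schema ("type", "target") is invented for the example.

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

# Each rule: name, event type it applies to, regex over the event's "target"
# (a file path, a registry value path, or a process command line).
RULES: List[Tuple[str, str, re.Pattern]] = [
    # From the report: the admin-privilege probe and the dropped core payload.
    ("admin_probe_tempfile", "FileCreate",
     re.compile(r"\\Windows\\System32\\wsf_admin_test\.tmp$", re.I)),
    ("payload_drop", "FileCreate",
     re.compile(r"\\Users\\Public\\controller\\controller\.js$", re.I)),
    # From the report: the Run value used for unprivileged persistence.
    ("run_key_persistence", "RegistryValueSet",
     re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\controller$", re.I)),
    # Assumed: how a Defender exclusion shows up (registry write or PowerShell cmdlet).
    ("defender_exclusion_registry", "RegistryValueSet",
     re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes)\\", re.I)),
    ("defender_exclusion_cmdline", "ProcessCreate",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process)\b", re.I)),
    # Assumed: the task is registered by importing controller.xml with schtasks.
    ("schtasks_xml_import", "ProcessCreate",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*/xml\s+\S*controller\.xml", re.I)),
]


def parse_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse JSON-lines telemetry; skip blank or malformed lines rather than abort."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "type" in ev and "target" in ev:
            events.append(ev)
    return events


def match_rules(lines: Iterable[str]) -> List[str]:
    """Return the sorted set of rule names that fire on the given telemetry."""
    hits = set()
    for ev in parse_events(lines):
        for name, ev_type, pattern in RULES:
            if ev["type"] == ev_type and pattern.search(ev["target"]):
                hits.add(name)
    return sorted(hits)


def is_efimer_like(hits: List[str]) -> bool:
    """The payload path alone is decisive; otherwise require two install-phase steps."""
    return "payload_drop" in hits or len(hits) >= 2


# Constructed telemetry for one host: the privileged branch of the install
# (temp-file probe, exclusion, scheduled task, payload) plus two benign events.
SAMPLE_LOG = r'''
{"ts":"2025-08-07T09:00:01","type":"FileCreate","target":"C:\\Windows\\System32\\wsf_admin_test.tmp"}
{"ts":"2025-08-07T09:00:02","type":"RegistryValueSet","target":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\controller"}
{"ts":"2025-08-07T09:00:03","type":"ProcessCreate","target":"schtasks.exe /create /tn controller /xml C:\\Users\\Public\\controller\\controller.xml"}
{"ts":"2025-08-07T09:00:04","type":"FileCreate","target":"C:\\Users\\Public\\controller\\controller.js"}
{"ts":"2025-08-07T09:05:00","type":"FileCreate","target":"C:\\Users\\alice\\Documents\\notes.docx"}
{"ts":"2025-08-07T09:06:00","type":"ProcessCreate","target":"notepad.exe C:\\Users\\alice\\Documents\\notes.txt"}
'''


def run_demo() -> List[str]:
    return match_rules(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    hits = run_demo()
    print("rules fired:", ", ".join(hits))
    print("efimer-like install sequence:", is_efimer_like(hits))
```

Four of the six rules fire on the sample; the unprivileged branch would instead trigger run_key_persistence. The two-rule threshold in is_efimer_like is there because a single exclusion or scheduled task is common in legitimate administration, whereas the probe file and the controller.js path are specific to this campaign.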

Efimer’s communication framework relies on the Tor network, retrieving the Tor proxy service from several hardcoded URLs hosted on compromised WordPress sites.

The malware generates distinct GUIDs following the “vs1a-” format for victim identification and establishes communication with command-and-control servers at 30-minute intervals to evade detection while ensuring continuous connectivity.
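A fixed 30-minute check-in is itself a detectable signature: on the network side it shows up as one internal host contacting the same destination at nearly constant intervals (when the channel is Tor, the destination seen in proxy or firewall logs is a Tor relay rather than the real server, but the cadence survives). The Python below is an added example, not code from the report or from Securelist, that looks for that cadence in constructed connection logs; the log format ("ISO timestamp src dst"), the addresses and the jitter threshold are assumptions made for the example, and the 30-minute expectation is taken from the report.

```python
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List, Tuple


def parse_connections(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Parse constructed 'ISO-timestamp src dst' lines; ignore malformed ones."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            rows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue
    return rows


def find_beacons(lines: Iterable[str], expected_s: float = 1800.0,
                 tolerance_s: float = 120.0, min_events: int = 4) -> List[Dict]:
    """Report (src, dst) pairs whose connection gaps cluster around expected_s.

    The median gap is compared with the expected interval, and the median
    absolute deviation of the gaps is used as a jitter measure, so a few missed
    or delayed check-ins do not hide the pattern and one-off bursts do not
    create it.
    """
    groups: Dict[Tuple[str, str], List[datetime]] = {}
    for ts, src, dst in parse_connections(lines):
        groups.setdefault((src, dst), []).append(ts)

    findings = []
    for (src, dst), stamps in groups.items():
        if len(stamps) < min_events:
            continue  # too few samples to call a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = median([abs(g - med) for g in gaps])
        if abs(med - expected_s) <= tolerance_s and jitter <= tolerance_s:
            findings.append({
                "src": src, "dst": dst, "events": len(stamps),
                "median_gap_s": med, "jitter_s": jitter,
            })
    return findings


# Constructed log: 10.0.0.5 checks in every ~30 minutes with a few seconds of
# jitter; 10.0.0.9 talks to the same destination at irregular intervals; the
# 198.51.100.20 pair has too few events to evaluate.
SAMPLE_LOG = """
2025-08-07T09:00:00 10.0.0.5 203.0.113.7
2025-08-07T09:01:10 10.0.0.9 203.0.113.7
2025-08-07T09:03:40 10.0.0.9 203.0.113.7
2025-08-07T09:30:10 10.0.0.5 203.0.113.7
2025-08-07T09:45:00 10.0.0.9 203.0.113.7
2025-08-07T10:00:05 10.0.0.5 203.0.113.7
2025-08-07T10:29:55 10.0.0.5 203.0.113.7
2025-08-07T10:50:00 10.0.0.9 203.0.113.7
2025-08-07T11:00:12 10.0.0.5 203.0.113.7
2025-08-07T11:02:00 10.0.0.5 198.51.100.20
2025-08-07T11:03:00 10.0.0.5 198.51.100.20
"""


def run_demo() -> List[Dict]:
    return find_beacons(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['src']} -> {f['dst']}: {f['events']} connections, "
              f"median gap {f['median_gap_s']:.0f}s, jitter {f['jitter_s']:.0f}s")
```

Only the 10.0.0.5 to 203.0.113.7 pair is reported. In practice the same function can be run with expected_s left unset and the median gap inspected directly, since a tight jitter at any interval is the interesting property; the 30-minute value simply lets a hunt for this campaign be more specific.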


Source link: Cybersecuritynews.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

RS Web Solutions
