New Malware Spotted in the Wild That Puts Cryptocurrency Wallets at Risk

Using forked code from Loki malware, Anubis can steal cryptocurrency wallet IDs, system info, credit card details and other information.

AccessTimeIconSep 1, 2020 at 4:21 p.m. UTC
Updated Sep 14, 2021 at 9:50 a.m. UTC

The Takeaway:

  • Anubis is a new malware that can target cryptocurrency wallets and other sensitive data. It first became available for sale in darkweb markets in June, and Microsoft has now seen limited attack campaigns using it.
  • Experts recommend not visiting sketchy websites or opening strange or suspicious attachments, links or emails.
  • Increasing interest cryptocurrencies, such as we’ve seen in recent months, usually sparks interest in new users who can be particularly susceptible to these kinds of attacks. 

A new form of malware called Anubis is now out in the world after being circulated for sale on cybercrime dark markets in June, according to Microsoft Security Intelligence. Using forked code from Loki malware, Anubis can steal cryptocurrency wallet IDs, system info, credit card information and other data. 

Importantly, this malware is distinct from a family of Android banking malware also called Anubis.  It joins a growing list of malwares that look for vulnerable cryptocurrency stashes. 

“The malware is downloaded from certain websites. It steals information and sends stolen information to a C2 (command and control) server via an HTTP POST command,” said Tanmay Ganacharya, partner director of security research at Microsoft. 

HTTP Post is basically a data request from the internet. It is also used when you’re uploading a file or submitting a completed web form. 

“When successfully  executed it attempts to steal information and sends stolen information to a C2 server via HTTP POST command,” he said. “The post command sends back sensitive information that may include username and passwords, such as credentials saved in browsers, credit card information and cryptocurrency wallet IDs.”

Avoiding Anubis: What we know

Parham Eftekhari, executive director of the Cybersecurity Collaborative, a forum for security professionals, reviewed the images of code tweeted out by Microsoft and said not much information about the Windows Anubis malware has been released. 

But the Loki bot (from which the Anubis code was taken) was spread via social engineering emails with attachments with “.iso” extensions. These messages masqueraded as orders and offers from other companies and were sent to publicly available company email addresses, sometimes from a company’s own site. 

When it comes to avoiding Anubis, Eftekhari said people should not open any attachments or emails that they are not expecting or that seem unfamiliar. 

“They should deploy antimalware applications on their systems and scan and update frequently,” he said. “Finally, when accessing sensitive accounts such as banking applications, they should employ secure or privacy browsers which may prevent malware from recording keystrokes or screenshots.”

Ganacharya said that like many threats, this new malware tries to stay under the radar, so it doesn’t have obvious visual clues. Users can check for the presence of suspicious files and running processes (for example, ASteal.exe, Anubis Stealer.exe) as well as suspicious network traffic. 

For its part, Microsoft has updated its Defender Advanced Threat Protection (Microsoft Defender ATP) to detect Anubis malware and will be monitoring it to see if campaigns begin to spread. Microsoft Defender ATP uses AI-powered cloud-delivered protection to defend against new and unknown threats in real time

Other users should be wary of visiting unknown or suspicious websites, or opening suspicious emails, attachments and URLs, Ganacharya said. Additionally, users can turn on unwanted app blocking in Microsoft Edge to get protection against cryptocurrency miners and other software that can affect the performance of devices.

But for security professionals there are telltale signs when analyzing a system. One of these are indicators of compromise, which are indicators a system has been breached. These can include unusual outbound network traffic or unusual activity on an account.

Malware and cryptocurrency

While malware, or software designed to be malicious, isn’t new it’s increasingly being brought to bear on the cryptocurrency community. 

“Over the past three years we have been seeing an increased number of malwares that target user computers that, aside from trying to record/steal passwords, are specialized in harvesting the victim’s system for cryptocurrencies,” said Paolo Ardoino, CTO of Bitfinex. 

Ardoino said tech-savvy holders of cryptocurrency usually use a hardware wallet and store their seed (the information that generates and recovers a wallet) offline. Less-experienced users, though, due to the fear of losing the seed for their wallet, might keep it stored on their computer. Malware is then able to access the password manager or other online storage site while the user is accessing it, and copy and paste passwords.

Another attack that malware can execute, according to Ardoino, is seeing if the computer runs a blockchain node that has an unprotected wallet file. Even if that wallet file has a password, if the malware involves a keystroke recorder (or keylogger) it can capture whatever a user on the computer types. 

He said there are many nuances, but as cryptocurrency gets closer to mass adoption, sloppy custodial practices could make people’s cryptocurrency wallets easier to target than banks or even credit cards. 

Upticks in bitcoin (BTC) and ether (ETH), like those we’ve seen in recent months, could spark interest in new users who can be particularly susceptible to these kinds of attacks. 

Pandemic poses new vulnerabilities

The threat of malware has only increased as people have been pushed toward working and living remotely during the coronavirus pandemic, increasing the amount of time they spend online and the number of systems they use. 

According to a recent report from Malwarebytes, a company specializing in combating malware, programs such as AveMaria and NetWiredRC, which allow for breaches like remote desktop access and password theft, have seen huge increases in use during the pandemic. They found AveMaria saw a bump of 1,219% from January to April compared to 2019;  NetWiredRC observed a 99% increase in detections from January to June, primarily targeting businesses. 

Is the obvious defense the best defense?

Paul Walsh, CEO of the cybersecurity company MetaCert, said that given the attack vectors identified, traditional models for identifying and protecting against these attacks are misguided. 

The vast majority of malware is delivered via email phishing and malicious URLs, which outnumber dangerous attachments (like Anubis) five to one, according to Walsh.  

“Most security issues that involve dangerous URLs go undetected and, therefore, [are] not blocked” he said. 

There are thousands of security vendors in the world, but only a small number own their own “threat intelligence systems” – a fancy term for a big database of threats and potential threats. Those companies license that data to other companies. While Walsh’s company Metacert has a threat intelligence system, they might have URLs that Google, for example, won’t. It’s a patchwork solution at best. 

And if people are tailoring spear-phishing attacks for a specific company, the damage is usually done quite quickly, before a security database or firm might be aware a tailored website exists. 

The lifespan, or the time frame within which a phishing attack has accomplished its goal, is about seven minutes, said Walsh. But security companies may take up to two or three days to identify and vet new phishing attacks, particularly if they are tailored for a company or individual. 

Walsh says strong passwords and two-factor authentication are important. Yubikey, essentially a hardware version of two-factor authentication, is one step up, but it’s not supported by all websites. 


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.