

Razy Trojan Attacks CryptoCurrency Space





Kaspersky Lab has recently discovered a new Trojan, ‘Razy’, which it says spoofs search results and targets browser extensions with the aim of attacking cryptocurrency wallets. The malicious program, known as Trojan.Win32.Razy.gen, is an executable file that spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software. Its main purpose is the theft of cryptocurrency.

Razy is said to look for cryptocurrency wallet addresses on websites and replace them with the threat actor’s wallet addresses, spoof images of QR codes that point to wallets, modify the web pages of cryptocurrency exchanges, and spoof Google and Yandex search results.

Kaspersky claimed that Razy could potentially infect extensions of Google Chrome, Mozilla Firefox, and Yandex Browser, with a different infection scenario for each browser type. For example, in Firefox, the Trojan installed an extension named ‘Firefox Protection’, whereas in Yandex Browser it installed an extension called ‘Yandex Protect’, and in Chrome, Razy modified the contents of the Chrome Media Router extension folder.

The Razy Trojan spoofs search results by adding fake links to result pages when the search request is connected to cryptocurrencies and cryptocurrency exchanges, or even music downloading and torrents. Once the user’s system is infected, the Trojan adds a banner to Wikipedia, shown when the user visits the site, containing a request to donate a small amount to support Wikipedia. The cybercriminals’ wallet addresses are used in place of the bank details, and the original Wikipedia banner asking for donations (if present) is deleted. Kaspersky noted that when the user visited the webpage, they would see an offer to buy Telegram tokens at an incredibly low price.

Along similar lines, when users visited pages of the Russian social network Vkontakte (VK), the Trojan added an advertising banner to them. If the user clicked on the banner, they would be redirected to phishing resources (located on the domain ooo-ooo[.]info), where they would be prompted to pay a small sum of money now in order to make loads of money later on.

Kaspersky has listed the wallet addresses detected in the analysed scripts, so that users can be more aware:

  • Bitcoin: ‘1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L’, ‘1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq’, ‘3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY’, ‘1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj’, ‘35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC’, ‘34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ’.
  • Ethereum: ‘33a7305aE6B77f3810364e89821E9B22e6a22d43’, ‘2571B96E2d75b7EC617Fdd83b9e85370E833b3b1’, ‘78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3’.

The report suggested that the total incoming transactions on these wallets amounted to approximately 0.14 BTC plus 25 ETH.
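
As an added example (not part of Kaspersky's report or of the original article), the following Python code checks text or script files, such as the contents of a browser extension folder, for the wallet addresses listed above. The function names, the file suffixes scanned and the sample script are assumptions made for illustration.

```python
import re
from pathlib import Path

# Wallet addresses exactly as listed in the article above.
RAZY_BTC = {
    "1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L", "1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq",
    "3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY", "1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj",
    "35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC", "34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ",
}
# Listed without a "0x" prefix; hex is case-insensitive, so compare lowercased.
RAZY_ETH = {a.lower() for a in (
    "33a7305aE6B77f3810364e89821E9B22e6a22d43",
    "2571B96E2d75b7EC617Fdd83b9e85370E833b3b1",
    "78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3",
)}

# Base58 Bitcoin address starting with 1 or 3 (case-sensitive, no 0/O/I/l).
BTC_RE = re.compile(r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![A-Za-z0-9])")
# 40 hex characters with an optional 0x prefix; longer hex runs (hashes) are skipped.
ETH_RE = re.compile(r"(?<![A-Za-z0-9])(?:0x)?([0-9a-fA-F]{40})(?![A-Za-z0-9])")

def find_razy_wallets(text):
    """Return a sorted list of (coin, address) pairs from the article's list found in text."""
    hits = {("BTC", m.group(0)) for m in BTC_RE.finditer(text) if m.group(0) in RAZY_BTC}
    hits |= {("ETH", m.group(1).lower()) for m in ETH_RE.finditer(text)
             if m.group(1).lower() in RAZY_ETH}
    return sorted(hits)

def scan_tree(root, suffixes=(".js", ".json", ".html")):
    """Scan script-like files under root; return {path: hits} for files with matches."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_razy_wallets(path.read_text(errors="ignore"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample of an injected script, for demonstration only.
# The third address is the well-known Bitcoin genesis address, not an indicator.
SAMPLE = '''
var donate = "1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L";
var eth = "0x33a7305ae6b77f3810364e89821e9b22e6a22d43";
var benign = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa";
'''

if __name__ == "__main__":
    for coin, addr in find_razy_wallets(SAMPLE):
        print(coin, addr)
```

A match only shows that one of the listed addresses is present in a file; an empty result does not rule out infection, since the addresses come from the specific scripts Kaspersky analysed.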
