MSIL/PSW.LiteCoin.A steals funds in the Litecoin system

Published on July 02, 2013

    Today we want to talk about a recently discovered Trojan that is aimed at stealing funds in the Litecoin digital currency system. Litecoin is an analog of the well-known Bitcoin system with some internal changes; more about this can be found here. In fact, there is already a considerable number of malicious programs that target users' funds in the Bitcoin system. One of the latest members of this malware family is Skynet, which ESET detects as Win32/Scoinet. A key feature of Scoinet is its use of the Tor anonymity service when creating its botnet infrastructure, which hinders sinkholing. In addition, the Scoinet malicious code uses the capabilities of another well-known banking Trojan, Zeus, to collect user account data, as well as the free CGMiner software for mining bitcoins.

    Our LiveGrid telemetry system shows that the Skynet botnet is still very active, and we have also observed DDoS attacks coming from this botnet. Statistics show that botnet activity increased by the end of March. Perhaps this is somehow related to the wave of DDoS attacks that followed in April. Interestingly, Win32/Scoinet activity was also seen in Holland.

    Fig. Win32/Scoinet.A activity timeline.

    Fig. Geographic distribution of Win32/Scoinet.A.

    More recently, we discovered a new Trojan that tries to steal virtual money in the form of an alternative digital currency called Litecoin. ESET detects this malicious code as MSIL/PSW.LiteCoin.A. In fact, its only capability is sending the wallet.dat file to the attackers' FTP server. The malicious code itself is written in C#.
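
    The behaviour described above (a process that is not the wallet client reads wallet.dat and then opens an FTP connection) can be hunted for in endpoint telemetry. The following is an added example, not code from ESET or from the original post; the event format, the sample events, the allowlist of wallet client names and the 60-second window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any platform

# Assumption: processes expected to open the wallet file legitimately.
WALLET_CLIENTS = {"litecoin-qt.exe", "litecoind.exe"}
FTP_PORT = "21"
WALLET = r"C:\Users\u\AppData\Roaming\Litecoin\wallet.dat"

# Constructed sample events: (time, pid, image, event type, detail).
SAMPLE_EVENTS = [
    ("2013-07-02T10:00:01", 4120, r"C:\Program Files\Litecoin\litecoin-qt.exe",
     "file_read", WALLET),
    ("2013-07-02T10:05:10", 5332, r"C:\Users\u\AppData\Local\Temp\update.exe",
     "file_read", WALLET),
    ("2013-07-02T10:05:12", 5332, r"C:\Users\u\AppData\Local\Temp\update.exe",
     "net_connect", "203.0.113.7:21"),
    # FTP client that never touched the wallet: not suspicious on its own.
    ("2013-07-02T10:06:00", 6001, r"C:\Tools\ftpclient.exe",
     "net_connect", "198.51.100.9:21"),
    # Wallet read followed by FTP 30 minutes later: outside the window.
    ("2013-07-02T11:00:00", 7000, r"C:\Tools\backup.exe", "file_read", WALLET),
    ("2013-07-02T11:30:00", 7000, r"C:\Tools\backup.exe",
     "net_connect", "198.51.100.9:21"),
]


def find_wallet_exfil(events, window=timedelta(seconds=60)):
    """Return (pid, image, wallet_path, destination) for every process outside
    the allowlist that read a wallet.dat file and then opened an FTP control
    connection within `window`."""
    recent_reads = {}  # pid -> (time of last wallet read, wallet path)
    alerts = []
    for ts, pid, image, kind, detail in sorted(events):  # ISO times sort as text
        when = datetime.fromisoformat(ts)
        if kind == "file_read" and basename(detail).lower() == "wallet.dat":
            if basename(image).lower() not in WALLET_CLIENTS:
                recent_reads[pid] = (when, detail)
        elif kind == "net_connect" and detail.rsplit(":", 1)[-1] == FTP_PORT:
            read = recent_reads.get(pid)
            if read and when - read[0] <= window:
                alerts.append((pid, image, read[1], detail))
    return alerts


if __name__ == "__main__":
    for alert in find_wallet_exfil(SAMPLE_EVENTS):
        print("wallet.dat read followed by FTP connection:", alert)
```
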

    According to LiveGrid, Win32/PSW.LiteCoin.A is not widespread at this time. At the same time, attacks on Litecoin may become popular among attackers in the future.