For folks in a mad rush to finally start cashing in on cryptocurrencies, beware SpriteCoin! The only people making money from SpriteCoin are the cyberthugs using ransomware to lock up the PCs of folks who fell for the promise that it was “sure to be a profitable coin.”
If expecting to make money and instead owing money to unlock an encrypted computer is not bad enough, there is a double whammy. Victims who coughed up the Monero payment demanded in the ransom note to decrypt their data are not given a decryption key. Instead, “another piece of malware is deployed with capabilities including certificate harvesting, image parsing and web camera activation,” researchers at Fortinet FortiGuard Labs warned.
SpriteCoin not real cryptocurrency, just a hacker scam
The researchers say SpriteCoin “is not really a true cryptocurrency, but is one that was created for this specific attack.” In this case, “the allure of quick wealth through cryptocurrency seems to be enough to trick unsuspecting users to rush toward the wallet app du jour without consideration.”
SpriteCoin is being advertised on online forums using cryptocurrency-themed spam. The home page for the supposed cryptocurrency states:
Victims who think that sounds good download and run the executable and are then asked to enter a wallet password. After the password is set, a “syncing” step claims to be downloading the blockchain. In reality, an encryption routine is running, and the victim’s Chrome and Firefox credentials are being sent to the attackers’ website.
Fortinet explained, “Once the user’s files have been encrypted (or when the user attempts to access an encrypted file) the ransom note is generated and displayed in a browser window informing the victim and offering decryption for a ransom fee.”
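The behavior described above, a single process reading browser credential stores while bulk-rewriting user files during its fake “syncing” step, can be turned into a simple behavioral detection. The following is an added illustration, not code from Fortinet or from the article; the endpoint telemetry, the process name wallet_setup.exe and the user path are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# File names of the browser credential stores SpriteCoin was reported to harvest
# (Chrome "Login Data"; Firefox logins.json plus its key4.db key store).
CREDENTIAL_STORES = ("login data", "logins.json", "key4.db")

def reads_credential_store(path):
    return path.lower().rsplit("\\", 1)[-1] in CREDENTIAL_STORES

def flag_credential_theft_with_encryption(events, min_writes=5, window=timedelta(seconds=60)):
    """Return (pid, process) pairs that read a browser credential store AND
    modified at least `min_writes` files within `window`, the combination the
    fake "syncing" step produces. Events: (iso_time, pid, process, action, path)."""
    by_pid = defaultdict(list)
    for ts, pid, proc, action, path in events:
        by_pid[pid].append((datetime.fromisoformat(ts), proc, action, path))
    flagged = []
    for pid, evs in by_pid.items():
        if not any(a == "read" and reads_credential_store(p) for _, _, a, p in evs):
            continue
        writes = sorted(t for t, _, a, _ in evs if a in ("write", "rename"))
        # sliding window over modification timestamps: a burst means bulk rewriting
        if any(writes[i + min_writes - 1] - writes[i] <= window
               for i in range(len(writes) - min_writes + 1)):
            flagged.append((pid, evs[0][1]))
    return flagged

# Constructed endpoint telemetry (not from the article): a fake wallet binary and a
# legitimate browser reading its own store. Process name and user path are placeholders.
USER = r"C:\Users\alice"
SAMPLE_EVENTS = [
    ("2018-01-22T10:00:01", 4120, "wallet_setup.exe", "read",
     USER + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("2018-01-22T10:00:02", 4120, "wallet_setup.exe", "read",
     USER + r"\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"),
    ("2018-01-22T10:00:09", 2210, "chrome.exe", "read",
     USER + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
] + [
    ("2018-01-22T10:00:%02d" % (3 + i), 4120, "wallet_setup.exe", "rename",
     USER + r"\Documents\report%d.docx.encrypted" % i) for i in range(6)
]

if __name__ == "__main__":
    print(flag_credential_theft_with_encryption(SAMPLE_EVENTS))  # [(4120, 'wallet_setup.exe')]
```

The browser itself reads its own store but never bursts file renames, so it is not flagged; only the process doing both within the window is.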
The ransom demanded is 0.3 Monero. At the time of writing, 0.3 Monero was equal to $97.
Paying the ransom will not release your computer
While not everyone will bow to the extortion and pay the ransom for a decryption key, those who do are in for another nasty surprise. Instead of the promised key to decrypt their files, what is delivered is a secondary malicious program identified as W32/Generic!tr.
Although the researchers have not fully analyzed the malware, they “can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”
“In this instance, it seems like the intent was not just about money,” FortiGuard Labs senior security researcher Tony Giandomenico told ZDNet. “What we infer is that the intent is not about the amount of money, but possibly about proof of concept or testing new delivery mechanisms, and to see how many people would fall for it. This is very similar to when attackers would test to see how effective or fast a worm would spread before really launching it. This could be the same concept.”