Jaxx wallet phishing campaign
News | 09/17/2018

Jaxx wallet phishing campaign: Cryptocurrency Miners Swindled of Blockchain Assets



Jaxx wallet phishing campaign aimed to drain user wallets

Cryptocurrency miners!

Are you in a dilemma about where to store the cryptocurrency you own? Are you wondering whether the Jaxx wallet is the right place to store the cryptocurrency you have bought?

The official Jaxx cryptocurrency wallet has been enmeshed in a phishing campaign designed to drain user wallets.

Before we go in depth into the Jaxx wallet phishing campaign, let us first get acquainted with cryptocurrency wallets.

Cryptocurrency wallets are necessary for trading Bitcoin or any other digital currency. Before you consider trading in cryptocurrency, you first need to know what cryptocurrency is and how it works.

A cryptocurrency wallet comprises two elements: a private key and a public address.

Private Key: To access a cryptocurrency wallet, the holder must own its private key. If this key falls into the wrong hands, it can lead to the embezzlement of the funds in your cryptocurrency wallet.

Public Address: To receive cryptocurrency funds, end users are provided with a public address, generally in the form of text or a QR code.

Owning a cryptocurrency wallet leaves you responsible for the security of your own capital.

What is Jaxx Wallet?

Jaxx is a simple tool, or rather a cryptocurrency wallet, that allows individuals and businesses to hold, control and trade blockchain assets such as Bitcoin, Litecoin, Ethereum, Monero and a dozen other cryptocurrencies.

It is a popular cryptocurrency wallet owned by Canadian blockchain startup Decentral and enjoys over 1.2 million downloads on both desktop and mobile platforms.

Why Jaxx Wallet?

Jaxx wallet has many defining features. These include:

  1. It supports the world’s leading cryptocurrencies and makes accessing and managing blockchain-based assets easier.
  2. The platform is reliable, secure and under the respective user’s control.
  3. Jaxx enables cross-platform pairing, including Mac, Windows and Linux desktops, Android and iOS mobile operating systems, and a Chrome browser extension.


Jaxx Wallet Phishing Campaign

Considering the popularity of this easy-to-use platform, threat actors designed a fraudulent version of the official Jaxx cryptocurrency wallet website that served malicious links. Clicking these links directed users to servers controlled by the attackers. It was a plain trick employed by threat actors to deceive users into revealing their wallet credentials and deprive them of their blockchain assets.

The legitimate Jaxx website domain is located at jaxx.io. Scam artists leveraged this simple-looking address to develop and launch a fake website with a similar name, jaxx.ws. This spoofed website used the Cloudflare content delivery network and was a carbon copy of the legitimate Jaxx domain.
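The jaxx.io versus jaxx.ws trick above is a TLD swap, one of the cheapest lookalike-domain techniques. The following is an added example, not code from the article or from Jaxx, of a small allow-list check a defender can put in front of a download link or a proxy log: it flags TLD swaps, one-character typosquats and the real brand name buried in an attacker's subdomain. The LEGIT_DOMAINS set, the two-label registrable-domain rule and the category names are assumptions for this example.

```python
from urllib.parse import urlsplit

# Legitimate brand domains (the article names jaxx.io as the real site).
LEGIT_DOMAINS = {"jaxx.io"}


def hostname(url: str) -> str:
    """Lowercase host of a URL, tolerating a missing scheme, port or path."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of a host; assumes no multi-label public suffixes (e.g. co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'tld-swap', 'typosquat', 'brand-in-subdomain' or 'unrelated'."""
    host = hostname(url)
    dom = registrable_domain(host)
    if dom in LEGIT_DOMAINS:
        return "legit"
    name, _, tld = dom.rpartition(".")
    for legit in LEGIT_DOMAINS:
        lname, _, ltld = legit.rpartition(".")
        if name == lname and tld != ltld:          # jaxx.ws mimicking jaxx.io
            return "tld-swap"
        if edit_distance(name, lname) == 1:         # jaxxx.io, jax.io, jaxz.io
            return "typosquat"
        if host != dom and lname in host.split(".")[:-2]:  # jaxx.io.<attacker>
            return "brand-in-subdomain"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://jaxx.io/download", "https://jaxx.ws/", "jaxx.io.evil.example"):
        print(u, "->", classify(u))
```

Anything other than "legit" is a reason to block the download or at least alert on the request.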

This fraudulent domain was in operation from August 19, 2018 and primarily targeted Microsoft Windows and macOS users. The masquerading Jaxx domain allowed the download of the legitimate Jaxx wallet software. However, the package came with a furtive malware payload in the form of a malicious Java Archive (JAR) file and a .NET application that installed stealthily in the background.

Malicious Payload Distribution – Jaxx wallet phishing campaign

The malware contained instructions for exfiltrating all system files to a command-and-control (C2) server controlled by the attackers. This included TXT, DOC and XLS files, the documents the attackers would most likely search for cryptocurrency wallet addresses.

Malicious Payload for Windows

On Windows systems the malicious payload was distributed as a .ZIP archive containing a malicious .NET binary.

Malicious Payload for macOS

On macOS it was distributed via JAR files which, when executed, showed they had been compiled with a Russian IDE (integrated development environment) named DevelNext. This indicates that the pernicious infection originated in Russia.

Moreover, the fraudulent site was known to be hosted by the Russian VPS (virtual private server) provider hostland[.]ru.

Jaxx Wallet Phishing Campaign – Threat Behavior

When the JAR files were executed, a message was displayed informing users that a new wallet could not be created due to technical issues. The victims were then rerouted to an application screen that asked for the Jaxx wallet backup phrase, a key requirement for compromising and decrypting the wallet to access the digital funds.

The backup phrase was delivered to the attacker’s web server while the victim was shown another error message, written in a mix of Russian and English. The error stated that the server was not available and that users should try again in 4 hours.

In addition, executing the corrupt payload led to the download of additional software: KPOT Stealer and Clipper malware, both of which originated on Russian underground forums.

KPOT Stealer was designed to steal information from hard drives.

Clipper was scripted to monitor the clipboard (a data buffer used for short-term data storage and/or data transfer between documents or applications by cut, copy and paste operations) for public addresses of digital wallets and to replace them with addresses controlled by the criminals.

Once the culprits gained access to user wallets, they infiltrated the malicious software into the system and stole cryptocurrency.

Mobile downloaders, however, were spared from the attack, as they were redirected back to the legitimate Jaxx domain.

Soon after the fraud came to light, Cloudflare suspended its services to the spoofed website. Jaxx also extended its support against the fake website to protect its customer base.

This was primarily a social engineering attack against Jaxx wallet users and did not involve a vulnerability or security lapse in the Jaxx application, website or systems.
