A fake Blockchain Security update is currently landing in inboxes in the hope of getting unwary users to install the Dark Comet RAT. It opens by telling the user that a new authentication process is in place and closes with a link to click on. It seeks to persuade people to trust it by saying: “As of today, a new authentication process will be in place. We value all of our customers and it’s our top priority to keep you and your bitcoins safe.”
So far, so good. However, the email then says: “Remove anti-virus, ignore pop-ups & malware If you’re seeing some of these problems with Chrome, you might have unwanted software or malware installed on your computer which will seems like but ignore you are safe. Pop-up ads and new tabs that won’t go away Your Chrome homepage or search engine keeps changing without your permission, you are still safe. Alerts about a virus or an infected device it doesn’t matter, you are safe.”
There are so many ways in which this should have users reaching for the delete button. The bad formatting and the poor English are just two. Just in case they aren’t obvious enough, what about that request that you remove all your security software? Perhaps the greatest claim here is the last sentence. After all, why should anyone worry about alerts about a virus?
Is there gold at the end of the rainbow?
The email finishes with a promise of gold at the end of the rainbow. It says: “An amount of crypto-currency a miner receives for processing transactions in a given block. Because creating (or “mining”) blocks is so crucial to the security of the Bitcoin network and yet so hard, the Bitcoin protocol includes a mechanism to encourage people to mine: every time a block is added, the miner who found the block is given 1.5 BTC (this number will change at the next halving in 2020) as a block reward.”
But there is a real kick in the pants here. Below the email is the request that the user: “kindly install block link”. The link below this is where things get bad.
Any user clicking on the link will find an installer window open. No matter what the user does now, Dark Comet will be installed on the computer.
Dark Comet RAT – a nasty surprise
Dark Comet RAT has been around for a number of years. Back in 2012, the original developer claimed to have stopped supporting it. Since then, there have been a number of unofficial versions of Dark Comet. These have been identified with several attackers and hacking groups from North Korea and led to last year’s arrest of a hacker in Ukraine.
Dark Comet steals user data and captures keystrokes and screenshots. This helps hackers attack bank accounts and steal user credentials. It can also be used to delete software and alter the underlying OS. Like all RATs, it is also a gateway allowing the attacker to install further malware on a user’s computer.
Enterprise Times: What does it mean?
This is probably one of the most blatant attempts to get users to install malware we have ever seen. There is no real attempt at subterfuge. Any email that wants security software to be disabled has to be a red flag.
What is hard to understand is how the attacker expects anyone to click on the link.
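The red flag the article points to, an email that tells the recipient to remove security software and ignore malware alerts, is easy to turn into a mail-gateway heuristic. The following is an added example, not code from the article or from any product it mentions: a small indicator scorer run over a constructed message built from the phrases quoted above and over a benign one for comparison. The indicator weights, the quarantine threshold and the `example.invalid` link are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Phishing indicators derived from the article's description of the email.
# Pattern weights are assumed for this example, not taken from any product.
INDICATORS = [
    (r"\b(remove|disable|uninstall|turn off)\b[^.]{0,40}"
     r"\b(anti-?virus|security software|anti-?malware)\b",
     5, "asks recipient to disable security software"),
    (r"\bignore\b[^.]{0,40}\b(alerts?|warnings?|pop-?ups?|malware)\b",
     4, "tells recipient to ignore security alerts"),
    (r"\b(kindly|please)\b[^.]{0,20}\b(install|click|download)\b",
     3, "urges installation via a link"),
    (r"\b(new|updated) authentication (process|procedure)\b",
     2, "pretext: new authentication process"),
    (r"\bkeep\b[^.]{0,40}\bsafe\b",
     1, "reassurance language"),
    (r"\byou are (still )?safe\b",
     2, "repeated 'you are safe' reassurance"),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    verdict: str = "allow"


def score_email(body: str, quarantine_threshold: int = 6) -> Verdict:
    """Score a message body against INDICATORS; each pattern counts once."""
    text = " ".join(body.split())  # collapse line breaks and runs of spaces
    v = Verdict()
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            v.score += weight
            v.reasons.append(why)
    # Threshold is an assumption; tune it against your own mail corpus.
    v.verdict = "quarantine" if v.score >= quarantine_threshold else "allow"
    return v


# Constructed sample built from the phrases the article quotes; the link is
# a placeholder, not the real campaign URL.
SAMPLE_PHISH = """As of today, a new authentication process will be in place.
We value all of our customers and it's our top priority to keep you and your
bitcoins safe. Remove anti-virus, ignore pop-ups & malware If you're seeing
some of these problems with Chrome, you might have unwanted software or malware
installed on your computer which will seems like but ignore you are safe.
Alerts about a virus or an infected device it doesn't matter, you are safe.
kindly install block link: hxxp://example.invalid/update"""

# Constructed benign sample for comparison.
SAMPLE_BENIGN = """Hello, your monthly statement for March is available.
Log in to your account to view it. If you have questions, reply to this
message."""


if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = score_email(body)
        print(f"{label}: score={result.score} verdict={result.verdict}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

Each indicator fires at most once, so a message that repeats “you are safe” several times is not over-counted; the weighting deliberately puts the “disable your antivirus” instruction on top, since that is the one request a legitimate vendor never makes.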