Bitcoin Infostealer Falls Prey to W32.Induc.A

The case of the Bitcoin Infostealer is getting curious: we blogged about a business analysis of Bitcoin mining, and we also blogged about malware designed to steal bitcoins from unsuspecting users (Infostealer.Coinbit).

Now we have found two more samples of Infostealer.Coinbit that are showing some evolution.

What is interesting about these new samples?

First of all, they seem to be from the same author as the sample we previously blogged about: the binary executables are very similar in structure, and they also contain the same strings:

Figure 1: Old vs. new – a comparison of strings dumped from different samples

The samples contain the same (or only slightly different) email account details, which are used to send the stolen bitcoin e-wallets to the attacker.

Second, they show some familiar data:

Figure 2: Part of the infection code of W32.Induc.A

Do you recognize this piece of code? We have already seen it in W32.Induc.A! Induc is a worm that infects Delphi source code files (not executable binaries), which means that the author of Infostealer.Coinbit was himself infected with W32.Induc.A: when he compiled the Delphi executable of the Infostealer, the Induc infection code was compiled into it as well (note that the original sample we blogged about was not infected by Induc).

Interestingly, we found all of these samples (infected and clean) through VirusTotal, and all of them were submitted to VirusTotal on the same day (June 15), which according to the bitcoin forum is the day the Infostealer began to spread.

One possible explanation is that the author developed the Infostealer without knowing he was infected by Induc; then, when he submitted it to VirusTotal (to check for potential AV detections), he realized his computer was infected and cleaned it, leading to the final, Induc-free binary that was released in the wild. It is also possible that the source code was in the possession of different people (some infected, some not). These are just theories, of course; we don't know what really happened.

Furthermore, the account passwords are left in the Infostealer executable in cleartext, ready for anyone to pick them out of the binary, and maybe this is why in one sample we can find a message from the author:

Figure 3: I think this roughly translates to “If you are looking for it, stop and go mine your bitcoins, or else I may get you the next time”

This message may be the result of the author previously having his account hacked and his data stolen. Despite the author's threat, forum users on Bitcoin.org may have already tracked him down, as is suggested in this forum posting.
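The two observations above (near-identical string tables across samples, and email account credentials sitting in cleartext next to each other) are exactly what a quick string-level triage surfaces. The following script is an added example, not code from this blog or from Symantec: it runs over two constructed byte blobs standing in for the old and new samples (every string in them is a placeholder), reports the strings they share with a Jaccard similarity score, and flags email addresses and the string that follows each one as a candidate cleartext credential pair (a heuristic assumption to confirm by hand, not a rule).

```python
import re

# Constructed stand-ins for two Delphi-built samples (not the real Coinbit
# binaries); every string inside them is a placeholder.
OLD_SAMPLE = (b"\x00MZ\x90\x00wallet.dat\x00smtp.example.invalid\x00"
              b"dropbox@example.invalid\x00Pa55-placeholder\x00\x7f\x01\x02")
NEW_SAMPLE = (b"\x00MZ\x90\x00wallet.dat\x00smtp.example.invalid\x00"
              b"dropbox2@example.invalid\x00Pa55-placeholder\x00"
              b"SysConst.pas\x00\x7f\x01\x02")

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, in file order (like `strings`)."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def compare_samples(a: bytes, b: bytes) -> dict:
    """Overlap of the string tables of two samples, plus a Jaccard score."""
    sa, sb = set(extract_strings(a)), set(extract_strings(b))
    union = sa | sb
    return {
        "shared": sorted(sa & sb),
        "only_in_a": sorted(sa - sb),
        "only_in_b": sorted(sb - sa),
        "similarity": len(sa & sb) / len(union) if union else 0.0,
        "emails": sorted(s for s in union if EMAIL_RE.match(s)),
    }


def credential_candidates(data: bytes) -> list:
    """Heuristic (an assumption, not a rule): an email address immediately
    followed by another string is often an account/password pair stored in
    cleartext; confirm by inspecting the binary."""
    strings = extract_strings(data)
    pairs = []
    for i, s in enumerate(strings[:-1]):
        if EMAIL_RE.match(s):
            pairs.append((s, strings[i + 1]))
    return pairs


if __name__ == "__main__":
    report = compare_samples(OLD_SAMPLE, NEW_SAMPLE)
    print("shared strings:", report["shared"])
    print("similarity:", round(report["similarity"], 2))
    print("email accounts:", report["emails"])
    print("old-sample credential pairs:", credential_candidates(OLD_SAMPLE))
```

On real files, replace the constructed blobs with `open(path, "rb").read()`; a high similarity score between a known sample and a new one is a cheap first signal that both came from the same code base.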

All of these samples are detected by our latest definitions, so we advise our customers to keep their AV definitions up to date and to take precautions when managing bitcoin data.

Thanks to Peter Coogan for his input on this blog.