The official Jaxx cryptocurrency wallet has become embroiled at the center of an elaborate phishing scheme designed to drain user wallets.
The legitimate Jaxx Liberty domain is located at jaxx .io. Unfortunately, scam artists recently saw an opportunity for criminal gain due to the simple address and launched a website with a similar name, jaxx .ws.
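The lookalike domain described here is a plain typosquat: the brand label is kept and only the TLD changes. As an added example (not code from the article, Flashpoint or Decentral), the following Python flags candidate domains that resemble a legitimate brand domain by the common patterns a defender would watch for in certificate-transparency or DNS logs: same label with a different TLD, a single edit away from the label, a homoglyph substitution, or the brand label embedded in a longer name. The candidate list and the homoglyph table are constructed for illustration.

```python
"""Flag domains that look like a typosquat of a legitimate brand domain.

Added example, not part of the original article. Assumes simple
label.tld domains; the legitimate domain and candidates are illustrative.
"""

LEGIT = "jaxx.io"

# Visually confusable substitutions, canonicalised to one form.
# Illustrative subset; a production list would be far longer.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def split_domain(domain):
    """Return (label, tld), lower-cased, for a dotted domain name."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def levenshtein(a, b):
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(label):
    """Map confusable character sequences to a canonical spelling."""
    out = label
    for src, dst in HOMOGLYPHS.items():
        out = out.replace(src, dst)
    return out


def classify(candidate, legit=LEGIT):
    """Return a reason string if candidate resembles legit, else None."""
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legit)
    if (c_label, c_tld) == (l_label, l_tld):
        return None  # the genuine domain
    if c_label == l_label:
        return f"same label, different TLD (.{c_tld})"  # the jaxx.ws pattern
    if c_tld == l_tld and normalize_homoglyphs(c_label) == normalize_homoglyphs(l_label):
        return "homoglyph substitution in label"
    if levenshtein(c_label, l_label) <= 1:
        return "edit distance 1 from brand label"
    if l_label in c_label:
        return "brand label embedded in longer label"
    return None


def scan(candidates, legit=LEGIT):
    """Return {domain: reason} for every candidate that looks like legit."""
    hits = {}
    for dom in candidates:
        reason = classify(dom, legit)
        if reason:
            hits[dom] = reason
    return hits


if __name__ == "__main__":
    # Constructed list of observed domains for demonstration.
    observed = ["jaxx.io", "jaxx.ws", "jax.io", "jaxx-liberty-download.com", "example.com"]
    for dom, why in scan(observed).items():
        print(f"{dom}: {why}")
```

Run on the constructed list, the genuine domain and `example.com` pass through and the other three are flagged with the matching reason; in practice the output feeds a takedown or blocklist workflow rather than being read by hand.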
According to Flashpoint researchers, the spoofed domain served a number of custom and commodity malware payloads with the end goal of stealing wallet credentials and emptying accounts of cryptocurrency.
The Jaxx cryptocurrency wallet supports Bitcoin (BTC), Ethereum (ETH), and over a dozen alt-coins. The wallet has been downloaded over 1.2 million times, which is a wide pool of victims for threat actors seeking to exploit the popularity of the software.
While it remains unknown how victims were lured to the fake website -- whether by search engine poisoning or phishing emails -- the spoofed website, which was using Cloudflare's content delivery network, was a "line-by-line" carbon copy of the true Jaxx domain.
However, the fake domain included altered download links which redirected victims to a server controlled by the attackers.
"It should be noted that this is primarily a social engineering attack and does not involve a vulnerability in the Jaxx application, website, or other domains owned by Decentral, a Canadian blockchain startup, that provides Jaxx," the researchers said.
The fraudulent domain, which appears to have been in operation from August 19, was used to primarily target Microsoft Windows and macOS users.
The fraudsters went so far as to ensure the legitimate Jaxx wallet software would be downloaded and installed from the fake website -- but the package came with a covert malware payload.
When macOS users downloaded wallet software from the malicious domain, the package included a custom, malicious Java Archive (JAR) file and a .NET application which contained the instructions for the exfiltration of all desktop files to the cyberattacker's command-and-control (C2) server.
In addition, the payload would download further malware in the form of KPOT Stealer and Clipper, both of which are found on Russian-language underground forums.
KPOT is used to steal information from hard drives, while Clipper monitors system clipboards for wallet addresses. In the latter case, if wallet addresses are found, they are swapped out for addresses controlled by the attackers.
"By changing these addresses in the clipboard, victims may not notice the modified recipient after copying and pasting these long alphanumeric addresses while sending payments," Flashpoint says.
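The clipper technique works only because the substituted address is well-formed and the user does not compare it with the one they copied. As an added example (not code from the article or from Flashpoint), the following Python shows the check a wallet front end or endpoint monitor can make: remember the address the user copied, compare it with what lands in the send field, and raise an alert when two valid wallet addresses of the same type differ. The address patterns are the standard Bitcoin and Ethereum formats; the sample copy/paste events are constructed.

```python
"""Detect clipboard address substitution of the kind attributed to Clipper.

Added example, not the article's or Flashpoint's code. Compares the address
a user copied with the address that arrives at the paste target; a mismatch
between two well-formed addresses of the same type is the clipper signature.
"""
import re

# Anchored format checks for the two address families Jaxx users are most
# likely to paste. Legacy BTC is base58 (no 0, O, I, l); bech32 uses its own
# 32-character alphabet; ETH is 0x followed by 40 hex digits.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return 'BTC', 'ETH' or None depending on the format of text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def check_paste(copied, pasted):
    """Compare what the user copied with what actually landed in the send field.

    Returns a dict with 'ok' and a 'reason'. A swap is reported when the copied
    text is a wallet address and the pasted text differs from it.
    """
    copied, pasted = copied.strip(), pasted.strip()
    copied_kind = address_type(copied)
    if copied_kind is None:
        return {"ok": True, "reason": "copied text is not a wallet address"}
    if copied == pasted:
        return {"ok": True, "reason": "unchanged"}
    if address_type(pasted) == copied_kind:
        # Same address family, different value: exactly what a clipper produces.
        return {"ok": False, "reason": f"{copied_kind} address replaced in clipboard",
                "expected": copied, "got": pasted}
    return {"ok": False, "reason": "clipboard content altered",
            "expected": copied, "got": pasted}


def scan_events(events):
    """Run check_paste over (copied, pasted) pairs and return only the alerts."""
    alerts = []
    for copied, pasted in events:
        result = check_paste(copied, pasted)
        if not result["ok"]:
            alerts.append(result)
    return alerts


# Constructed copy/paste events: one benign BTC paste, one ETH swap, one
# unrelated clipboard use. The addresses are synthetic and not real wallets.
SAMPLE_EVENTS = [
    ("1" + "A" * 33, "1" + "A" * 33),
    ("0x" + "a" * 40, "0x" + "b" * 40),
    ("meeting moved to 3pm", "meeting moved to 3pm"),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["reason"], "expected", alert["expected"], "got", alert["got"])
```

The check is deliberately conservative: ordinary clipboard traffic produces no alerts, and a true positive requires the copied value to have been a recognisable wallet address. A wallet UI would surface the alert before the transaction is signed, which is the only point at which the user can still refuse.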
When the JAR file -- which was compiled in DevelNext, a Russian-language IDE, suggesting a link to the country -- is executed, victims see a message in both Russian and English which says, "Temporarily due to technical problems on the server, you cannot create a new wallet."
The victim is then routed to a screen which requests their Jaxx wallet backup phrase, the key needed to restore the wallet and take control of its funds. This phrase is sent to the C2 server and the victim is shown another error message.
Windows victims are given a .ZIP archive with a malicious .NET binary that downloads the same malicious payloads. Mobile users, however, were spared: their downloads were redirected back to the legitimate Jaxx domain.
Armed with the key to user wallets, the threat actors would be able to infiltrate the software and steal cryptocurrency. However, it is not known how many victims could have fallen prey to the phishing scheme while it was active.
Jaxx support teams were notified by Flashpoint of the phishing campaign and Cloudflare has also suspended services to the fraudulent domain.
"This malware campaign indicates that cybercriminals may go to great lengths to socially engineer an organization's customers into installing malware to ultimately steal digital currency," Flashpoint says. "It's likely cybercriminals will continue to leverage commodity malware kits offered for sale in underground hacking forums to steal credentials and/or digital currency from victims."
Update 6.50 BST: A Decentral spokesperson told ZDNet:
"We recently learned someone had registered the domain name Jaxx.ws, and copied the content of our site to it. This is a classic phishing typosquat tactic, and Decentral handled it in the usual way.
We filed multiple infringement and takedown reports with Cloudflare, the site's California-based distributor; with Hostland, which we determined was the site's Russia-based host; and, for good measure, with Namesilo, the registrar that procured the Jaxx.WS domain for them.
Our work on this particular phish continues at the domain-name level. But we're pleased that the site was taken down - especially because the phish tried to take advantage of our major update to Jaxx, called Jaxx Liberty.
It's worth noting that the phishing attempt wasn't based on any vulnerability in Jaxx or in Jaxx Liberty. It was a mechanical typosquat that hoped to pull in casual Web surfers who might be looking for Jaxx or Jaxx Liberty, and redirect them to the wrong website.
Phishing poses a challenge for the whole community, and we strongly encourage community cooperation around its analysis, remediation, and prevention."
Decentral is not aware of any cases of users being taken in by the phishing attempt.
Cloudflare told ZDNet, "When we were made aware of what we determined to be a website intentionally distributing malware we took action against that website."