Trend Micro reveals new malware targeting crypto wallets on Windows

A new strain of info stealer Phemedrone Stealer appears to be targeting crypto wallets and messaging apps, analysts say.

Cybersecurity firm Trend Micro recently uncovered a previously unknown malware strain, which was exploiting a now-patched security flaw in Microsoft Windows. According to a report from the Texas-headquartered firm, Phemedrone Stealer focuses on web browsers and extracts data from crypto wallets, along with information from messaging apps like Telegram, Steam, and Discord.

Additionally, the malware goes beyond data theft by capturing screenshots and collecting system information, including details about hardware, location, and operating systems, say cybersecurity experts.

The stolen data is typically transmitted to the attackers through Telegram or a command-and-control (C&C) server. According to Trend Micro, the vulnerability arises from the lack of checks on Microsoft Defender and associated prompts on Internet Shortcut (.url) files. Threat actors exploit this vulnerability by creating .url files that download and execute malicious scripts, evading Windows Defender SmartScreen warnings and checks.

Despite the patch, Trend Micro notes that an increasing number of malware campaigns, including those distributing the Phemedrone Stealer payload, have incorporated this security gap into their attack chains. The scale of stolen crypto or private data due to Phemedrone Stealer remains unclear.

According to De.Fi’s REKT database, 2023 witnessed at least 455 incidents, with the largest hack amounting to $231 million, attributed to Multichain. Despite the alarming $2 billion total, the efforts of cybersecurity experts and white hat hackers led to the recovery of approximately $200 million from the overall sum, analysts say.