
CoinLurker: The Stealer Powering the Next Generation of Fake Updates

Dec. 17, 2024, 10:06 a.m.

Description

CoinLurker is a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, it employs advanced obfuscation and anti-analysis techniques, making it highly effective in modern cyberattacks. The malware is delivered through fake update campaigns, leveraging deceptive entry points that exploit user trust. It uses Microsoft Edge Webview2 as a stager and employs a multi-stage chain involving Binance Smart Contracts and Bitbucket repositories to conceal its payload. CoinLurker targets cryptocurrency wallets and financial applications, systematically enumerating directories to access sensitive user data. Its layered injection tactics and obfuscated functions make it challenging for analysts to reverse-engineer its logic.

Date

Published: Dec. 17, 2024, 9:57 a.m.

Created: Dec. 17, 2024, 9:57 a.m.

Modified: Dec. 17, 2024, 10:06 a.m.

Indicators


Attack Patterns

CoinLurker

MITRE ATT&CK techniques associated with this sample:

- T1553.002 (Subvert Trust Controls: Code Signing)
- T1012 (Query Registry)
- T1573 (Encrypted Channel)
- T1547 (Boot or Logon Autostart Execution)
- T1083 (File and Directory Discovery)
- T1071 (Application Layer Protocol)
- T1102 (Web Service)
- T1055 (Process Injection)
- T1036 (Masquerading)
- T1204 (User Execution)
- T1140 (Deobfuscate/Decode Files or Information)
- T1027 (Obfuscated Files or Information)
- T1056 (Input Capture)
- T1059 (Command and Scripting Interpreter)

Additional Information

Finance