Mt. Gox hackers hide malware in data dump


Hackers who infiltrated and commandeered systems belonging to Mark Karpeles, CEO of bitcoin exchange Mt. Gox, hid bitcoin-stealing malware in documents about missing bitcoins that many Gox users felt compelled to download, according to researchers at Kaspersky Lab.

The perpetrators of the cyberattack that opened the doors to Karpeles' company played Robin Hood in a statement released through the CEO's own blog. "Repost and share this info before it's gone," the statement reads. "Lots of people, including us, lost money and coins. Upvote this post. We stole no bitcoins. There were none to steal."

However, the hackers failed to mention that alongside the data they had supposedly plucked from Mt. Gox were "malware programs designed to search and steal Bitcoin wallet files from computers," according to a CSO report based on a blog post from Kaspersky security researcher Sergey Lozhkin.

According to the CSO article, both the Windows and Mac versions of the malicious program portray themselves as normal processes.

"When executed, they display a graphical interface for what appears to be a Mt. Gox database access tool," the article states. "However, in the background they launch a process--TibanneSocket.exe on Windows--that searches for bitcoin.conf and wallet.dat files on the user's computer, according to Lozhkin."

The malware would then send the bitcoins along to a remote server in Bulgaria, which has since been shut down. Lozhkin said hackers often use popular issues and social movements to further distribute predatory programs.

"It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people's keen interest in the Mt. Gox topic," Lozhkin said in his blog.

For more:
- read the CSO article
- read Lozhkin's blog
