Anyone who is active in cryptocurrency yet still downloads torrents, and who has no clear plan for storing a seed phrase securely, has a new reason for concern. A Trojan known as Efimer has been identified that can alter cryptocurrency wallet addresses directly in the clipboard. A single careless click is enough for funds to be redirected to wallets controlled by cybercriminals.
How Efimer Spreads
One of the primary vectors for Efimer’s distribution is through compromised WordPress sites. Unfortunately, WordPress remains the most popular and widely used content management system, attracting users ranging from small bloggers to large corporations. Cybercriminals exploit poorly secured websites, posting infected torrents that unsuspecting users may download.
Upon downloading a torrent from a compromised site, users receive a folder containing a file that masquerades as a movie, typically with the extension .xmpeg. This file cannot be opened without a special media player, conveniently included in the same folder. However, this so-called “player” is actually a Trojan installer.
Recently, Efimer has also been disseminated via phishing emails. Site and domain owners receive messages purportedly from lawyers demanding the removal of copyright-infringing content, with the details hidden in an attachment that contains the Trojan. Even if you do not own a website, you may still receive spam emails containing Efimer, as attackers compile email addresses from already compromised WordPress sites. Therefore, it is advisable to avoid opening attachments from such emails.
How Efimer Steals Cryptocurrency
Once Efimer is on a victim’s device, one of its scripts, provided the user has administrative rights, adds the malware to the exclusion list of Windows Defender, the built-in antivirus. The Trojan then installs a Tor client, which it uses to communicate with its command-and-control server.
Efimer monitors the clipboard, looking for a seed phrase (the unique sequence of words that allows a cryptocurrency wallet to be recovered). Any seed phrase it finds is captured and transmitted to the attackers’ server. If a cryptocurrency wallet address is found in the clipboard instead, Efimer silently replaces it with a fraudulent one. To keep the user from noticing, the substituted address is chosen to closely resemble the original, so the transfer the user believes is going to the intended recipient lands in a wallet belonging to the cybercriminals.
The primary targets include wallets holding Bitcoin, Ethereum, Monero, Tron, and Solana; however, owners of other cryptocurrencies should not feel secure, as Efimer’s developers periodically introduce additional scripts and support for new wallets. For a deeper understanding of Efimer’s capabilities, further insights can be found in a detailed analysis by Securelist.
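The address swap described above leaves a detectable trace: what arrives at the paste destination is a syntactically valid address of the same chain as what was copied, but not the same string. The following defender-side check is an added example (not part of the original article or of Securelist’s analysis); the address patterns are loose shape heuristics for the chains the article names, and the sample addresses are constructed, not real wallets.

```python
import re

# Loose shape heuristics for the chains the article names (constructed,
# not full validators; checked in this order because Solana's base58 shape
# also matches Bitcoin legacy and Tron addresses).
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero":   re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "tron":     re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "solana":   re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(addr):
    """Return the chain whose address shape matches, or None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(addr):
            return chain
    return None


def shared_prefix_len(a, b):
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))


def shared_suffix_len(a, b):
    return shared_prefix_len(a[::-1], b[::-1])


def check_paste(copied, pasted):
    """Compare the string the user copied with the string that was pasted.

    A clipper that swaps addresses produces a same-chain address that differs
    from the original; a look-alike swap additionally preserves the leading
    and/or trailing characters the user is likely to eyeball.
    """
    copied, pasted = copied.strip(), pasted.strip()
    if copied == pasted:
        return {"verdict": "ok"}
    chain = classify(copied)
    if chain is None:
        return {"verdict": "not-an-address"}
    if classify(pasted) != chain:
        return {"verdict": "changed", "chain": chain}
    prefix, suffix = shared_prefix_len(copied, pasted), shared_suffix_len(copied, pasted)
    return {"verdict": "swapped", "chain": chain, "lookalike": prefix >= 4 or suffix >= 4,
            "prefix_match": prefix, "suffix_match": suffix}


# Constructed sample: an Ethereum-shaped address and a look-alike that keeps
# the first and last four hex digits the user would glance at.
SAMPLE_COPIED = "0x" + "ab12" + "0" * 32 + "cd34"
SAMPLE_PASTED = "0x" + "ab12" + "f" * 32 + "cd34"
```

Wiring this into a real workflow means snapshotting the clipboard at copy time and comparing it with the value that lands in the wallet’s recipient field before confirming a transaction; the heuristics above only decide whether a difference looks like a clipper swap.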
Who is at Risk
This Trojan targets Windows users globally, with heightened activity noted in Brazil, Russia, India, Spain, Germany, and Italy. However, the geographical scope of attacks may expand, potentially reaching users in other countries. Those particularly at risk include cryptocurrency wallet holders, WordPress site owners, and individuals who frequently download movies, games, and torrents from the internet.
How to Protect Yourself from Efimer
Efimer is a versatile threat, capable of stealing cryptocurrency and altering wallet addresses. It is equally dangerous to individual users and to organizations, since it can exploit WordPress sites and use them to propagate itself. Importantly, infection can only occur if the potential victim downloads and opens a malicious file, which makes vigilance and caution (at the very least, not opening files downloaded from suspicious sources) the first line of defense against Efimer.
Here are some recommendations for home users:
- Utilize a reliable security solution that can scan files for malware and alert you to phishing links.
- Create unique and strong passwords. Storing them in notes is not advisable; instead, use a password manager.
- Enable two-factor authentication when logging into cryptocurrency wallets and websites.
- Avoid downloading files containing movies and games from unverified sites: pirated content is often rife with various Trojans. Even if you decide to take such risks, pay attention to file extensions: a typical video file will not have an extension of .exe or .xmpeg.
- Do not store seed phrases in plain text files; trust a password manager instead. For more information on protecting your cryptocurrency, refer to additional resources.