AhnLab Security Center


When Being Diligent Isn’t Always Good: Fake Windows Update Steals Bitcoins


With recent increases in the value of virtual currencies worldwide, such as bitcoins, there has been a spate of malware targeting such virtual currencies. Indeed, a recently discovered malware, disguised as a Windows Update notification as shown in Figure 1, spread as a spam email with the purpose of extorting bitcoins from unsuspecting victims.


[Figure. 1] A spam email disguised as a Windows update

When a recipient opens this email and runs the .exe file attachment to diligently update the system, the malicious file created with .net framework modifies the registry and downloads the malware from the C&C server.


[Figure. 2] Additionally downloaded malware

The downloaded malware finds the path of the bitcoins within the infected computer and then sends the bitcoin wallet information to the attacker through the C&C server as shown in Figure 3.


[Figure. 3] Bitcoin wallet sent to a C&C server

The attacker who designed this malware exploited the fact that bitcoins are generally saved in the %appdata%\Bitcoin folder on Windows systems.

As the value of bitcoins has surged, so too has the attention of cybercriminals. They are already trying various ways to extort bitcoins, such as phishing through a fake website, malware and changing the bitcoin wallet address of a recipient to the attacker's temporary address. Loss of bitcoin information has a direct connection to financial loss, thus users are warned to pay special attention.


The relevant aliases identified by AhnLab V3 is as below:
<Alias identified by AhnLab V3>
- Trojan/Win32.Zusy
- Trojan/Win32.Agent