{
  "name": "CoinLurker: The Stealer Powering the Next Generation of Fake Updates",
  "slug": "coinlurker-the-stealer-powering-the-next-generation-of-fake-updates",
  "description": "CoinLurker is a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, it employs advanced obfuscation and anti-analysis techniques, making it highly effective in modern cyberattacks. The malware is delivered through fake update campaigns, leveraging deceptive entry points that exploit user trust. It uses Microsoft Edge WebView2 as a stager and employs a multi-stage chain involving Binance Smart Contracts and Bitbucket repositories to conceal its payload. CoinLurker targets cryptocurrency wallets and financial applications, systematically enumerating directories to access sensitive user data. Its layered injection tactics and obfuscated functions make it challenging for analysts to reverse-engineer its logic.",
  "published": "2024-12-17T08:57:56+00:00",
  "created_at": "2024-12-17T08:57:56+00:00",
  "modified_at": "2024-12-17T09:06:14+00:00",
  "created_at_opencti": "2024-12-17T08:57:56+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-17",
    "coinlurker",
    "cryptocurrency"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://test-1627838.shop/endpoint"
      },
      {
        "id": "",
        "name": "http://smkn1leuwimunding.com/Updating.zip"
      },
      {
        "id": "",
        "name": "http://smolcatkgi.shop/endpoint"
      },
      {
        "id": "",
        "name": "http://peskpdfgif.shop/endpoint"
      },
      {
        "id": "",
        "name": "http://md928zs.shop/endpoint"
      },
      {
        "id": "",
        "name": "http://ndas8m92.shop/endpoint"
      },
      {
        "id": "",
        "name": "http://dais7nsa.shop/endpoint"
      },
      {
        "id": "",
        "name": "http://ajsdiaolke.shop/endpoint"
      },
      {
        "id": "",
        "name": "zovik.info"
      },
      {
        "id": "",
        "name": "paveldurov.sbs"
      },
      {
        "id": "",
        "name": "analfucker.lol"
      },
      {
        "id": "",
        "name": "fff7637514c6238443100fbc4d1fef626cebf043eef1aefa3a0f5ab6d0103bf6"
      },
      {
        "id": "",
        "name": "f79c62b820420bda78252197db842eabe63261a4e80fbdcec8d671ce3d0a43ef"
      },
      {
        "id": "",
        "name": "c8adb9bf6997a9fa2738a09600a60abc4fb6334aa54b24166cf042afdc5a1064"
      },
      {
        "id": "",
        "name": "cc2f65faf61154815b4fa151d9a27c01a160d7d46398c7e44169949a61c63c2b"
      },
      {
        "id": "",
        "name": "c643c087c68e51dfe422ddb48614675ab8e6aaecbe5704759c9978ac22b15f83"
      },
      {
        "id": "",
        "name": "be5e250168d37e7a9a4999d41a77cde19a6ac376a391f602b3496ace307ad0e8"
      },
      {
        "id": "",
        "name": "b761e91e77b67661db51d6b498ea39ccb6f143e51eeee18925a2dc4aab20adfa"
      },
      {
        "id": "",
        "name": "a7eca930c2aa851cae3475cb4f5d599058816d51e1cc55a82ae976a030794aac"
      },
      {
        "id": "",
        "name": "a12809c76461d00760bef767c98baf5909a4aed48f2256d3c42eb1ca62835c14"
      },
      {
        "id": "",
        "name": "a612bca9b5cbda864f4b808992de3d616c67b9120d8b24cbfa8a836ccdde9142"
      },
      {
        "id": "",
        "name": "a3c7b289054635f5239d453fb4be718298037ea6c1f4bf16954af1e9da2a53e2"
      },
      {
        "id": "",
        "name": "9c0c9945f81977269542f941c10fa28dbefe91078b6df68e97d61b58318cac9a"
      },
      {
        "id": "",
        "name": "9a036f20d758107d9434bd3bed682ff7d81393dc9d49fd6fe70d4b549045eaa2"
      },
      {
        "id": "",
        "name": "9ea70e081c13c4b0e30b43dd68a6a0e0cfb6926c990bbe8ddedd8d9693c953d6"
      },
      {
        "id": "",
        "name": "93cc9759d86f8b087b71583f577a5534e975ce9ac19ec3ec140efa6bbfad6bd0"
      },
      {
        "id": "",
        "name": "9374e1561a87a23b12ec586859661241b2eb5da822c0b4b874cdf9eda480363f"
      },
      {
        "id": "",
        "name": "9116c7878f51e6d8173d41a5a0e63ca16105dac954afedeaf1d5e06594cc4d41"
      },
      {
        "id": "",
        "name": "8d61f5b56f05daeef394dbc434abb96c1388aca8406e02445a72db1a65b9da3d"
      },
      {
        "id": "",
        "name": "82cc0f3f4aa70a8215b62db7ee9deac1c3d4dd27cde25cf56ec2f82ca7d146a9"
      },
      {
        "id": "",
        "name": "8119a59487c6ffe5382c03e3de8c70b2c2e26899b51dcc4794066a8e1f358bcb"
      },
      {
        "id": "",
        "name": "80b2950f1249d439105eac421660ddd15caab6de6afce3511f945deef1c0dd21"
      },
      {
        "id": "",
        "name": "6976c3e0ffbbbbb310995e70f24bf9501d017279d865ac4536aee25b316a92de"
      },
      {
        "id": "",
        "name": "7eede0e13ed9990afb465c2f612d85bc10c946dd2419323528a58707cef62899"
      },
      {
        "id": "",
        "name": "487156ae20cc6d8e7d922cebe35b197c28ae43134f7e04c5f6bd0f3e164a7120"
      },
      {
        "id": "",
        "name": "44521e1af289aa3473d7445d097766f1c3f3d8721d14b14ed6d5404994a03eb2"
      },
      {
        "id": "",
        "name": "397a0f6515a81f307b5289ff3e939a0e01a6c1a0f0515be9844ddc9c6031ad97"
      },
      {
        "id": "",
        "name": "324e1bf24f13d5a8f45cc5ee25d3dfe330a7e755b19901549976f2db02ca4fa4"
      },
      {
        "id": "",
        "name": "2c8f611b0f2c157f010c20379d4fcd725a8c462a8d226ae0095e3e0fb110ddbe"
      },
      {
        "id": "",
        "name": "3048030c0e3ff5e6e45bbb37e75d6e55fde8d77a928958dc34497177e077b69a"
      },
      {
        "id": "",
        "name": "269c3b26b215d397f012a20e241c54b2c693667d4f64243ebf8dba1a5872c02d"
      },
      {
        "id": "",
        "name": "2181c60e8727d5cfe7e713aa9731018168660ad2c96f31b08a729d1503dfc19a"
      },
      {
        "id": "",
        "name": "2198912e1a1f4a5b5f0dfe237b75d264c9be0b5b6f98f83a999117dd194e842c"
      },
      {
        "id": "",
        "name": "1f4624c44288f77327ec2e8d260399559b81c7cae442c31311736c2a2ec5f399"
      },
      {
        "id": "",
        "name": "18f882b6c16641be3899f4e5123d10bb5c448ac7b7dafe7adb6144176acae304"
      },
      {
        "id": "",
        "name": "162e4277a4cb2e3703df74529d83d47b66a5b46b0a93b3ac902b56da3e588fe9"
      },
      {
        "id": "",
        "name": "15be79b09fa5efe3ca3440a94e436124d97232436af91f64917b7095b559a210"
      },
      {
        "id": "",
        "name": "11cefe96966858c237a3aff132e5c54d0d1bcd343a23b23fcc24735bcefc811c"
      },
      {
        "id": "",
        "name": "0b5fe211d558daa7d54207d2869f53d0a91ae16397343fd2605fd3a0f292dd21"
      },
      {
        "id": "",
        "name": "0b420a565e5e6f6899ebcb1da2fc162b05f5a8b7bfe0f56f52a085f17abb253d"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:4f1510ae00eac36d",
        "name": "CoinLurker",
        "slug": "coinlurker"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d386766b-1606-48d8-8292-0eb82519ef92",
        "name": "CoinLurker",
        "slug": "coinlurker"
      }
    ],
    "attack_patterns": [
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates",
    "https://otx.alienvault.com/pulse/67614b24ff23c9fe76eca2a8"
  ]
}