New crypto-stealing malware hidden inside a “cracked” version of TradingView Premium
Mar 20, 2025 at 02:14 pm
Cybersecurity firm Malwarebytes has warned of a new form of crypto-stealing malware being disguised as "cracked" versions of TradingView Premium, software that provides charting tools for financial markets.
The scammers were hanging out on crypto subreddits, posting links to Windows and Mac installers for "TradingView Premium Cracked," which was actually laced with malware to steal personal data and drain crypto wallets, Jerome Segura, a senior security researcher at Malwarebytes, said in a March 18 blog post.
"We have heard of victims whose crypto wallets had been emptied and were subsequently impersonated by the criminals who sent phishing links to their contacts," Segura added.
The fraudsters claimed the programs were free and had been cracked directly from their official version, but they were actually riddled with malware. Source: Malwarebytes
The programs unlocked premium features of the software and could be used to chart various financial markets, such as crypto and forex. The Fibonacci levels on the chart appear to indicate a strong rally in BTC/USD.
"The HEAT is on and we're about to explode higher!" one user commented on the post.
"I hope they don't shut down the server and we can continue to get these types of programs," another user added.
As part of the snare, the fraudsters claimed the programs were free and had been cracked directly from their official version. But the programs actually contained two malware programs, Lumma Stealer and Atomic Stealer.
Lumma Stealer was an information stealer that had been around since 2022 and was said to mainly target cryptocurrency wallets and two-factor authentication (2FA) browser extensions. Atomic Stealer was first discovered in April 2023 and was known for being able to capture data such as administrator and keychain passwords.
Besides "TradingView Premium Cracked," the scammers offered other fraudulent trading programs to target crypto traders on Reddit.
Segura said one of the interesting aspects of the scheme was that the scammer also took the time to assist users in downloading the malware-ridden software and help resolve any issues with the download.
"What’s interesting with this particular scheme is how involved the original poster is, going through the thread and being ‘helpful’ to users asking questions or reporting an issue," Segura said.
"While the original post gives a heads-up that you are installing these files at your own risk, further down in the thread, we can read comments from the Original poster."
In this case, the scammer sticks around to assist users in downloading the malware-ridden software. Source: Malwarebytes
The origin of the malware wasn't clear, but Malwarebytes found that the website hosting the files belonged to a Dubai cleaning company, and the malware command and control server had been registered by someone in Russia roughly one week ago.
Segura says that cracked software has been prone to containing malware for decades, but the "lure of a free lunch is still very appealing."
Common red flags to watch out for with these types of scams are instructions to disable security software so the program can run and files that are password-protected, according to Malwarebytes.
In this instance, Segura says the "files are double zipped, with the final zip being password protected. For comparison, a legitimate executable would not need to be distributed in such fashion."
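The packaging red flag described above can be checked before anything is extracted or run. The following is an added example, not code from Malwarebytes or from this article: it walks a zip in memory and reports password-protected entries that sit inside a nested zip. The function names, file names, size cap and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

ENCRYPTED = 0x1            # ZIP general-purpose flag bit 0: entry needs a password
MAX_INNER = 50 * 1024**2   # assumed cap on nested archive size read into memory

def scan_archive(data, depth=0, max_depth=3):
    """Return (nesting depth, name) for every password-protected entry."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED:
                hits.append((depth, info.filename))  # contents hidden from scanners
            elif (info.filename.lower().endswith(".zip")
                  and depth < max_depth and info.file_size <= MAX_INNER):
                inner = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    hits += scan_archive(inner, depth + 1, max_depth)
    return hits

def is_red_flag(data):
    """True when a password-protected entry sits inside a nested zip."""
    return any(depth >= 1 for depth, _ in scan_archive(data))

def make_sample(name, payload, encrypted=False):
    """Build a constructed test zip; 'encrypted' only sets the header flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.rfind(b"PK\x01\x02")   # central directory record
        raw[cd + 8] |= ENCRYPTED        # flag field is at offset 8
    return bytes(raw)

# Constructed samples: a zip inside a zip whose inner entry is flagged encrypted,
# and a plain single-level zip for comparison.
INNER = make_sample("setup.exe", b"constructed placeholder bytes", encrypted=True)
DOUBLE_ZIPPED = make_sample("installer.zip", INNER)
PLAIN = make_sample("readme.txt", b"constructed text")

if __name__ == "__main__":
    print(scan_archive(DOUBLE_ZIPPED), is_red_flag(DOUBLE_ZIPPED))
    print(scan_archive(PLAIN), is_red_flag(PLAIN))
```

The check reads only archive metadata for protected entries, so it never needs the password and never unpacks the payload.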
According to a recent report from blockchain analytics firm Chainalysis, crypto crime has entered a professionalized era.
The firm's analysis of on-chain data showed that in 2023, there was an estimated $51 billion in illicit transaction volume. A majority of this activity could be attributed to a few large-scale cybercrime syndicates that were increasingly engaging in hybrid and convergent operations.