Press releases

Cryptocurrency Stealer BluStealer Spreads via Fake DHL Malspam Campaign

Avast Threat Labs traced cryptocurrency stealer, keylogger and document uploader that loads hack tools to steal credentials of thousands of users


Prague, Czech Republic, September 23, 2021 — Avast (LSE:AVST), a global leader in digital security and privacy, has identified a malicious spam (malspam) campaign created to spread BluStealer, a type of malware designed to steal cryptocoins such as Bitcoin, Ethereum, Monero and Litecoin from popular wallets including ArmoryDB, Bytecoin, Jaxx Liberty, Exodus, Electrum, Atomic, Guarda, and Coinomi. On September 10, Avast Threat Intelligence researchers discovered a spike in malspam campaign activity, abusing the names of shipping company DHL and Mexican metal production company General de Perfiles. Avast has tracked and blocked around 12,000 malicious emails distributing BluStealer. The countries most impacted by the spread of the malspam campaign include Turkey, United States, Argentina, United Kingdom, Italy, Greece, Spain, Czech Republic, and Romania.

The DHL malspam campaign sends emails to victims that imitate the design of a genuine DHL message in order to lure the target into a false sense of security. The email informs the user that a package has been delivered to their head office due to the recipient’s unavailability. The recipient is then asked to fill in an attached form to reschedule the delivery of the package. When the user tries to open the attachment, the installation of BluStealer is triggered. In the General de Perfiles example, those targeted receive information via email that they’ve overpaid invoices and that credit has been kept for them and will be billed against their next purchase. Just like the DHL campaign, the General de Perfiles message includes the malicious BluStealer attachment.

DHL

BluStealer is a keylogger, document uploader, and cryptocurrency stealer in one piece of malware. It can steal crypto wallet data such as private keys and credentials, which can result in the victim losing access to their wallet. BluStealer was also found to detect crypto addresses copied to the clipboard and replace them with the attacker’s predefined ones so that a transfer of crypto coins will arrive at the cybercriminal’s pocket instead of the legitimate holder. 

“Cryptocurrencies are getting increasingly popular, with crypto exchange platform Crypto.com estimating that there are over 100 million people worldwide owning cryptocurrencies. Moreover, cryptocurrency transactions are harder to track and undo. This all makes crypto users an attractive target for cybercriminals,” said Anh Ho, Malware Researcher at Avast. “The malspam campaigns we observed used social engineering, abusing the names of credible companies to convince people to click on an attachment. It’s an old trick with a new type of threat attached, and we ask people for continued awareness before clicking on any attachments.”

How BluStealer Works

A large number of the samples Avast found come from a particular campaign that is recognisable through a unique .NET loader. Both email samples contain .iso attachments and download URLs. The attachments contain the malware executables packed with the mentioned .NET Loader.

How to avoid BluStealer

Users of Avast One Essentials, Avast Free Antivirus and all paid versions are protected from BluStealer. Avast advises users to be wary of emails claiming to include shipping invoices or credit notes and not open attachments in unexpected or untrusted messages.

For more information, visit the Avast Decoded Blog.