Malware Disguised as Crypto Tools Exploiting Search Ads
A sophisticated malware campaign has been targeting users searching for crypto trading platforms like Binance and TradingView. Hackers are disguising malware as genuine crypto tools through malvertising – malicious ads and fake download links designed to appear legitimate.
Tracked by Microsoft since late 2024, the threat campaign has been observed delivering fake installers that, once launched, deploy a stealthy malware payload to the user’s system.
How the Malware Operates
The infection starts with a seemingly authentic download link presented in a boosted ad or an unofficial source. When clicked, the installer drops a dynamic-link library (DLL) onto the system. This DLL gathers detailed system information and establishes persistence.
Key technical actions performed by the malware include:
- Collecting Windows system, BIOS, GPU, and CPU details
- Creating remote access backdoors
- Downloading Node.js and malicious scripts
- Extracting browser credentials and saved data
- Disabling proxy settings
- Manipulating registry keys and adding rogue certificates
- Setting up PowerShell-based persistence mechanisms
According to Microsoft, the campaign evades detection by using scheduled PowerShell tasks to quietly run additional payloads in the background, so the activity never surfaces as an obviously malicious process.
Real-World Impact on Enterprise Systems
This malware campaign poses significant risks to enterprise networks. By targeting popular crypto tools like Binance and TradingView, attackers are exploiting users’ trust and curiosity to infect endpoints. Once inside a system, the malware can compromise internal credentials, allowing lateral movement or data theft.
The misuse of Node.js to run malicious scripts adds an extra layer of stealth, especially in developer environments where the runtime may be overlooked.
Microsoft’s Warning
Microsoft security researchers tracking the campaign have issued a clear warning about the risks:
“Threat actors are leaning into the popularity of cryptocurrency trading platforms to deliver malware through malvertising – fake ads and download links made to look like real software.”
How Enterprises Can Mitigate the Threat
Security teams should consider these proactive steps:
- Download only from verified sources: Use official websites and avoid third-party platforms or ad-based downloads.
- Inspect installers: Always verify digital signatures and sources before executing.
- Harden systems: Monitor or restrict Node.js usage on non-developer endpoints.
- Enable robust endpoint protection: Use security tools capable of detecting PowerShell-based persistence and suspicious scripts.
- Monitor browser credential storage: Check for unusual access patterns or saved credential exports.
- Patch all software regularly: Ensure browsers, the OS, and security solutions are kept up to date.
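The scheduled-PowerShell persistence and the Node.js abuse described above can be triaged on an endpoint with a short hunting script. The following is an added example, not code from Microsoft's report or the campaign analysis; the list of script hosts and the argument indicators are assumptions chosen for triage, not indicators published for this campaign.

```powershell
# Added hunting example; not code from Microsoft's report or any vendor tool.
# Flags scheduled tasks whose action launches a script host (powershell.exe,
# pwsh.exe, node.exe, ...) with arguments typical of hidden, staged persistence.
$ScriptHosts = @('powershell.exe', 'pwsh.exe', 'node.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
# Lower-case substrings; each one found in the task arguments counts as an indicator.
# These are assumed, generic triage indicators, not IoCs from the report.
$ArgIndicators = @(
    '-enc', '-encodedcommand', '-windowstyle hidden', '-w hidden',
    '-nop', '-noprofile', '-executionpolicy bypass', '-ep bypass',
    'downloadstring', 'invoke-webrequest', 'iwr ', 'iex ', 'invoke-expression',
    'frombase64string', '\appdata\', '\temp\', '\programdata\', '\users\public\'
)

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Minimum number of matched indicators before a task is reported.
        [int]$MinScore = 1
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry a program path; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
            if ($ScriptHosts -notcontains $exe) { continue }
            $arguments = ([string]$action.Arguments).ToLowerInvariant()
            $hits = @($ArgIndicators | Where-Object { $arguments.Contains($_) })
            # node.exe launched by a scheduled task is unusual enough on a
            # non-developer endpoint to report even without argument indicators.
            if ($exe -eq 'node.exe' -and $hits.Count -eq 0) { $hits = @('node.exe launched by task') }
            if ($hits.Count -lt $MinScore) { continue }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                Execute    = $action.Execute
                Arguments  = $action.Arguments
                Indicators = ($hits -join '; ')
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
            }
        }
    }
}

Get-SuspiciousScheduledTask | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

Legitimate administrative and vendor tasks will also match some indicators, so treat the output as a triage list and verify each task's author, script path and signature before acting on it. Running it from an elevated session is needed to see tasks registered by other users and by SYSTEM.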