The dmechant Malware Preys on Cryptocurrency Wallets and Browser Data
A previously unknown cybercrime group is spreading a new piece of malware called dmechant. The criminals approach their victims through phishing emails that urge them to download a file attachment. The bogus messages cover a wide range of topics, such as pending deliveries, unconfirmed orders and invoices, all chosen to attract the recipient's attention. The attachment is usually a DOCX document that carries a hidden, malicious macro script. If the user allows the macro to run, the system may end up compromised by the dmechant Malware.
Once launched, the payload performs several tasks: it copies its files to multiple folders and establishes persistence by creating a new registry key that makes Windows start the dmechant Malware automatically. This threat's behavior is similar to that of infostealers like the Ducky Stealer.
But what is the malware's purpose? It does not damage the system or cause any noticeable changes that will alert the victim. Instead, it works silently in the background to collect data related to cryptocurrency wallets, Web browsers, and other popular services. The stolen data is typically stored in a text document, which is later transferred to the attackers via the SMTP (email) protocol.
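As an added detection example (not from the original article), the following Python check runs over constructed Sysmon-style events and flags the chain described above: a payload spawned by Word, a Run-key entry pointing at a user-writable path, and an SMTP connection from a process that is not a mail client. The event field names, the Office and mail-client process lists, and what counts as a user-writable path are assumptions.

```python
"""Flag the macro -> persistence -> SMTP exfiltration chain in Sysmon-like events.

Constructed sample events (not real telemetry); field names follow Sysmon
EventID 1 (process create), 13 (registry value set) and 3 (network connect).
"""
import re

# Assumption: a payload dropped by a macro lands in a user-writable location,
# while legitimate autostart entries usually point into Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\Downloads|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")  # assumed legitimate SMTP users
SMTP_PORTS = {25, 465, 587}


def detect(events):
    """Return (event_index, reason) pairs for events matching the chain."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == 1:  # process creation: Office parent, child in a user-writable path
            parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
            if parent in OFFICE and USER_WRITABLE.search(ev["Image"]):
                hits.append((i, "office-spawned payload from user-writable path"))
        elif eid == 13:  # registry value set under a Run key, data in a user-writable path
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
                hits.append((i, "Run-key persistence pointing to user-writable path"))
        elif eid == 3:  # network connection to an SMTP port from a non-mail process
            image = ev["Image"].rsplit("\\", 1)[-1].lower()
            if ev["DestinationPort"] in SMTP_PORTS and image not in MAIL_CLIENTS:
                hits.append((i, "SMTP connection from non-mail process"))
    return hits


# Constructed sample: one benign Run entry and one Outlook SMTP session mixed
# with a Word-spawned payload that persists via HKU\...\Run and talks SMTP.
SAMPLE = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe", "DestinationPort": 587},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationPort": 587},
]

if __name__ == "__main__":
    for idx, reason in detect(SAMPLE):
        print(f"event {idx}: {reason}")
```

The benign OneDrive Run entry and the Outlook SMTP session are left alone; only the three events belonging to the malicious chain are reported.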
dmechant Tries to Steal Data from Ten Cryptocurrency Wallets
By default, the dmechant Malware targets ten particular cryptocurrency wallets: Coinomi, Guarda, Atomic, Electrum, Exodus, Ethereum, Jaxx Liberty, Bytecoin, Armory, and Zcash. It also gathers data from popular Web browsers, focusing primarily on saved login credentials, and it can target a wide range of FTP, email, and VPN clients, including FoxMail, NordVPN, FileZilla, and Thunderbird.
The dmechant Malware is a dangerous information stealer whose attack may go unnoticed – users will only find out that there is something wrong when their accounts are no longer accessible, or their crypto wallets are emptied out. You can prevent this by taking the necessary measures to protect your system – running an up-to-date antivirus tool is enough to mitigate attacks like the one that the dmechant Malware carries out.