Residents of Spain and Argentina received most of the Meh malware attacks for stealing cryptocurrencies

The Czech cybersecurity company Avast reported a family of malware that affects Windows computers: Meh, which mainly attacks residents of Spain and Argentina. This was announced by the digital newspaper Finance bit.

After analyzing Meh version 1.0.0a, which is written in Delphi, the Czech company published information about this malware family on its Decoded blog. The malware mines cryptocurrency and steals cryptocurrency wallets, steals passwords and clipboard contents from affected users, and carries out advertising fraud on websites via a remote access tool (RAT).

After the analysis, the company found that since June of this year Spain has led the world with around 88,000 infection attempts among Avast users. Argentina ranks second with 2,000 affected users in the country, and Mexico third with 1,500 registered attacks, according to the company's approximate figures.

How does it work


Meh runs several threads, each with its own function when the malware attacks. These threads are: the injection thread, the installation and persistence thread, the anti-AV check and anti-IObit Malware Fighter thread, the coin thread, torrent download, clipboard theft and keylogging, ad fraud, and the crypto wallet theft thread.

As for the last of these: once the malware has entered and infected the computer, it can detect and steal the victim's crypto wallet. The login details are then automatically sent to a C&C server, that is, a command and control server that receives all the information the malware has collected from the infected PC.

Writing on the blog, its author, Jan Rubín, said of the coin thread that it has a functionality named "Coinage" that installs a coin-mining program, which can do its job as long as no antivirus such as Norton, Nod32 or Bitdefender is installed on the system.

“The Coin Miner thread can also be influenced by the RAT module. When the RAT module receives a command to stop mining, it fills the coinimer file with a nominal string, which deactivates coinmining,” explained Rubín.

According to the report, the malware is downloaded from a specific URL that depends on whether the operating system is 32-bit or 64-bit. The company also stated that Meh installs XMRig, a program used to mine XMR, the native asset of the Monero blockchain.

Also, users can protect themselves by installing antivirus programs on their PCs and avoiding downloading content from torrent sites.

“Torrent downloads often contain malware, and users may be unaware of how they are downloading files, so we always recommend that users use trusted services rather than file-sharing platforms,” recommended Jan Rubín.

Ghimob, a new banking trojan in Brazil

In this context, the international computer security company Kaspersky presented the new banking Trojan that was recently discovered in Brazil: Ghimob.

This new Trojan is said to infect mobile devices, targeting 153 financial applications in Latin America and the rest of the world.

According to the statements on the Kaspersky site, once Ghimob infects the device, it can access the device, take control of it, and complete the fraud process from the victim's own mobile phone. When the device is protected by a pattern or password, Ghimob can record it and replay it to unlock the device as many times as necessary to complete the fraud process.
