Backdoored Litecoin Malware Wallet Spread via Typosquatted Domains

Share with your network!

Litecoin Malware Overview

Cryptocurrencies are increasingly being used for mainstream applications, outside of the dark web markets where they still dominate for anonymous payments. As a result, we are observing phishing attacks and various schemes targeting cryptocurrency wallets and credentials for online exchanges more frequently, with cybercriminals hoping to steal significant sums of largely untraceable currency. The most recent of these targets the Litecoin platform, the popularity of which is increasing globally.

Crypto Phishing Analysis

Proofpoint researchers regularly monitor newly registered domains with particular attention to typosquatting and areas of emerging interest (like cryptocurrencies) for attackers. In this case, we noticed two interesting cryptocurrency phishing domains itecoin[.]org and ltecoin[.]org that were created and which appeared to be clones of the legitimate site

Legitimate Screenshot

Figure 1: Legitimate

Imposter Phishing Screenshot

Figure 2: Imposter website ltecoin[.]org with stolen branding and creative

The websites do not share the same hosting. DNS information is shown below for both domains:

$ host has address has address is an alias for has address mail is handled by 50 mail is handled by 10 mail is handled by 20 mail is handled by 40 mail is handled by 30

$ host has address is an alias for has address mail is handled by 10 mail is handled by 30 mail is handled by 20


Whois information for the typosquatted ltecoin[.]org appears very suspicious:

Registrant Name: Jeanine oConnor
Registrant Organization:
Registrant Street: 1997 Ballenger Road
Registrant City: Wellford
Registrant State/Province:
Registrant Postal Code: 29385
Registrant Country: US
Registrant Phone: +1.3146068833
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:


The registrant also recently registered, likely soon to be a phishing site for the Kraken Bitcoin Exchange,

As on the legitimate Litecoin site, users are presented with the option of downloading wallet software from the ltecoin[.]org homepage. When they click the download button, users are presented with a binary, litecoin-0.13.2-win64-setup.exe.

Backdoored Litecoin Malware Wallet Download Screen

Figure 3: Backdoored Litecoin wallet downloaded from imposter site itecoin[.]org

This is not the wallet software we are expecting based on the comparison of the MD5 hashes for both the legitimate current version of the Litecoin wallet and the version from the typosquatted domain.

MD5 (litecoin-0.13.2-win64-setup_legit.exe) = 3c3ccbd9e12a21b2c126d4b39157a0b2

MD5 (litecoin-0.13.2-win64-setup_fake.exe) = 1b28344109583aede4720e6cc0a3be0e


The backdoored Litecoin binary contains an extra file, plugins.exe. The legitimate contents of the Litecoin wallet installer are on the right.

Comparison of Real vs. Litecoin Malware Folder Contents

Figure 4: Comparison of the contents of the backdoored (left) and legitimate (right) litecoin wallet programs.

The MD5 hash for the plugins.exe file is shown below:

$ md5sum plugins.exe
76a47c60a9154a3f3c4c578e9425bbf1  plugins.exe


Upon execution, the file extracts a resource, decodes it and writes to the startup folder as winsvc.exe, and launches. The launcher (plugins.exe) is deleted.

Encoded Litecoin Malware File

Figure 5: Encoded file ‘BARGAINWEDDING’ as a resource in the ‘plugins.exe’ dropper.

Figure 6 shows the newly installed winsvc.exe executing from the startup folder. Winsvc.exe is actually a keylogger.

Litecoin Keylogger Executable Startup Folder

Figure 6: The keylogger executing from the startup folder.

Upon execution after a sleep, the malware makes an HTTP POST to the command and control (C&C) and send HTML-formatted scraped keylogs and a screenshot of the infected user’s desktop.

HTTP Post to Keylogger

Figure 7: HTTP POST to the keylogger C&C

DNS information for the C&C is shown below:

$ host has address is an alias for has address mail is handled by 10 mail is handled by 20


The keylogger has been in use for some time and likely goes by the name ‘XKey’. It is fairly well detected according to VirusTotal and has been seen utilised in other incidents.


As the use of cryptocurrencies becomes more commonplace, so too will attacks involving the underlying platforms and technologies. Traditional bank credential theft remains extremely common and banking Trojans designed to steal credentials and facilitate fraudulent transactions are frequent payloads in both email and web-based attacks. As always, though, threat actors follow the money as well as the easiest paths to profit, making cryptocurrencies increasingly attractive targets.

We immediately notified the hosting company (Namecheap) about the imposter websites but the sites have not been taken down as of July 26, 2017.

ET and ETPRO Suricata/Snort Coverage

ET OPEN signature 2019965