
Fake Microsoft DirectX 12 site pushes crypto-stealing malware

April 24, 2021
BleepingComputer reports that a fake Microsoft DirectX 12 download page is spreading cryptocurrency-stealing malware.

The fake website carries a disclaimer, a DMCA infringement page, a contact form and a privacy policy, all of which lend it an air of legitimacy. Clicking the download button, however, sends the user to an external page that serves a file named either 6083040a__Disclaimer.zip or 6080b4_DirectX-12-Down.zip, depending on whether the 32-bit or 64-bit version is chosen. The payload in either archive is an information stealer that targets the victim's passwords, files and cryptocurrency wallets, including those of Aomtic, Coinomi, Electron Cash, Jaxx and Ledger Live. One simple check defeats the lure: Microsoft does not offer DirectX 12 as a standalone download. It ships with Windows 10 and later and is serviced through Windows Update, so any site offering a "DirectX 12 installer" should be treated as suspect.

The stealer also collects the user's browser cookies, the list of installed programs, system information and files, and takes a screenshot of the victim's desktop. Everything it gathers is staged in a folder under %Temp%, compressed into a zip archive and sent back to the attacker, who can use it for further malicious activity such as account takeover and wallet theft.
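The "stage in %Temp%, zip, send home" sequence described above is a pattern a detection engineer can correlate on endpoint telemetry. The following is an added example written for this page, not code from the article or from BleepingComputer, and it does not reproduce the malware. It runs a small correlation rule over constructed Sysmon-style event lines (FileCreate, Event ID 11, and NetworkConnect, Event ID 3): a process that writes a .zip under the user's %Temp% directory and then opens an outbound connection within a short window is flagged. The event format, the field names, the 60-second window and the default %Temp% path (`AppData\Local\Temp`) are all assumptions made for illustration.

```python
"""Correlate 'stage under %Temp%, zip, exfiltrate' behaviour in Sysmon-style events.

Added example (not from the article). Event lines are constructed to resemble
Sysmon FileCreate (EventID 11) and NetworkConnect (EventID 3) records; the
field names, the 60-second window and the %Temp% path are assumptions.
"""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)                # assumed correlation window
TEMP_MARKER = "\\appdata\\local\\temp\\"      # assumed default per-user %Temp%

# Constructed sample telemetry (not real logs). PID 4120 stages loot in %Temp%,
# zips it and connects out; PID 5000 zips a file but connects out only minutes
# later; PID 6100 connects out without ever writing a zip.
SAMPLE_EVENTS = [
    r"2021-04-24T10:00:01 EventID=11 ProcessId=4120 Image=C:\Users\u\Downloads\DirectX-12-Down.exe TargetFilename=C:\Users\u\AppData\Local\Temp\stage\cookies.txt",
    r"2021-04-24T10:00:02 EventID=11 ProcessId=4120 Image=C:\Users\u\Downloads\DirectX-12-Down.exe TargetFilename=C:\Users\u\AppData\Local\Temp\stage\screenshot.png",
    r"2021-04-24T10:00:05 EventID=11 ProcessId=4120 Image=C:\Users\u\Downloads\DirectX-12-Down.exe TargetFilename=C:\Users\u\AppData\Local\Temp\stage.zip",
    r"2021-04-24T10:00:09 EventID=3 ProcessId=4120 Image=C:\Users\u\Downloads\DirectX-12-Down.exe DestinationIp=203.0.113.10 DestinationPort=443",
    r"2021-04-24T10:01:00 EventID=11 ProcessId=5000 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\u\AppData\Local\Temp\report.zip",
    r"2021-04-24T10:01:30 EventID=3 ProcessId=6100 Image=C:\Users\u\AppData\Local\Chrome\chrome.exe DestinationIp=198.51.100.7 DestinationPort=443",
    r"2021-04-24T10:05:00 EventID=3 ProcessId=5000 Image=C:\Windows\explorer.exe DestinationIp=198.51.100.9 DestinationPort=445",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split '<iso-timestamp> key=value key=value ...' into a dict with a 'ts' datetime."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def find_stage_zip_exfil(lines, window=WINDOW):
    """Return (pid, image, zip_path, dest_ip) tuples for every process that wrote a
    .zip under %Temp% and then made an outbound connection within `window`.

    Only FileCreate events for .zip paths under %Temp% are remembered; the
    earlier loot files (cookies.txt, screenshot.png) are deliberately ignored
    because many legitimate programs write small files to %Temp%."""
    zips_by_pid = {}   # pid -> list of (ts, zip_path, image)
    alerts = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        pid = ev.get("ProcessId")
        if ev.get("EventID") == "11":
            path = ev.get("TargetFilename", "")
            low = path.lower()
            if TEMP_MARKER in low and low.endswith(".zip"):
                zips_by_pid.setdefault(pid, []).append((ev["ts"], path, ev.get("Image", "")))
        elif ev.get("EventID") == "3":
            # A connection counts only if it follows the zip write within the window.
            for ts, path, image in zips_by_pid.get(pid, []):
                if timedelta(0) <= ev["ts"] - ts <= window:
                    alerts.append((pid, image, path, ev.get("DestinationIp")))
    return alerts


if __name__ == "__main__":
    for pid, image, zip_path, dest in find_stage_zip_exfil(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} zip={zip_path} dest={dest}")
```

Run as a script it prints a single alert for PID 4120; explorer.exe's zip is not flagged because its connection comes four minutes later, and chrome.exe never wrote an archive. In production the rule would be tuned with an allow-list of known archivers and a tighter definition of "outbound" (excluding internal ranges), but the correlation itself, archive creation in a user-writable temp location followed by a network connection from the same process, is what separates this stealer's staging behaviour from routine %Temp% churn.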
Jill Aitoro

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.
