Coingotrade

Malware Profile Updated 3 months ago
CoinGoTrade is malicious software (malware) disguised as a legitimate cryptocurrency wallet application. It installs itself in the /Applications/CoinGoTrade.app/Contents/MacOS/ folder and presents a fully functional wallet program to its victims. The malware was first brought to public attention on June 3rd via a tweet from researcher @ccxsaber, which revealed a domain at coingotrade.com set up to lure victims into downloading the fake app.

CoinGoTrade is likely a clone of an open-source cryptocurrency wallet application and carries payloads similar in functionality to those found in other malware, such as the macOS X stage 2 from CoinGoTrade and Kupay Wallet, or the Windows stage 2 from Union Crypto. CoinGoTrade has strong links to AppleJeus, a long-running cyber threat campaign that uses trojanized trading applications to facilitate cryptocurrency theft. CoinGoTrade represents the fifth version of AppleJeus; previous versions used an older variant of the POOLRAT malware. This connection is further substantiated by the simultaneous circulation of CoinGoTrade, TinkaOTP, and Cryptoistic, another family of lightweight backdoor binaries written primarily in Objective-C and C. Unlike CoinGoTrade, Cryptoistic is written in Swift but contains a significant amount of code bridged to Objective-C, suggesting a developer more familiar with the older language.

The practice of trojanizing cryptocurrency-related apps began with the AppleJeus operation in 2018. The group behind these operations appears to have met with reasonable success, as evidenced by the emergence of new attempts such as CoinGoTrade and Cryptoistic in 2020. If CoinGoTrade is already installed on a system and the user attempts to install Kupay Wallet, or if Kupay Wallet is already installed and the user tries to install CoinGoTrade or Dorusio, all CoinGoTrade files will be deleted.
For more detailed information about CoinGoTrade and its connection to AppleJeus, refer to the MAR-10322463-5.v1 analysis report on the U.S. Cybersecurity & Infrastructure Security Agency (CISA) website.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
AppleJeus | 2 | AppleJeus is a notorious malware attributed to the North Korean APT Lazarus Group, designed primarily to steal cryptocurrency. This malicious software has been a key instrument in North Korea's financial theft operations, with threat groups pilfering $2.3 billion USD worth of crypto assets between M
Kupay Wallet | 1 | Kupay Wallet is a malicious software (malware) identified as part of the AppleJeus Version 4 malware family, developed and deployed by North Korean hackers, referred to by the U.S. government as HIDDEN COBRA. The malware was developed between March 2018 and September 2020, alongside other malicious
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:

T1583.001
T1033
T1041
T1059.004
Windows
Malware
Trojan
T1071.001
Backdoor
macOS
Associated Malware
ID | Type | Votes | Profile Description
Dorusio | Unspecified | 1 | Dorusio is a malware application that is part of the "AppleJeus" family, a group of malicious cryptocurrency applications developed by North Korean hackers, also known as HIDDEN COBRA. The Dorusio program, which mimics an open-source cryptocurrency wallet application, was developed alongside other m
Cryptoistic | Unspecified | 1 | Cryptoistic is a malware that was compiled on April 2nd, 2020, and is designed to exploit and damage computer systems. It appears to be part of a trend of trojanizing cryptocurrency-related apps and was circulated at the same time as TinkaOTP and CoinGoTrade. While CoinGoTrade is written primarily i
Poolrat | Unspecified | 1 | PoolRat, a harmful malware previously classified as SimpleSea by threat intelligence firms, is designed to exploit and damage computer systems. This C/C++ macOS implant has the capability of collecting basic system information and executing arbitrary commands, including carrying out file operations.
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CoinGoTrade malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | a year ago | N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
MITRE | a year ago | Four Distinct Families of Lazarus Malware Target Apple's macOS Platform
CERT-EU | a year ago | 3CX hack highlights risk of cascading software supply-chain compromises
MITRE | a year ago | AppleJeus: Analysis of North Korea's Cryptocurrency Malware | CISA