Union Crypto Trader

Union Crypto Trader is a malicious software (malware) that targets cryptocurrency applications, specifically the Blackbird Bitcoin Arbitrage application. It was discovered that both Celas LLC and JMT Trader had previously modified the same type of cryptocurrency application, Q.T. Bitcoin Trader. Union Crypto Trader, along with JMT Trader, perform similar actions and share identical functionality. The malware operates covertly, often without the knowledge of the user, to exploit and damage computer systems. Its primary mode of entry is through suspicious downloads, emails, or websites. Once installed, Union Crypto Trader presents itself as a service that "automatically installs updates for Union Crypto Trader." Upon launch, it collects the victim's host information through a method known as System Owner/User Discovery (T1033). The collected data is then combined into a string, which is subsequently MD5 hashed and stored in the auth_signature variable before being exfiltrated. This exfiltration process involves sending the stolen data to a command-and-control (C2) website, a technique known as Exfiltration Over C2 Channel (T1041). The Union Crypto Trader and Celas LLC employ XOR values that are 16 bytes in length. The use of these XOR values is likely part of the malware's strategy to obfuscate its activities and evade detection. In summary, Union Crypto Trader represents a significant threat to users of the targeted cryptocurrency applications due to its ability to steal sensitive information, disrupt system operations, and potentially hold data for ransom.