Scam spoofs Binance website and uses TRUMP coin as lure for malware
Hackers are spreading a malicious remote access tool through an email campaign that targets people interested in buying President Donald Trump’s cryptocurrency through the Binance platform.
The emails are made to look like they come from Binance — currently the largest cryptocurrency platform in the world — and offer the ability to earn TRUMP coins through various actions like installing Binance software, registering an account on the platform and depositing funds.
Trump announced the coin ahead of his inauguration in January and companies tied to the president allegedly earned millions from it, raising severe concerns of corruption by ethics experts and even cryptocurrency advocates.
Cybersecurity researchers at Cofense told Recorded Future News that they are unsure of who is behind the recent campaign, which allows the hackers to steal information from infected computers.
The researchers said that if victims follow the instructions in the email and hit the download link to get the TRUMP coins, they instead install a malicious version of a remote access tool known as ConnectWise. They added that the threat actors “are eagerly monitoring infections and can connect to infected computers in under 2 minutes.”
Max Gannon, Intelligence Manager at Cofense, said the company has seen a wide variety of threat actors abuse ConnectWise recently.
“Some campaigns have been spoofing LinkedIn, others Binance, Virtru, and even the United States Social Security Administration. Part of the reason it has likely become so popular recently is that it has a lot of features and is free to use and easy to set up,” he said.
“Moreover, because it is technically legitimate, there are a large number of files that it uses which cannot simply be blocked, because they are also used by legitimate installations of ConnectWise RAT,” Cofense’s name for the malicious version.
The emails take multiple steps to impersonate Binance, using the name of the company in the sender’s name and even including a “risk warning” in an effort to make the emails look legitimate.
The fake website that greets victims is also painstakingly designed to look legitimate, using real images from the Binance and TRUMP coin websites.
The download link on the site downloads the installer for the malicious version of ConnectWise instead of Binance’s desktop platform.
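Added example, not code from the article or from Cofense: a defender-side check for the two impersonation signals described above, a brand name in the sender's display name that does not match the From domain, and a download link that points somewhere other than the brand's own domain. The brand allow-list and the sample message are constructed for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of legitimate domains per impersonated brand (illustrative).
BRAND_DOMAINS = {"binance": {"binance.com"}}

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_brand_domain(host: str, allowed: set) -> bool:
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_message(raw: bytes) -> list:
    """Return findings for a raw RFC 822 message; empty list means no signal."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in name.lower():
            continue  # display name does not claim this brand
        dom = sender_domain(addr)
        if not in_brand_domain(dom, allowed):
            findings.append(f"display name claims {brand} but From domain is {dom!r}")
        body = msg.get_body(preferencelist=("plain", "html"))
        text = body.get_content() if body else ""
        for url in LINK_RE.findall(text):
            host = urlparse(url).hostname or ""
            if not in_brand_domain(host, allowed):
                findings.append(f"link to non-{brand} host {host!r}")
    return findings


# Constructed sample shaped like the lure described in the article.
SAMPLE = b"""From: Binance <promo@example-invalid.test>
To: user@example.com
Subject: Earn TRUMP coins
Content-Type: text/plain

Risk warning: crypto assets are volatile.
Install the desktop app: https://download.example-invalid.test/setup.exe
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("ALERT:", finding)
```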
“Shortly after checking in, the threat actor takes remote control of any infected computers. This is in contrast to most ConnectWise RAT installations where the threat actor will only decide to interact with an infected host after some time has passed,” Cofense explained.
“After a threat actor has connected, they will target saved passwords for applications such as Microsoft Edge, making up for ConnectWise RAT’s relative lack of information theft capabilities.”
Gannon said that, due to its simplicity, ConnectWise RAT can be used by threat actors of varying skill levels — from people who really don’t know what they are doing all the way up to advanced persistent threat (APT) groups trying to disguise their activities.
Cofense has released multiple reports this year on various phishing campaigns deploying ConnectWise RAT.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.