In the first part we covered the most important behavior of the crypto trading script and the conditions under which it charges 10 percent of your crypto balance. Now we will look at some specifics of the script and a few interesting characteristics.
Who might be the intended target?
Well, most probably anyone using the Coinbase platform. The article was in English and Russian, so that won't help us much. It was on a wordpress.com blog without any specific ads and with no premium position in Google search. Actually, you have to search for specific keywords to be offered this blog post. Based on the information in the article, the person who decides to download and run this script needs to have some level of admin skills, but has to be stupid enough to run the script without code analysis. That gives us the following victim profile:
- Wealthy person with passion for crypto
- Motivated to trade automatically on Coinbase
- Thoroughly searching for a similar solution
- Advanced admin skills and ability to understand the script parameters
- Reluctance to analyze the python code
Are there such people?
Well, I don't know. But if you satisfied all those requirements, you might have found the script at this URL:
http://www.mediafire.com/file/izz7hnd8m4wix4s/GDAX_trading.zip
But don't worry, it is not available any more. I have to appreciate the reaction of MediaFire when I reported this file. I still have a copy, so if you are interested just drop me an email. And don't expect to use the script to get rich. I have waited with this post for some time, and Coinbase has implemented some countermeasures that prevent successful script execution ;-)
There is one more interesting point I would like to cover, and that is the script's EULA.
The EULA
Yes, you are reading that correctly. This crypto trading script that takes your money has an EULA! And a very interesting one. First of all, it is in Russian. Next, it mentions Kaspersky. I am not sure whether it is just a copy of an existing license agreement or whether the Kaspersky name was used intentionally to create a false sense of security.
And then in point 3.12 you can read (thanks to Google Translate) that: "By using this software, we can charge you with 10 percent of the invested cryptocurrency"
Hmm, that is interesting. And to run the script you have to accept the EULA each time - mandatory parameter A. So you actually agree that you might be charged. I am not a lawyer and each country has different laws, but in my humble opinion this might be considered legitimate. And that leads us to the title. Can we consider it a crypto stealer or not? Can we consider it malware? Maybe yes. And maybe it is just a paid trading script (even though the conditions might be specified precisely).
Please share your thoughts with me, or read the loose sequel to this article series, "Malware or not".
Excerpt of the EULA
1. Definitions
1.1. Software - means the software, accompanying materials, and updates described in the User Manual, the Rightholder of which is ZAO "Kaspersky Lab".
1.2. Rightholder (holder of the exclusive right to the Software) - ZAO.
1.3. Computer - the equipment on which the Software is intended to operate, on which the Software is installed and/or on which the Software is used.
...
3.12. For the use of this software, we may charge you 10 percent of the invested cryptocurrency