2-in-1 Malware found skimming data from users


Kalasag CERT, a Computer Security Incident Response Team (CSIRT), said on its website that malware that steals personal data is present on a lending company’s page and targets Filipino users.

The company is a moneylender that provides instant loans with good interest rates, which makes it attractive to Filipinos. To apply, however, the user needs to register with a name, personal email addresses, contact information, date of birth, company name, gross income, billing file, pay dates, a scanned government or company ID, and other details. This information could be used to steal the user’s identity or, worse, be sold online for other malicious uses.

Kalasag CERT said that the group discovered this data skimming campaign on April 30, 2019, but that it has more likely been active since February 14 of this year, as it was last modified on that date.

The culprit is a small piece of JavaScript that steals users’ details by encrypting them and sending them to the attackers. The malware also sends its current status to the attackers. When executed, it scans all forms within the page, extracts all the information, encrypts the data, and then sends it to the attacker’s computer via HTTP GET, a request method used to transfer data.
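The behaviour described above (form contents encrypted and sent out in an HTTP GET) leaves a trace that can be searched for in web proxy logs. The following detection sketch is an added example, not code from Kalasag CERT or from the malware; the log record layout, the hostnames, the sample data and the thresholds are all assumptions.

```python
import base64, hashlib, math
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed stand-in for an encrypted form dump: 96 pseudo-random bytes -> 128 chars.
BLOB = base64.urlsafe_b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))).decode()

# Constructed proxy records (method, URL, Referer); every host is a placeholder.
PAGE = "https://lender.example/apply"
SAMPLE_LOG = [
    ("GET", "https://lender.example/apply?step=2", PAGE),             # same host
    ("GET", "https://cdn.example/lib.js?v=1.2.3", PAGE),               # short value
    ("GET", "https://tracker.example/p.gif?pad=" + "a" * 100, PAGE),   # long, low entropy
    ("POST", "https://lender.example/api/submit", PAGE),               # normal form post
    ("GET", "https://collector.example/s.gif?d=" + BLOB, PAGE),        # skimmer-like
]

def shannon_entropy(text):
    """Bits per character; encrypted or encoded blobs score high."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def suspicious_gets(records, min_len=64, min_entropy=4.5):
    """Flag cross-host GETs whose query carries a long, high-entropy value."""
    hits = []
    for method, url, referer in records:
        target, origin = urlsplit(url), urlsplit(referer)
        if method != "GET" or target.hostname == origin.hostname:
            continue  # only GETs that leave the referring page's host
        for name, value in parse_qsl(target.query):
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                hits.append((origin.hostname, target.hostname, name, len(value)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_gets(SAMPLE_LOG):
        print("possible form-data exfiltration:", hit)
```

Legitimate analytics beacons can also carry long encoded parameters, so hits are leads for review against the list of third parties the site is expected to call, and the thresholds need tuning per environment.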

But it does not end there. Christian Angel of Kalasag CERT said that the victims were also forced to mine cryptocurrencies. This attack is called cryptojacking: hackers use the resources of the victim’s computer to mine cryptocurrencies without the victim’s knowledge, as the miner works in the background while the victims use their computers normally. The only sign of infection they might notice is the slow performance of their computers, as the malware uses their resources extensively.

This incident has been reported to the company, but as of this writing Kalasag CERT is still waiting for a response.

The NPC was informed about this incident before Kalasag CERT posted about it on its website.