New Trojan.Scavenger Malware Family Exploits DLL Hijacking to Steal Cryptocurrency and Passwords

CyberSecureFox 🦊

Cybersecurity researchers at Dr. Web have identified a sophisticated new malware family called Trojan.Scavenger that specifically targets cryptocurrency wallets and password managers on Windows systems. This advanced threat leverages DLL Search Order Hijacking vulnerabilities through legitimate applications to steal sensitive financial data from unsuspecting users.

Understanding DLL Search Order Hijacking Attack Methodology

The malware exploits a fundamental characteristic of Windows operating systems related to dynamic link library (DLL) loading. When applications launch, Windows searches for required DLL files following a predetermined sequence across various directories. Cybercriminals strategically place malicious DLL files in high-priority search locations, naming them identically to legitimate system libraries.

Because the planted file is found first, the malicious code is loaded in place of the genuine library and runs inside the trusted application's process. Security experts note that similar DLL hijacking methods were previously used in 2024 for targeted attacks against Russian freight railway operators through Yandex Browser vulnerabilities.
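A defender-side check for the technique described above, added here as an example and not taken from the Dr.Web report: walk an application directory (a game folder, say) and flag any DLL whose name collides with a library Windows normally resolves from System32. The set of system DLL names and the demo folder are constructed for illustration; on a real Windows host you would build the set from the actual System32 listing, as the helper load_system_dll_names shows.

```python
"""Find DLLs in an application directory that shadow Windows system libraries.

Added example (not from the Dr.Web report). DLL search order hijacking plants a
DLL whose name matches a System32 library into a directory that Windows searches
first, typically the application's own folder. This script reports such
collisions. KNOWN_SYSTEM_DLLS is a constructed sample set; use
load_system_dll_names() on a real host.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed sample of names normally resolved from System32. The two names
# the article mentions (umpdc.dll, profapi.dll) are included.
KNOWN_SYSTEM_DLLS = {
    "umpdc.dll", "profapi.dll", "version.dll", "dbghelp.dll",
    "cryptbase.dll", "wtsapi32.dll", "uxtheme.dll",
}


@dataclass(frozen=True)
class ShadowingDll:
    path: str      # full path of the suspicious file
    name: str      # lower-cased file name that collides with a system DLL
    sha256: str    # hash, useful for looking the file up or sharing an IoC


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(app_dir: str, system_dlls=KNOWN_SYSTEM_DLLS):
    """Return every file under app_dir whose name (case-insensitive) is a system DLL name."""
    hits = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.lower() in system_dlls:
                full = os.path.join(root, name)
                hits.append(ShadowingDll(full, name.lower(), sha256_of(full)))
    return sorted(hits, key=lambda h: h.path)


def load_system_dll_names(system32=r"C:\Windows\System32"):
    """On a Windows host, replace the constructed set with the real System32 listing."""
    return {n.lower() for n in os.listdir(system32) if n.lower().endswith(".dll")}


def build_demo_tree(base: str) -> None:
    """Construct a fake game folder: one benign DLL and one that shadows umpdc.dll."""
    game = os.path.join(base, "Oblivion Remastered")
    os.makedirs(os.path.join(game, "plugins"), exist_ok=True)
    with open(os.path.join(game, "game_engine.dll"), "wb") as f:
        f.write(b"MZ benign engine library (constructed)")
    # Mixed case on purpose: the Windows loader matches names case-insensitively.
    with open(os.path.join(game, "UMPDC.dll"), "wb") as f:
        f.write(b"MZ shadowing library (constructed)")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for hit in find_shadowing_dlls(tmp):
            print(f"SUSPICIOUS {hit.name} at {hit.path} sha256={hit.sha256}")
```

A hit is not proof of compromise on its own (some applications legitimately ship a private copy of a system DLL), so the hash is included to let you compare the file against the copy in System32 or a vendor-signed build before acting.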

Multi-Stage Infection Chain and Distribution Methods

Initial Compromise Through Gaming Content

Security analysts have identified two primary infection vectors for this malware campaign. The first involves Trojan.Scavenger.1, a malicious DLL file distributed through torrent trackers and gaming websites disguised as pirated games, patches, cheats, and modifications.

A particularly notable example involves masquerading as an Oblivion Remastered game patch. Attackers provide detailed instructions convincing victims to place the umpdc.dll file in their game directory, claiming it enhances performance. The filename selection is deliberate, as a legitimate library with this name exists in Windows system folders.

Progressive Component Loading Architecture

Upon successful execution, the initial stage downloads the next component, Trojan.Scavenger.2, from a remote command-and-control server; that component in turn installs the modules Trojan.Scavenger.3 and Trojan.Scavenger.4. Each component serves a specialized function targeting a different software category.

Target Applications and Data Theft Mechanisms

Chromium Browser Exploitation

Trojan.Scavenger.3 focuses on Chromium-based browsers including Google Chrome, Microsoft Edge, Yandex Browser, and Opera. After successful injection, the trojan disables browser protection mechanisms, including the sandbox that isolates JavaScript code execution.

The malware deactivates extension verification by locating the corresponding functions within the Chromium libraries and patching them. Most critically, it modifies installed cryptocurrency wallet extensions including Phantom, Slush, and MetaMask, along with the password managers Bitwarden and LastPass. The trojan writes modified copies to the %TEMP%/ServiceWorkerCache directory and intercepts system functions so that path lookups for the original files are redirected to the modified copies.
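One way a defender can notice the kind of on-disk extension tampering described above, added here as an example and not code from the report or from any of the named products: record a hash baseline of every file in an extension directory at install time and compare against it later, reporting files that were added, removed or changed. The extension layout and contents below are constructed for the demo; the real location is the browser profile's Extensions folder, and the baseline should be stored somewhere the browser process cannot write.

```python
"""Baseline-and-compare integrity check for a browser extension directory.

Added example (not from the Dr.Web report). Records sha256 of every file under
an extension folder and later reports drift. The demo extension and the
tampering applied to it are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map relative path -> sha256 hex digest for every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                result[rel] = hashlib.sha256(f.read()).hexdigest()
    return result


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def build_demo_extension(base: str) -> None:
    """Construct a minimal extension: a manifest and one script."""
    os.makedirs(os.path.join(base, "js"), exist_ok=True)
    manifest = {"name": "demo-wallet", "version": "1.0.0", "manifest_version": 3}
    with open(os.path.join(base, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(base, "js", "background.js"), "w", encoding="utf-8") as f:
        f.write("// constructed benign script\n")


def tamper_demo_extension(base: str) -> None:
    """Constructed tampering: change an existing script and drop a new one."""
    with open(os.path.join(base, "js", "background.js"), "a", encoding="utf-8") as f:
        f.write("// constructed appended line\n")
    with open(os.path.join(base, "js", "injected.js"), "w", encoding="utf-8") as f:
        f.write("// constructed added file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ext = os.path.join(tmp, "ext")
        build_demo_extension(ext)
        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(hash_tree(ext), baseline_file)
        tamper_demo_extension(ext)
        print(json.dumps(compare_to_baseline(load_baseline(baseline_file), hash_tree(ext)), indent=2))
```

Any entry in "modified" or "added" for a wallet or password-manager extension that did not coincide with a legitimate update is worth treating as a potential compromise of the browser profile.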

Targeted Exodus Wallet Attack

Trojan.Scavenger.4 exclusively targets the Exodus cryptocurrency wallet application. Disguised as the legitimate profapi.dll system library, this component intercepts V8 JavaScript engine functions and monitors application JSON data streams.

The malware specifically searches for “passphrase” keys within JSON structures to obtain user mnemonic phrases, then extracts the private seed.seco key. This combination provides complete access to victims’ cryptocurrency wallets and stored digital assets.

Advanced Evasion Techniques and Communication Protocols

All Trojan.Scavenger components incorporate sophisticated anti-detection mechanisms. The malware performs environment checks to identify virtual machines or debugging modes, terminating execution when artificial analysis environments are detected.

The unified command-server communication scheme deserves particular attention: it features a two-stage process for creating and verifying the encryption key, using timestamps as input. This approach significantly complicates network traffic analysis and helps the malware evade detection by security monitoring systems.

The emergence of complex threats like Trojan.Scavenger underscores the critical importance of maintaining updated software, deploying current antivirus solutions, and exercising caution when downloading content from unofficial sources. Cryptocurrency users should prioritize hardware wallets and implement two-factor authentication to maximize protection of their digital assets against these evolving cyber threats.
