Cybersecurity researchers have identified a new malware campaign that is targeting financial traders by impersonating the popular charting platform TradingView. Attackers have created a fraudulent website promoting an AI-powered trading assistant called TradingClaw, which, upon download and execution, installs the potent Needle Stealer malware. This sophisticated data-stealing tool is designed to silently pilfer sensitive financial information from infected devices.
The campaign leverages the trust associated with TradingView, a widely recognized platform used by retail traders, analysts, and investors for market analysis. The fake website, operating under the domain tradingclaw[.]pro, closely mimics the legitimate appearance of AI-driven trading solutions. This exploitation of both user curiosity for financial tools and the current hype surrounding artificial intelligence in trading highlights the evolving tactics of cybercriminals. The attackers are adept at disguising their malicious intent within seemingly beneficial software.
Malwarebytes researchers discovered this campaign during routine threat intelligence gathering. They noted that the operators are using a previously documented malware loader, now repurposed to deliver the more advanced Needle Stealer payload. This modular approach allows attackers to update their tactics and tools without necessarily altering the initial infection vector, making their operations more resilient and harder to track.
The threat posed by Needle Stealer is significant for individuals engaged in online trading, particularly in the cryptocurrency space. According to Malwarebytes, the malware is capable of extracting sensitive data such as browser cookies, saved passwords, active login sessions, and crucially, cryptocurrency wallet credentials. Furthermore, it can deploy malicious browser extensions that grant attackers persistent access to a victim’s browsing activity, potentially leading to the complete compromise of financial accounts and the emptying of crypto wallets.
To evade detection by security software and search engine crawlers, the fake TradingClaw website employs a sophisticated filtering mechanism. When accessed by automated security tools or search engines, the site redirects to an unrelated, harmless webpage. This selective content delivery ensures that the malicious activity remains hidden from broad scrutiny, allowing the campaign to persist for longer periods by remaining undetected within security scans.
How the Infection and Needle Stealer Work
The infection process begins when a user visits the fake TradingClaw website and is prompted to download a ZIP archive. This archive contains the initial stage of the malware, which abuses a weakness in how Windows programs locate their libraries, a technique known as DLL hijacking. The attacker places malicious code in a library file bearing the name of a legitimate DLL that a trusted Windows program is expected to load. When the legitimate program executes, it inadvertently loads the malicious DLL instead, allowing the malware to run without the user noticing.
In this specific campaign, the attackers are abusing RegAsm.exe, a legitimate .NET Framework component used for registering assemblies. The initial executable within the downloaded archive prompts a second-stage DLL to run. This DLL then employs a technique called process hollowing to inject the Needle Stealer malware directly into the memory space of the RegAsm.exe process. By hiding within a legitimate system process, the malware significantly reduces its chances of being flagged as suspicious by security software.
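As an added example (not code from the article or from Malwarebytes), the following Python triage routine runs over constructed Sysmon-style events and shows the two detection opportunities in the chain just described: an unsigned DLL loaded from beside its launcher in a user-writable folder (the DLL-hijacking stage) and RegAsm.exe spawned by that launcher with no assembly to register (the hollowed host process). The event layout, file paths and rule heuristics are assumptions, not indicators from the campaign.

```python
import re

# Constructed events in a Sysmon-like shape: EventID 1 = process creation,
# EventID 7 = image (DLL) load. None of these values come from the article.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\TradingClaw\TradingClaw.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "TradingClaw.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\TradingClaw\TradingClaw.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\TradingClaw\version.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\alice\Downloads\TradingClaw\TradingClaw.exe",
     "CommandLine": "RegAsm.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": 'RegAsm.exe /codebase "C:\\build\\MyLib.dll"'},
]

# Locations an ordinary user can write to; a developer tool should not live here.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp)\\", re.I)


def flag_regasm_spawn(ev):
    """Heuristic: RegAsm.exe started by a binary in a user-writable folder, or with
    no assembly argument at all (a hollowed host has no real registration to do)."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\regasm.exe"):
        return None
    reasons = []
    if USER_WRITABLE.search(ev["ParentImage"]):
        reasons.append("RegAsm.exe spawned from user-writable path " + ev["ParentImage"])
    if len(ev["CommandLine"].split(None, 1)) < 2:   # only the executable name, nothing to register
        reasons.append("RegAsm.exe launched without an assembly argument")
    return reasons or None


def flag_sideload(ev):
    """Heuristic: unsigned DLL loaded from the same user-writable directory as the
    executable loading it, the classic DLL-hijacking / side-loading layout."""
    if ev.get("EventID") != 7:
        return None
    dll = ev["ImageLoaded"]
    same_dir = dll.rsplit("\\", 1)[0].lower() == ev["Image"].rsplit("\\", 1)[0].lower()
    if ev.get("Signed", "true").lower() == "false" and USER_WRITABLE.search(dll) and same_dir:
        return ["unsigned DLL %s loaded beside %s" % (dll, ev["Image"])]
    return None


def triage(events):
    """Run every rule over every event and return the list of human-readable findings."""
    findings = []
    for ev in events:
        for rule in (flag_regasm_spawn, flag_sideload):
            findings.extend(rule(ev) or [])
    return findings
```

Running `triage(EVENTS)` yields three findings: the side-loaded version.dll and two reasons for the RegAsm.exe launch, while the developer-tool launch with a real assembly path is left alone.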
Needle Stealer itself is developed in Golang and features a modular design, allowing attackers to customize its capabilities based on their objectives. Its core functionalities include capturing screenshots, exfiltrating browser data, extracting information from applications like Telegram and FTP clients, and collecting text files and cryptocurrency wallet data. This comprehensive data harvesting capability makes it a significant threat to user privacy and financial security.
A separate module within Needle Stealer is responsible for deploying a malicious browser extension. This add-on connects to a remote command-and-control server, tracks infected users with unique identifiers, intercepts web traffic, and can even replace legitimate file downloads with malicious alternatives. The malware also includes specific components designed to target desktop and browser-based cryptocurrency wallets. These include a desktop wallet spoofer that targets applications like Ledger and Exodus, and a browser wallet spoofer that focuses on MetaMask and Coinbase, with capabilities to steal seed phrases.
Users who engage in online trading or manage cryptocurrency assets are strongly advised to exercise extreme caution when downloading software, especially from unofficial sources, regardless of how convincing the website may appear. It is imperative to verify the authenticity of any software through official developer channels. Maintaining up-to-date endpoint security solutions is crucial, as is maintaining a healthy skepticism towards any platform that claims AI-enhanced trading capabilities without a verifiable track record and transparent operation.