We Play Coins

Saefko: The crypto targeting trojan

Saefko: The crypto targeting trojan
By We Play Coins
Added on Aug 10, 2019

The Zscaler ThreatLabZ team reported a RAT or remote-access trojan that targets crypto users. Called Saefko, the crypto targeting trojan is available for purchase on the Dark Web.

In a recent blog post, the Zscaler ThreatLabZ team explained the way that Saefko works. They detailed the things that it looks for and how it can be protected against.

Zscaler ThreatLabZ is an enterprise internet security company that offers services in the cloud, IoT and corporate networking sectors. Their team has recently uncovered a RAT that targets cryptocurrency users.

The Report

The Zscaler ThreatLabZ team described the way the RAT worked. It would scan a users browser history to search for anything important. In particular it would scan for any cryptocurrency related activities.

It goes without saying that crypto users access their wallets via the browser. Their login details and other important information can be accessed with the right tools. The hacker would only need to find out what the password hash is to gain access to the cryptocurrency wallet. With Saefko, the crypto targeting trojan, things will only get tougher.

Crypto Hacking

There have been a rash of crypto related hacking issues in the past few months. Many companies have had to reimburse users who had lost tokens in the hack.

The most recent one was the hack of the Binance KYC documents. While it wasn’t a direct hack of the crypto, KYC information is a powerful tool in the hands of a skilled hacker.

The hacks in 2019 alone –

  • Singapore-based cryptocurrency exchange Bitrue –  $5 Million Loss
  • United Kingdom and Slovenia-based crypto exchange GateHub – $10 Million Loss
  • Bitpoint Japan exchange – $32 Million Loss
  • Japanese cryptocurrency exchange Coincheck – $530 Million Loss
  • Binance Exchange – $40 Million Loss

Most of the Hacks were not directly related to the crypto companies. They targeted weak customer passwords or users that did not enable security features like 2FA. The most common type of hack is on hot wallets.

How the RAT works

A RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system’s webcam, taking screenshots, formatting drives, and more.

Upon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It fetches the chrome browser history looking for specific types of activities, such as those involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the data it has collected to its command-and-control (C&C) server and requests for further instructions. The C&C instructs the malware to provide system information and the RAT will begin to collect a range of data including screenshots, videos, keystroke logs and more. The C&C can also instruct the malware to download additional payload onto the infected system.

RATs present a unique business threat. They have the ability to steal a lot of data without being detected and spread to other systems across the network. The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat.


Protect yourself from RAT treats by not allowing downloads from sites you don’t trust. Do not install software that you do not know. Also, if you have access to an admin, secure your ports and connections to the internet.

Crypto user hacking is a million dollar industry on the dark web. If you have any crypto remember to enable every security feature available, especially 2 factor authentication. Most crypto exchanges have a security document. We recommend that you check it out!