Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Crypto Wallet. Show all posts

ZKP Emerged as the "Must-Have" Component of Blockchain Security.

 

Zero-knowledge proof (ZKP) has emerged as a critical security component in Web3 and blockchain because it ensures data integrity and increases privacy. It accomplishes this by allowing verification without exposing data. ZKP is employed on cryptocurrency exchanges to validate transaction volumes or values while safeguarding the user's personal information.

In addition to ensuring privacy, it protects against fraud. Zero-knowledge cryptography, a class of algorithms that includes ZKP, enables complex interactions and strengthens blockchain security. Data is safeguarded from unauthorised access and modification while it moves through decentralised networks. 

Blockchain users are frequently asked to certify that they have sufficient funds to execute a transaction, but they may not necessarily want to disclose their whole amount. ZKP can verify that users meet the necessary standards during KYC processes on cryptocurrency exchanges without requiring users to share their paperwork. Building on this, Holonym offered Human Keys to ensure security and privacy in Zero Trust situations. 

Each person is given a unique key that they can use to unlock their security and privacy rights. It strengthens individual rights through robust decentralised protocols and configurable privacy. The privacy-preserving principle applies to several elements of Web3 data security. ZKP involves complex cryptographic validations, and any effort to change the data invalidates the proof. 

Trustless data processing eases smart contract developer work 

Smart contract developers are now working with their hands tied, limited to self-referential opcodes that cannot provide the information required to assess blockchain activities. To that end, the Space and Time platform's emphasis on enabling trustless, multichain data processing and strengthening smart contracts is worth mentioning, since it ultimately simplifies developers' work. 

Their SXT Chain, a ZKP data blockchain, is now live on testnet. It combines decentralised data storage and blockchain verification. Conventional blockchains are focused on transactions, however SXT Chain allows for advanced data querying and analysis while preserving data integrity through blockchain technology.

The flagship DeFi generation introduced yield farming and platforms like Aave and Uniswap. The new one includes tokenized real-world assets, blockchain lending with dynamic interest rates, cross-chain derivatives, and increasingly complicated financial products. 

To unlock Web3 use cases, a crypto-native, trustless query engine is required, which allows for more advanced DeFi by providing smart contracts with the necessary context. Space and Time is helping to offer one by extending on Chainlink's aggregated data points with a SQL database, allowing smart contract authors to execute SQL processing on any part of Ethereum's history. 

Effective and fair regulatory model 

ZKP allows for selective disclosure, in which just the information that regulators require is revealed. Web3 projects comply with KYC and AML rules while protecting user privacy. ZKP even opens up the possibility of a tiered regulation mechanism based on existing privacy models. Observers can examine the ledger for unusual variations and report any suspect accounts or transactions to higher-level regulators. 

Higher-level regulators reveal particular transaction data. The process is supported by zero-knowledge SNARKs (Succinct Non-interactive Arguments of Knowledge) and attribute-based encryption. These techniques use ZKP to ensure consistency between transaction and regulatory information, preventing the use of fake information to escape monitoring. 

Additionally, ZK solutions let users withdraw funds in a matter of minutes, whereas optimistic rollups take approximately a week to finalise transactions and process withdrawals.

Webflow Sites Employed to Trick Users Into Sharing Login Details

 

Security experts have warned of an upsurge in phishing pages built with Webflow, a website builder tool, as attackers continue to use legitimate services such as Microsoft Sway and Cloudflare. 

The malicious campaign targets login credentials for multiple corporate webmail services, Microsoft 365 login credentials, and sensitive data from cryptocurrency wallets like Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.

According to the researchers, between April and September 2024, the number of visitors to Webflow-created phishing pages jumped tenfold, and the attacks targeted over 120 organisations worldwide. The majority of the people targeted work in the banking, technology, and financial services industries in North America and Asia.

Attackers have utilised Webflow to create standalone phishing pages as well as to redirect unsuspecting users to additional phishing pages under their control. Because there are no phishing lines of code to write and identify, the former provides attackers with convenience and stealth, but the latter allows them to carry out more complex activities as required. 

Webflow is far more appealing than Cloudflare R2 or Microsoft Sway since it allows clients to create custom subdomains for free, as opposed to auto-generated random alphanumeric subdomains, which are likely to raise suspicion.

To increase the chances of success, phishing sites are designed to resemble the login pages of their legitimate counterparts. This method is used to deceive users into disclosing their credentials, which are subsequently at times exfiltrated to another server. 

Security experts have also discovered Webflow cryptocurrency phoney websites that use screenshots of genuine wallet homepages as their landing pages. When a visitor clicks anywhere on the fake website, they are taken to the real scam site. The final goal of a crypto-phishing campaign is to gain the victim's seed phrases, allowing the attackers to take over cryptocurrency wallets and pilfer funds. 

When users enter the recovery phrase in one of the assaults identified by the cybersecurity firm, they are presented with an error message saying that their account has been suspended due to "unauthorised activity and identification failure." Additionally, the message directs the user to start an online chat session on Tawk.to to contact their support personnel. 

It is worth noting that Avast's CryptoCore fraud operation exploited chat services such as LiveChat, Tawk.to, and Smartsupp. Instead of using search engines or clicking on other links, users should always enter the URL into their web browser to access important pages like their webmail or banking portal.

SpyAgent Malware Uses OCR Tech to Attack Crypto Wallets

SpyAgent Malware Uses OCR Tech to Attack Crypto Wallets

Malware Using OCR to Steal Crypto Keys

Cybersecurity experts have found a new malware threat that lures users into downloading a malicious app to grow. An advanced malware strain campaign has surfaced from North Korea, it attacks cryptocurrency wallets by exploiting the mnemonic keys of the users. McAfee researcher SangRyo found the malware after tracking stolen data from malicious apps for breaking servers and gaining access. 

The working of SpyAgent

The malware is called SpyAgent, and it targets cryptocurrency enthusiasts. What makes this malware unique is its ability to use OCR technology for scanning images, it leverages Optical Character Recognition (OCR) technology to steal mnemonic keys stored in the images of infected devices. Hackers use these mnemonic keys to gain unauthorized entry into digital assets. 

These keys are twelve-word phrases used for recovering cryptocurrency wallets. There has been a rise in the use of mnemonic phrases for crypto wallet security because they are easy to remember if compared to a long strain of random characters. 

Spy Agent pretends to be a legitimate application, such as banking, streaming, government services, or utility software. McAfee has discovered over 280 fake applications.

Distribution of SpyAgent

When a victim downloads a malicious app containing SpyAgent, the malware builds a command and control  (C2 )server that allows threat actors to launch remote commands. Later, the attacker extracts contact lists, text messages, and stored images from the compromised device. 

“Due to the server’s misconfiguration, not only were its internal components unintentionally exposed, but the sensitive personal data of victims, which had been compromised, also became publicly accessible. In the ‘uploads’ directory, individual folders were found, each containing photos collected from the victims, highlighting the severity of the data breach,” the report says.

Reach of SpyAgent

SpyAgent has been found working in Korea, but its range has widened to other countries as well. The malware is capable of disguising itself as a legitimate application, which makes it dangerous. SpyAgent has recently expanded to the United Kingdom. 

It has also moved from simple HTTP requests to web socket connections, allowing real-time two-way communication with the C2 server. It escapes security researchers via techniques like function remaining and string encoding. 

The McAfee report recommends “users to be cautious about their actions, like installing apps and granting permissions. It is advisable to keep important information securely stored and isolated from devices. Security software has become not just a recommendation but a necessity for protecting devices.”

Notorious Lazarus Hacking Outfit Linked to a $60 Million Alphapo Crypto Theft

 

The latest attack on payment processing site Alphapo, in which the attackers stole over $60 million in cryptocurrency, is attributed by blockchain researchers to the North Korean Lazarus hacker gang.

The hack on Sunday, July 23rd, targeted Alphapo, a centralised cryptocurrency payment provider for gaming websites, e-commerce subscription services, and other online platforms. The initial sum stolen is thought to have been $23 million. Over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, and 1,700 DAI were stolen from hot wallets, most likely as a result of a private key leak. The total cash taken from Alphapo has already reached $60,000,000, according to data from Dune Analytics, which was also spotted by renowned crypto chain investigator "ZackXBT" earlier this week. 

Furthermore, ZackXBT claimed that the heist looks to have elements of a Lazarus attack and supported the claim by stating that Lazarus leaves "a very distinct fingerprint on-chain," but no additional information was provided. 

The $35 million Atomic Wallet theft, the $100 million Harmony Horizon hack, and the $617 million Axie Infinity theft were all attributed to the North Korean threat actor known as The Lazarus Group, which has ties to the North Korean government. 

Typically, Lazarus employs fake job offers to tempt employees of crypto companies to open malicious files, compromise their devices, and steal their login information.

This opens up a potential attack route into the victim's employer's network, where they can gain access without authorization and meticulously plan and carry out expensive attacks. 

Laundering attempts were made through Bitget, Bybit, and other services, according to analysts monitoring the flow of stolen money to cryptocurrency exchanges. Lazarus is also renowned for utilising specialised services for mixing small amounts of cryptocurrencies. 

The attackers probably took the private keys that gave them access to the wallets, Dave Schwed, COO of the blockchain security firm Halborn, stated.

"While we lack specifics, it seems that the alleged "hack" likely pertains to the theft of private keys. This inference comes from observing the movement of funds from independent hot wallets and the sudden halting of trading," he explained. "Moreover, the subsequent transactions have led ZachXBT, a renowned "on-chain sleuth", to surmise that North Korea's notorious Lazarus group is the perpetrator of this attack. Given their history of similar exploits, I find myself agreeing with this theory."

This New macOS Info-stealer in Town is Targeting Crypto Wallets

 

A new info-stealer malware has been identified, designed to steal a wide range of personal data, comprising local files, cookies, financial information, and passwords stored in macOS browsers. It's called Atomic macOS Stealer (aka AMOS, or simply Atomic), and its developer is constantly adding new capabilities to it. 

The most recent update was issued on April 25. According to the Cyble research team, Atomic is available on a private Telegram channel for a $1,000 monthly fee. A DMG installer file, a cryptocurrency checker, the brute-forcing program MetaMask, and a web panel to oversee assault campaigns are all provided to the customer.

The malicious DMG file is designed to avoid detection and has been identified as malware by only one (out of 59) AV engines on VirusTotal. When the victim runs this DMG file, it displays a password prompt disguised as a macOS system notice, encouraging the user to input the system password.

After getting the system password, it attempts to steal passwords stored in the default password management tool Keychain. This includes WiFi passwords, credit card information, site logins, and other critical information. Atomic is built with a variety of data-theft features, allowing its operators to target various browsers and crypto wallets, among other things.

It checks the system for installed applications in order to steal information from it. Cryptocurrency wallets (Binance, Electrum, Atomic, and Exodus) and web browsers (Google Chrome, Microsoft Edge, Firefox, Opera, Yandex, and Vivaldi) are among the programs targeted.

It also targets over 50 cryptocurrency wallet extensions, such as Coinbase, Yoroi, BinanceChain, Jaxx Liberty, and Guarda. Furthermore, it attempts to steal system information such as the Model name, RAM size, number of cores, serial number, UUID number, and others.

Atomic is another example of the growing number of cyber dangers threatening macOS. Researchers have already discovered two new threats, the RustBucket Malware and a new LockBit variation, indicating an interest in Apple's core operating system, which powers Mac computers.

As a result, it is past time for Mac users to recognise the growing threat and enhance their security posture.

Aurora Infostealer Malware Uses Shapeshifting Techniques

 

One of the most recent discoveries was the Aurora Stealer malware, which imitated popular applications in order to infect as many users as possible.

Cyble researchers discovered that threat actors are actively changing and customizing their phishing websites in order to target a wide range of well-known applications. Aurora is interested in data from web browsers and cryptocurrency wallets, among other things.

Aurora, the Shapeshifting Thief

Aurora has been marketed as a stealer on Telegram and darknet forums since late August 2022. Malware-as-a-service costs $250 per month or $1500 for a lifetime license.

Cyble Research and Intelligence Labs (CRIL) discovered a phishing website (hxxps[:]/messenger-download[.]top) claiming to be a website for a chat app on January 16th, 2023. The next day, the same webpage impersonated the official TeamViewer website.
 
According to the researchers' report, the malware file gathers system information using Windows Management Instrumentation (WMI) commands, including the operating system's name, the graphics card's name, and the processor's name.

Furthermore, the malware persists in collecting system information such as the username, Hardware Identification (HWID), RAM size, screen resolution, and IP address. Furthermore, the malware searches the installed directories for specific browser-related files saved in SQLite, such as Cookies, History, Login Data, and Web Data by scanning the directories of installed browsers on the victim's computer.

The stealer then continues to extract crypto wallet data by querying and reading files from specific directories. It also grabs information from cryptocurrency wallet browser extensions. As per researchers, over 100 extensions have been specifically targeted and hard coded into the stealer binary.

Other stealers, such as RedLine, Vidar, and RecordBreaker, have been found padding malware samples with unnecessary data in order to avoid detection, according to CSN.

You can immensely decrease your chances of becoming a victim by using multi-factor authentication and strong passwords whenever possible. Additionally, enable automatic software updates and educate employees on how to protect themselves against threats such as phishing and unsafe URLs.

Over 2.5 Billion Google Chrome Users' Information was Breached

 


It is no longer necessary for a person to commute to a physical location to find information about anything they are interested in. 

Currently, Google can be trusted to provide the most relevant information about anything and everything. Google has a wealth of information available at the click of a button. Data threat risk is also growing along with the acceptance of cloud services leading to the rise of data breaches. 

With billions of users, Google Chrome is gaining an increasing amount of popularity as one of the most popular web browsers. 

According to the cyber security firm Imperva Red, a vulnerability in Google Chrome and Chromium browsers could expose the data of over 2.5 billion users worldwide to the risk of theft or other harm. 

The company is reporting that a vulnerability known as CVE-2022-3656 can be exploited to steal private information, such as the login credentials of cloud providers and crypto wallets. An assessment of how the browser interacts with the file system found a vulnerability in the way the browser works with the file system. According to the blog, the purpose of this experiment was primarily to examine how browsers handle symlinks to find widespread issues. 

It should be noted that a symbolic link is a kind of file that points to a different file or directory, as defined by Imperva Red. A symlink can therefore be treated by the operating system as if it were a regular file or directory. This means that the operating system can access it as though it were physically present. A symlink could be useful if you want to create shortcuts, change the path of a file, or organize your files more flexibly according to the manual. 

There is also a possibility that these links could be exploited to expose vulnerabilities if not managed appropriately.  

The company stated that the flaw, which affected Google Chrome, could have been exploited by hacking and building a false website. This site promoted a newly launched service related to crypto wallets. A website that prompts people to download "recovery" keys might then appear to deceive them into creating a new wallet.   

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest update, usage instructions, and debate feature proposals on a private Telegram channel with over 500 members. Buyers can apparently use the Telegram Bot to assemble the binary automatically after choosing its desired feature set and paying the equivalent amount in cryptocurrency. The malware module is the most premium at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers. 

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module is $90 a year and includes features such as task manager invisibility, auto-restart once killed, and startup launch persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet credentials and replaces them with wallets controlled by the user. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drivers, lan shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors say it's FUD (completely undetectable), a claim supported by Virus Total data showing zero detections for the strain. Surprisingly, the ransomware module provides an option of setting a timer that, when reached, renders the files entirely unrecoverable. This adds to the victim's pressure to pay the ransom as soon as possible. 

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding visiting untrustworthy websites and email attachments are recommended best practices.

Critical Vulnerability Identified in Ever Surf Blockchain Wallet

 

A vulnerability identified in the browser version of the Ever Surf blockchain wallet could have allowed attackers full control over a victim’s wallet and subsequent funds, say threat analysts at Check Point Research. 

Available on Google Play and Apple iOS Store, Ever Surf is described as a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network. It currently has nearly 670,000 active accounts worldwide and claims it has facilitated at least 31.6 million transactions.

According to Check Point researchers, the web version of the Ever Surf blockchain wallet suffered from a relatively simple bug that allowed malicious actors to exfiltrate private keys and plant phrases stored in local browser storage. To do that, threat actors first needed to secure the encrypted keys of the wallet, which is usually done via malicious browser extensions, infostealer malware, or plain old phishing.

Subsequently, the bad actors could have used a simple script to perform decryption. The susceptibility made decryption possible in “just a couple of minutes, on consumer-grade hardware," the researchers stated. 

CPR reported the vulnerability to Ever Surf developers, who then published a desktop version that mitigates the flaw, the company said in a press release. The web version is now declared deprecated and should only be used for development purposes. Seed phrases from accounts that store real value in crypto should not be used in the web version of Ever Surf, the researchers warned. 

“Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product,” said Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software 

“When working with cryptocurrencies, you always need to be careful, ensure your device is free of malware, do not open suspicious links, and keep OS and antivirus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, phishing,” Chailytko added. 

To mitigate the risks, researchers recommended users not to follow suspicious links, particularly those sent from unknown sources, always keep their OS and antivirus software updated, and avoid downloading any software or browser extensions before verifying the identity of the source.

Beware of iCloud Phishing Attacks, MetaMask Warns Apple Users

 

ConsenSys-owned crypto wallet provider MetaMask is warning its community regarding possible phishing attacks via Apple’s iCloud service. In a Twitter thread posted on April 17, the company warned its customers that the encrypted passwords for their accounts, called MetaMask vaults, will be uploaded to Apple’s cloud service if the iCloud backup option is enabled on the app. 

 As a result, a phishing account that exploits a customer’s iCloud account will also compromise their passwords and hence their crypto wallets. This comes after an Apple user, who goes by “revive_dom” claimed on Twitter to have lost crypto assets worth $650,000 from his MetaMask crypto wallet. 

“This is how it happened. Got a phone call from Apple, literally from Apple (on my caller Id) Called it back because I suspected fraud and it was an Apple number. So, I believed them. They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped,” the user wrote in his thread. 

The phishing campaign involves certain default device settings in iPhones, iPads which see a user’s seed phrase or “password-encrypted MetaMask vault” stored on the iCloud if the user has enabled automatic backups for their application data. Metamask is an online crypto wallet that allows users to store their crypto assets such as Bitcoin, Ethereum, etc, as well as non-fungible-tokens (NFTs).

“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds,” the company tweeted. 

Serpent, the founder of a project called DAPE NFT, explained how the fraudsters stole from a victim. On April 15, the victim received multiple text messages asking to reset his Apple ID password along with a supposed call from Apple which was ultimately a spoofed caller ID.

During the call, the fraudsters said there was unusual activity on the victim’s Apple ID and asked for a one-time verification code. This is the six-digit verification code sent out to a user when they want to reset their Apple ID password or even login from a different laptop or iPhone, iPad, etc. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim's MetaMask.

 How to shut cloud backups?

Metamask in a warning tweet has requested users to disable iCloud backups by following the steps mentioned below: - 

Go to Settings > Profile > iCloud > Manage Storage > Backups, then turn off the toggle. 

To ensure that iCloud will not “surprise” you with backups you didn’t allow, go to Settings > Apple ID/iCloud > iCloud Backup and turn it off.

Telegram Abused By Raccoon Stealer

 

As per a post released by Avast Threat Labs this week, Raccoon Stealer, which was first identified in April 2019, has added the capacity to keep and update its own genuine C2 addresses on Telegram's infrastructure. According to researchers, this provides them with a "convenient and trustworthy" command center on the network which they can alter on the fly. 

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

As per the reports, Buer Loader and GCleaner were used to distribute Raccoon. Experts suspect it is also being distributed in the guise of false game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications, based on some samples. 

Given since Raccoon Stealer is for sale, the only limit to its distribution methods is the imagination of the end-users. Some samples are spread unpacked, while others are protected by malware packers like Themida. It is worth mentioning whether certain samples were packed by the same packer five times in a row.

Within Telegram, the newest version of Raccoon Stealer talks with C2: According to the post, there are four "crucial" parameters for its C2 communication which are hardcoded in every Raccoon Stealer sample. Details are as follows:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names; 
  • BotID, a hexadecimal string that is always sent to the C2; 
  • TELEGRAM KEY, a decryption key for the Telegram Gate C2 address. 

The malware decrypts MAIN KEY, which it uses to decrypt Telegram gates URLs and BotID, before hijacking Telegram for its C2. According to Martyanov, the stealer then utilizes the Telegram gate to connect to its real C2 via a series of inquiries to eventually allow it to save and change actual C2 addresses utilizing the Telegram infrastructure. 

The stealer can also transmit malware by downloading and executing arbitrary files in response to an instruction from C2. Raccoon Stealer spread roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware, according to Avast Threat Labs.

Hackers Steal Around $320M+ from Crypto Firm Wormhole

 

A threat actor abused a vulnerability in the Wormhole cryptocurrency platform to steal $322 million worth of Ether currency. 

Wormhole Portal, a web-based application—also known as a blockchain "bridge"—that enables users to change one type of bitcoin into another, was the target of the attack earlier. Bridge portals transform an input cryptocurrency into a temporary internal token, which they then turn into the user's preferred output cryptocurrency using "smart contracts" on the Ethereum blockchain. 

The attacker is suspected to have taken advantage of this method to deceive the Wormhole project into releasing significantly more Ether (ETH) and Solana (SOL) tokens than they originally provided. The attacker allegedly stole crypto-assets worth $322.8 million at the time of the attack, according to reports. As per reports, the attacker acquired crypto-assets worth $322.8 million at the time of the incident, which have since depreciated to $294 million due to price swings since the breach became public. 

While a Wormhole official is yet to respond to a request for comment on today's incident. The firm verified the incident on Twitter and put its site on maintenance while it investigates. The Wormhole attack is part of a recent pattern of abusing [blockchain] bridges, according to Tal Be'ery, CTO of bitcoin wallet app ZenGo who informed The Record about the Wormhole Attack. 

A hacker stole $80 million from Qubit Finance just a week ago, in a similar attack against another blockchain bridge. As per data compiled by the DeFiYield project, if Wormhole officially acknowledges the number of stolen funds, the incident will likely become the biggest hack of a cryptocurrency platform so far this year, and the second-largest hack of a decentralised finance (DeFi) platform of all time. 

Wormhole offered a $10 million "bug bounty" to a hacker. Be'ery pointed out that, similar to the Qubit hack, Wormhole is now appealing to the attacker to return the stolen funds in return for a $10 million reward and a "whitehat contract," which indicates that the platform will most likely not file any criminal complaints against the attacker. 

As per Wormhole's most recent Twitter update, posted on Thursday, February 3, the vulnerability has been fixed. However, as one former Uber executive discovered, such contracts exonerating hackers are illegal in some areas, and authorities may still investigate the hacker.


Anubis Trojan Targeted 400 Banks’ Customers

 

A malicious app disguised as the official account management portal for French telecom giant Orange S.A. is targeting customers of Chase, Wells Fargo, Bank of America, and Capital One, as well as almost 400 other financial institutions. 

According to researchers, this is only the beginning. Researchers at Lookout cautioned in a recent report that once downloaded, the malware - a version of banking trojan Anubis – collects the user's personal data and uses it to mislead them. And it's not just huge bank customers that are at risk, according to the researchers: Crypto wallets and virtual payment networks are also being targeted.

The Lookout report stated, “As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain.”

“This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.” 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The report added, “We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.” 

New Anubis Tricks 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The banking trojan connects to the command-and-control (C2) server after being downloaded on the device and downloads another application to start the SOCKS5 proxy. 

“This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as ‘FR.apk’ in ‘/data/data/fr.orange.serviceapp/app_apk,'” the researchers stated.

The user is then prompted to disable Google Play Protect, giving the attacker complete control, according to the research. Banks, reloadable card businesses, and cryptocurrency wallets are among the 394 apps targeted by fr.orange.serviceapp, according to the researchers. 

The Anubis client was linked back to a half-completed crypto trading platform, according to the Lookout team. 

Anubis, which was first discovered in 2016, is freely available as open-source code on underground forums, along with instructions for budding banking trojan criminals, according to the research. 

According to Lookout, the basic banking trojan has added a credential stealer to the mix in this current edition of Anubis code, putting logins for cloud-based platforms like Microsoft 365 in danger. 

As per Kristina Balaam, a security researcher with Lookout, the Lookout team was unable to discover any successful attacks linked to the Orange S.A. campaign. 

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust and Wells Fargo,” Balaam stated.

Malicious Actors Target CoinSpot Cryptoexchange to Steal User Information

 

Cyber security researchers at the Cofense Phishing Defense Center (PDC) have unearthed a new phishing campaign targeting CoinSpot cryptocurrency exchange users via a new technique revolving around withdrawal confirmations with the ultimate goal of stealing two-factor authentication (2FA) codes. 

The attackers are sending emails from a Yahoo email address, mimicking authentic emails from CoinSpot that ask the users to confirm or cancel a withdrawal transaction. The malicious texts also include details such as the transaction amount and a Bitcoin wallet address to add authenticity to the phishing campaign. 

By clicking on any of the buttons embedded in the email, the victim is directed to a phishing landing page. The page clones the CoinSpot login page and uses a spoofed domain name to gain the target's attention. 

"The style appears authentic, and there is even a Bitcoin address included to add to legitimacy. The user is prompted to either confirm or cancel the withdrawal, but both links have the same SendGrid hyperlink," reads the Cofense report. 

Additionally, the attackers use a digital certificate that adds a lock symbol to the URL address bar to make the victim believe they've reached CoinSpot's authentic and secure login form. The malicious landing page prompts the victims to enter their account credentials, and if they fall into the trap, they receive a two-factor authentication page, which is the last shield against account takeover attempts.

Upon inputting a 2FA code, the victims are redirected to the official CoinSpot website in a final push to mitigate the chances of suspicion. The hackers can then use the account credentials and the stolen 2FA codes to gain control of the victim's account.

How to safeguard crypto-investments? 

According to security experts, the excitement around cryptocurrency investment has led to an influx of inexperienced and potentially gullible users, allowing attackers to target a particular field. 

“The threat actor observed here been meticulous in obtaining access to lucrative crypto accounts. By playing on the recipient’s fears with carefully crafted steps, it could be easy for targets to perceive this as legitimate,” Cofense researchers explained. 

Cryptocurrency exchanges recommend users to review basic elements such as the sender’s address calmly, and look for anything suspicious while receiving emails. Even if everything looks genuine, don’t click the built-in messaging buttons. Instead, open a new tab on your browser, visit the official website manually, log into your account, and check for any alerts or messages that need your attention.