
Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Researchers at Socket have exposed a malicious PyPI (Python Package Index) package, set-utils, that steals Ethereum private keys by abusing “commonly used account creation functions.”

Masked as a simple utility tool for Python sets, the package imitates commonly used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads). The lure tricks unsuspecting developers into installing the malicious package, giving the attackers unauthorized access to their Ethereum wallets.

Since the start of this year, set-utils has been downloaded over 1000 times, putting Ethereum users and developers at risk. The package targets people working with blockchain technology, especially developers using Python-based wallet management libraries such as eth-account.

The package hooks Ethereum account creation to steal private keys and exfiltrates them over the blockchain, using https://rpc-amoy.polygon.technology/ as a command-and-control (C2) server. This lets the attackers retrieve the stolen credentials covertly.

Targets of the set-utils package

The package targets Ethereum developers and businesses working with Python-based blockchain apps, including:

  • Web3 apps and crypto exchanges integrating Ethereum transactions.
  • Users managing personal Ethereum wallets via Python automation.
  • Blockchain developers using eth-account for wallet creation and handling.
  • Anyone who installed the package may have exposed their private keys to the attackers, leading to major financial losses.

Consequences of the set-utils attack

  • Theft of Ethereum private keys: the package hooks standard wallet creation methods, which makes it difficult to notice.
  • Abuse of the Polygon RPC endpoint (rpc-amoy.polygon.technology/) as a C2 channel: rather than using traditional network exfiltration, the attackers hide stolen data inside blockchain transactions, making it difficult to detect.
  • Hard-coded attacker-controlled RSA public key: private keys are encrypted with it before being sent, hiding the data from basic monitoring.
  • Permanent compromise: even if a user uninstalls set-utils, Ethereum wallets created “while it was active are already exposed and compromised.”

Controlling the damage

To mitigate risk, businesses and developers should implement robust measures to protect their software supply chains. Routine dependency audits and automated scanning tools can help detect malicious or suspicious behaviour in third-party packages when they are incorporated into production environments.

According to Socket, “Integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.”  Socket has notified the PyPI team, and “it was promptly removed to prevent further attacks.”
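The following scanner is an added example (not code from the article or from Socket) of the kind of automated check a dependency audit can run: it parses a package's Python source with `ast` and flags the three traits the report attributes to set-utils, namely a reassignment of an attribute of eth_account's `Account` class (hooking wallet creation), an embedded PEM public key, and a hard-coded network endpoint. The `WALLET_CLASSES` set and the sample source are constructed for the demonstration; nothing is imported or executed.

```python
"""Static triage of Python package source for the set-utils pattern:
a hook on a wallet class, an embedded public key, a hard-coded endpoint."""
import ast
import re

# eth_account.Account is the real class the report names; treating it as
# the only wallet class worth watching is an assumption for this example.
WALLET_CLASSES = {"Account"}
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PUBLIC KEY-----")
URL_RE = re.compile(r"https?://[\w.-]+(?:/\S*)?")


def scan_source(src, filename="<package>"):
    """Return (kind, line, detail) findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Assign):
            for tgt in node.targets:
                # `Account.create = something`, at any nesting level
                if (isinstance(tgt, ast.Attribute)
                        and isinstance(tgt.value, ast.Name)
                        and tgt.value.id in WALLET_CLASSES):
                    findings.append(("hook", node.lineno,
                                     f"{tgt.value.id}.{tgt.attr} reassigned"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if PEM_RE.search(node.value):
                findings.append(("embedded_public_key", node.lineno,
                                 "PEM public key literal"))
            for m in URL_RE.finditer(node.value):
                findings.append(("hardcoded_endpoint", node.lineno, m.group(0)))
    return findings


def looks_like_wallet_stealer(findings):
    """A hook on the wallet class plus an exfiltration enabler (a key to
    encrypt with, or an endpoint to send to) is the set-utils signature."""
    kinds = {kind for kind, _, _ in findings}
    return "hook" in kinds and bool(kinds & {"embedded_public_key", "hardcoded_endpoint"})


# Constructed sample: a benign stand-in with the structure the report
# describes. The wrapper does nothing with the account; only the shape matters.
SAMPLE = '''\
from eth_account import Account
import requests
PUB_KEY = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA-CONSTRUCTED-SAMPLE
-----END PUBLIC KEY-----"""
RPC = "https://rpc-amoy.polygon.technology/"
_orig_create = Account.create
def create(*args, **kwargs):
    return _orig_create(*args, **kwargs)
Account.create = create
'''

if __name__ == "__main__":
    for kind, line, detail in scan_source(SAMPLE, "set_utils_sample.py"):
        print(f"{kind:22} line {line}: {detail}")
    print("verdict:", looks_like_wallet_stealer(scan_source(SAMPLE)))
```

Run it over every `.py` file of a freshly downloaded wheel or sdist before the package reaches a build host; a hook finding without a key or endpoint still deserves a manual look.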

PyPI Hosts Malicious Tools Targeting Crypto Wallets

In a recent investigation, several malicious packages masquerading as cryptocurrency wallet recovery services were found in the Python Package Index (PyPI) repository; they were harvesting sensitive personal information and helping to steal cryptocurrency. In a report released on Tuesday, a Checkmarx researcher described the attack as targeting Atomic, Trust Wallet, MetaMask, Ronin, TronLink, Exodus, and many other prominent wallets within the crypto ecosystem.

The packages presented themselves as tools that could extract mnemonic phrases and decrypt wallet data, suggesting they would be valuable to cryptocurrency users looking to recover or manage wallets. As long as cryptocurrencies remain a prime target for cybercriminals, such campaigns will continue to thrive in the ecosystem.

The recently discovered malicious packages on PyPI masquerade as tools that help recover and manage crypto wallets. In reality they are fake tools used to steal sensitive information from users and facilitate the theft of valuable digital assets, among other things.

According to Checkmarx researchers, several malicious Python packages on PyPI target users of leading cryptocurrency wallets such as Atomic, Trust Wallet, MetaMask, Ronin, TronLink, and Exodus, as well as other popular apps. Checkmarx notes that the package names are deliberately chosen to lure developers who are active in cryptocurrency ecosystems.

The package descriptions on PyPI also came with links to installation instructions, usage examples, and in one case even an explanation of the "best practices" for installing in virtual environments. Again, this was meant to lend legitimacy to the libraries. Furthermore, the threat actor behind the campaign went beyond deceiving users about the packages' content: they also displayed false download statistics, creating the impression that the packages were trustworthy and popular.

The identified PyPI packages depended on a package called cipherbcryptors, which was required for the malicious code to execute; in a few other cases the malware relied on ccl_leveldbases, which appeared to be an attempt to obfuscate the functionality by moving it into another package. Notably, the malicious functionality is only activated when certain functions are called, a departure from the typical pattern in which such behaviour is triggered automatically upon installation.

The collected data is then exfiltrated to a remote server. As Gelb explains, the attacker added a further layer of protection by not hard-coding the address of the command-and-control server into any of the distributed packages. Instead, the packages retrieve that information dynamically from an external source. This technique, commonly referred to as a dead drop resolver, gives attackers the flexibility to update the server information without having to update the packages themselves.

Furthermore, should the servers be taken down, this makes switching between server infrastructures as simple as possible. The attackers' strategy for luring developers and end users also relied on providing a great deal of information about the packages, including detailed descriptions, installation instructions, usage examples, and even best practices for virtual environments. The hackers also manipulated download statistics to mislead users into believing that the program was popular and trustworthy.

It is noteworthy that the attackers used the dead drop resolver technique to retrieve the addresses of their command-and-control servers. Because the server addresses are not hard-coded in the packages, the attackers can update them without pushing new package versions, so security measures will be unable to detect and block the server updates. The recent discovery of fake crypto wallet recovery tools on PyPI underlines how cybercriminals are continuously evolving their tactics to target cryptocurrency and the crypto sector as a whole.

Developers and users are equally responsible for safeguarding their digital assets: staying vigilant, practising due diligence when installing software packages, and using security solutions such as Vulert to protect their assets. According to details revealed in August 2024, CryptoCore, an elaborate cryptocurrency scam that uses fake videos or hijacked accounts on social media platforms such as Facebook, Twitch, X, and YouTube to lure users into handing over their crypto assets under the guise of fast and easy profits, has been operating since August 2024.

"This scam group and its giveaway campaigns will deceive users into sending their cryptocurrencies to the scammers' wallets by using deepfake technology, hijacked YouTube accounts, and professionally designed websites to deceive them into sending their cryptocurrencies to the scammers' wallets," Avast researcher Martin Chlumecký said. Scammers most commonly convince potential victims that messages or events published online are official communications from trusted social media accounts or event pages; as a result, they can profit from the trust attached to the chosen brand, person, or event.

Last week, Check Point revealed that a rogue Android app impersonating the genuine WalletConnect protocol was used to steal around $70,000 in cryptocurrency by initiating fraudulent transactions from infected devices.

Over 467 Apps Hit by the ERMAC 2.0 Android Banking Trojan


The ERMAC Android banking trojan has been updated to version 2.0, increasing the number of targeted apps from 378 to 467 and allowing attackers to steal account credentials and crypto wallets from a much greater number of apps.

ThreatFabric researchers first found ERMAC in July 2021; notably, it is based on the well-known banking trojan Cerberus, whose source code was released on underground hacking forums in September 2020 after its operators failed to auction it. The trojan's goal is to send stolen login credentials to the threat actors, who then use them to gain access to victims' banking and cryptocurrency accounts and commit financial or other crimes.

ERMAC is currently available by subscription on darknet sites for $5,000 a month, a $2k increase over the first release's price, indicating the boost in features and popularity. A bogus Bolt Food application targeting the Polish market is the first malware campaign to use the new ERMAC 2.0. According to ESET researchers, the threat actors distributed the Android app by impersonating a reputable European food delivery business on the "bolt-food[.]site" website. This phony website is still active.

Users are likely led to the fake site by phishing emails, fraudulent social media posts, smishing, malvertising, and other methods. If users download the program, they are confronted with a request for full access to their private data.

Following ESET's initial discovery, Cyble researchers examined the malware. ERMAC determines which programs are installed on the host device before sending the data to the C2 server. The response contains encrypted HTML injection modules matching the application list, which the trojan decrypts and saves as "setting.xml" in the Shared Preferences file. When the victim tries to run the real app, the injection takes place and a phishing page is displayed on top of the original one. The captured credentials are forwarded to the same C2 that serves the injections.

The following commands are supported by ERMAC 2.0:

  • downloadingInjections — sends the application list for injections to be downloaded.
  • logs — sends the injection logs to the server.
  • checkAP — checks the status of the application and transmits it to the server.
  • registration — sends information about the device.
  • updateBotParams — sends the bot parameters that have been updated.
  • downloadInjection — downloads the phishing HTML page.

ERMAC 2.0 targets financial apps from all over the world, making it suitable for use in a wide range of countries. The large number of supported apps makes this a dangerous piece of malware, but it's worth mentioning that it would have issues on Android versions 11 and 12, thanks to extra limits implemented by Google to prevent misuse of the Accessibility Service.

Users' Crypto Wallets are Stolen by Fake Binance NFT Mystery Box Bots


Researchers have discovered a new campaign distributing the RedLine Stealer — a low-cost password stealer sold on underground forums — via fake Binance NFT mystery box bots hosted in GitHub repositories and promoted through an array of YouTube videos that take advantage of global interest in NFTs.

The lure is the promise of a bot that will automatically purchase Binance NFT Mystery Boxes as they become available. Binance mystery boxes are collections of non-fungible token (NFT) items that users purchase in the hope of receiving a one-of-a-kind or rare item at a discounted price. Some of the NFTs obtained in such boxes can be used in online blockchain games to add unusual cosmetics or identities. However, the bot is a hoax. According to Gustavo Palazolo, a malware analyst at Netskope Threat Labs, the video descriptions on the YouTube pages lead victims to unwittingly download RedLine Stealer from a GitHub link.

In the NFT market, mystery boxes are popular because they provide individuals with the thrill of the unknown as well as the possibility of a large payout if they win a rare NFT. However, marketplaces such as Binance sell them in limited quantities, making some crates difficult to obtain before they sell out. 

"We found in this attempt that the attacker is also exploiting GitHub in the threat flow, to host the payloads," Palazolo said. "RedLine Stealer was already known for manipulating YouTube videos to proliferate through false themes," Palazolo said. The advertising was spotted by Netskope in April. "While RedLine Stealer is a low-cost malware, it has several capabilities that might do considerable harm to its victims, including the loss of sensitive data," Palazolo said. This is why prospective buyers frequently use "bots" to obtain them, and it is exactly this big trend that threat actors are attempting to exploit. 

The ads were uploaded during March and April 2022, and each one includes a link to a GitHub repository that purports to host the bot but instead distributes RedLine. The dropped file is named "BinanceNFT.bot v1.3.zip" and contains a program of a similar name, which is the payload, a Visual C++ installer, and a README.txt file. Because RedLine is written in .NET, it requires the VC redistributable setup file to run, while the README file contains installation instructions for the victim.

If the infected machine is found in any of the following countries, the malware does not run, according to Palazolo: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Ukraine, and Uzbekistan.

The repository's GitHub account, "NFTSupp," began activity in March 2022, according to Palazolo. The same account also hosts 15 zipped files including five different RedLine Stealer loaders. "While each of the five loaders we looked at is slightly different, they all unzip and inject RedLine Stealer in the same fashion, as we discussed earlier in this report. The oldest sample we identified was most likely created on March 11, 2022, and the newest sample was most likely compiled on April 7, 2022," he said. Other promotions, on the other hand, use rebrand.ly URLs that lead to MediaFire downloads; according to VirusTotal, this operation is also spreading password-stealing trojans.

RedLine is available to independent operators on a subscription basis for $100 per month, and it allows for the theft of login passwords and cookies from browsers, content from chat apps, VPN keys, and cryptocurrency wallets. Keep in mind that the legitimacy of platforms like YouTube and GitHub does not inherently imply content reliability, as these sites' upload checks and moderation systems are inadequate.

Hackers in DPRK use Trojanized DeFi Wallet App to Steal Bitcoin


North Korean government-linked hackers have been circulating a trojanized version of a DeFi Wallet app for holding cryptocurrency assets in order to gain access to the systems of cryptocurrency users and investors.

Securing economic benefits is one of the primary motives of the Lazarus threat actor, with a focus on the cryptocurrency industry. The Lazarus group's targeting of the financial industry is increasing as the price of cryptocurrencies rises and the appeal of non-fungible token (NFT) and decentralized finance (DeFi) enterprises grows.

In this attack, the threat actor used web servers in South Korea to distribute malware and communicate with the implants it had placed. Kaspersky Lab researchers recently identified a malicious version of the DeFi Wallet software that installed both the legitimate app and a backdoor disguised as a Google Chrome web browser executable. When the trojanized DeFi application was launched, it deployed a full-featured backdoor with a compilation date of November 2021. It's unknown how the hackers distributed it, but phishing emails or contacting victims through social media are both possibilities.

Although it's not clear how the threat actor persuaded the victim to run the trojanized program (0b9f4612cdfe763b3d8c8a956157474a), it is believed they used a spear-phishing email or social media to contact the victim. The trojanized application initiates the previously unknown infection chain. The installation package masquerades as DeFi Wallet software, but it actually contains a legitimate binary that has been bundled with the installer.

The malware installed in this manner, according to the researchers, has "sufficient capabilities to manage" the target host by issuing Windows commands, uninstalling itself, starting or killing processes, enumerating files and related information, or connecting the computer to a particular IP address.

Using additional functionality, the malware operator can also collect host information (IP, name, OS, CPU architecture) and disk details (type, free space), receive files from the command-and-control server (C2), and retrieve a list of files stored in a specified location. According to Japan CERT, the CookieTime malware cluster, also known as LCPDot, has been linked to the DPRK operation Dream Job, which enticed victims with phony job offers from well-known firms.

Google's Threat Analysis Group (TAG) revealed recent activity related to Dream Job earlier this month, finding that North Korean threat actors exploited a zero-day remote code execution bug in Chrome to target people working for media, IT, cryptocurrency, and fintech companies. "The CookieTime cluster has linkages with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the Lazarus organization," Kaspersky adds.

The links between the current trojanized DeFi Wallet software and other malware attributed to North Korean hackers go beyond the malware code to the C2 scripts, which share many functions and variable names. It's worth mentioning that Lazarus is the umbrella name for all state-sponsored North Korean threat operations; within the DPRK, however, several threat groups operate under different institutions and departments of the country's intelligence establishment.

Mandiant analysts prepared an evaluation of the DPRK's cyber program structure using data collected over 16 months from tracking the country's digital activity, OSINT monitoring, defector reporting, and imagery analysis. According to their map, targeting bitcoin heists is certainly within the scope of financially motivated units inside the Reconnaissance General Bureau's (RGB) 3rd Bureau (Foreign Intelligence).

Indian Crypto Wallets Targeted by Newly Discovered ‘BHUNT’ Malware


Threat actors are stealing cryptocurrency wallet contents and passwords by targeting crypto wallets. Researchers from cybersecurity firm Bitdefender discovered crypto wallet hijacking malware dubbed ‘BHUNT’ that reaches victims’ devices through installations of malicious software and attacks Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin wallets.

To evade detection and avoid triggering security warnings, the malware employs Themida and VMProtect, two virtual-machine packers that hinder reverse engineering and analysis by researchers.

"BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researchers explained in a technical report.

The modus operandi of using cracked software installers as an infection source for initial access mirrors similar cybercrime campaigns that have leveraged tools such as KMSPico, a popular utility for illegally activating Microsoft products. "Most infected users also had some form of crack for Windows (KMS) on their systems," the researchers noted.

The researchers indicated the level of infections spotted on a map, and the countries with the most infections presented were Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S.

The main component of BHUNT is 'mscrlib.exe,' which extracts further modules that are executed on a compromised system to perform different malicious activities. Each module is designed for a specific purpose, ranging from stealing cryptocurrency wallets to stealing passwords. Using a modular approach, the threat actors can customize BHUNT for different campaigns or easily add new features.

Once the attackers gain access to the wallet's seed or configuration file, they can use it to import the wallet on their own devices and steal the contained cryptocurrency. Although BHUNT's focus is clearly financial, its information-stealing capabilities could enable its operators to gather much more than just crypto-wallet data. 

"While the malware primarily focuses on stealing information related to cryptocurrency wallets, it can also harvest passwords and cookies stored in browser caches. This might include account passwords for social media, banking, etc. that might even result in an online identity takeover," researchers added.

Bitdefender also published recommendations to avoid being infected with BHUNT or with other, similar password-stealing malware. To mitigate risks, users should simply avoid downloading pirated software, cracks, and illegitimate product activators.

QNAP: New Crypto-Miner Targeting NAS Devices


A new variant of crypto-mining malware is affecting QNAP's network-attached storage (NAS) devices, as per a new security advisory posted by the Taiwanese hardware firm QNAP. 

The firm did not reveal how the devices were infected, but it did state that once the malware had established a foothold on affected systems, it would create a process called [oom reaper] that would consume about 50% of the CPU's total capacity.

QNAP stated, “This process mimics a kernel process but its PID is usually greater than 1000.” 

While the infections are being examined, QNAP advised customers to protect themselves by updating their devices' operating systems (known as QTS or QuTS) and all QNAP add-on software. Furthermore, the business advised users to change all of their NAS account passwords because it was unclear whether the attackers leveraged a vulnerability or just brute-forced an internet-connected device that used a weak password. 

QNAP advised customers to reboot their devices and download and install the company's "Malware Remover" tool from the device's built-in App Center to eliminate the infection. The company's advisory provides step-by-step instructions on how to complete all three procedures above. 
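As an added example (not from QNAP's advisory), the script below turns QNAP's hint about the bogus [oom reaper] process into a check a NAS administrator can run. On Linux, genuine kernel threads are children of kthreadd (PID 2) and have an empty /proc/&lt;pid&gt;/cmdline, which is why ps prints their names in brackets, and the real OOM reaper thread is named oom_reaper; a user-space process can only fake the name. The sample process table is constructed, and the read_proc_table() helper assumes a Linux /proc.

```python
"""Flag user-space processes disguised as kernel threads, like the
"[oom reaper]" miner QNAP describes."""
import os

KTHREADD_PID = 2


def looks_like_kernel_thread_name(comm):
    """Names a process would choose to blend in with kernel threads."""
    name = comm.strip()
    return (name.startswith("[")
            or name.replace(" ", "_").startswith("oom_reaper")
            or name.startswith("kworker"))


def is_impostor_kernel_thread(pid, ppid, comm, cmdline):
    """True when the name looks like a kernel thread but the process has
    user-space traits: a parent other than kthreadd or a non-empty cmdline."""
    if pid in (1, KTHREADD_PID) or not looks_like_kernel_thread_name(comm):
        return False
    return ppid != KTHREADD_PID or cmdline != ""


def find_impostors(table):
    """Filter a list of (pid, ppid, comm, cmdline) rows down to suspects."""
    return [row for row in table if is_impostor_kernel_thread(*row)]


def read_proc_table():
    """Collect (pid, ppid, comm, cmdline) for every process from /proc."""
    rows = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or is unreadable
        # /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain spaces
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 1:].split()[1])
        rows.append((pid, ppid, comm, cmdline))
    return rows


# Constructed process table standing in for a live QNAP host.
SAMPLE_TABLE = [
    (2, 0, "kthreadd", ""),
    (45, 2, "oom_reaper", ""),                    # genuine kernel thread
    (1187, 1, "[oom reaper]", "./[oom reaper]"),  # user-space impostor
    (1202, 1187, "sh", "sh -c sleep 5"),
]

if __name__ == "__main__":
    table = read_proc_table() if os.path.isdir("/proc") else SAMPLE_TABLE
    for pid, ppid, comm, cmdline in find_impostors(table):
        print(f"suspicious pid={pid} ppid={ppid} comm={comm!r} cmdline={cmdline!r}")
```

A hit is a reason to run QNAP's Malware Remover and rotate NAS credentials, not proof by itself; pair it with the CPU-usage symptom QNAP describes.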

Malware attacks on QNAP systems in the past 

This is not the first time malware gangs have gone after the Taiwanese company's devices. Ransomware strains such as Muhstik, Qlocker, eCh0raix, and AgeLocker have all targeted QNAP devices in recent years, with hackers gaining access to customer NAS systems, encrypting data, and then demanding small ransom payments.

Crypto-mining malware has been uncommon, however, it has been seen in the past. QNAP NAS devices were targeted by the Dovecat crypto-mining malware in late 2020 and early 2021, which exploited weak passwords to gain access to QNAP systems. In 2019 and 2020, the QSnatch malware targeted the company's NAS devices, infecting roughly 62,000 systems by mid-June 2020, as per CISA and the UK NCSC. 

QSnatch did not have crypto-mining functionality, but it did have an SSH password stealer and exfiltration capabilities, which were the primary reasons that national cybersecurity agencies in the United States, the United Kingdom, Finland, and Germany became involved and issued national alerts about the botnet's operations.

BitMart Will Compensate Victims of $196 Million Hack


The global cryptocurrency trading platform BitMart recently suffered a security breach, in the wake of which the company released a statement confirming that hackers managed to steal $150 million in various cryptocurrencies. Sheldon Xia, BitMart’s CEO and founder, confirmed the breach on Twitter.

The company confirmed in the statement that although all wallets except ETH and BSC are “secure and unharmed,” BitMart has temporarily paused all withdrawals until further notice.

“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” the company said in a statement. 

Additionally, Sheldon Xia said that during the investigation they discovered that the cryptocurrencies were drained using a stolen private key, which normally enables a user to access their cryptocurrency.

Furthermore, the company confirmed that it will compensate victims, using its own assets to recompense those affected by this large-scale security breach. According to sources, hackers withdrew $150 million in assets; however, blockchain security and data analytics firm PeckShield, which first confirmed the attack, claims the loss is closer to $200 million.

Owing to the cyberattack, the company's trade volume has gone down, CoinGecko CEO Bobby reported. “Crypto exchange hacks are fairly common. Exchanges are a honeypot for hackers because of the high potential payoff for any successful exploit,” he said.

BitMart was created by cryptocurrency enthusiasts; its roadmap began in November 2017. It has offices worldwide, and the company is registered in the Cayman Islands. The platform offers a mix of spot trading, OTC trading, leveraged futures trading, lending and staking services, and other services for digital assets. In April, BitMart also registered with US regulators as a money services business (MSB).