The Good Tech Companies - 5 New Malware Techniques to Steal Your Crypto (2024)

Episode Date: August 22, 2024

This story was originally published on HackerNoon at: https://hackernoon.com/5-new-malware-techniques-to-steal-your-crypto-2024. Let’s see some new crypto-stealing malware techniques you should be aware of this year, and how to protect yourself against them. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #malware-threat, #crypto-stealing-malware, #crypto-malware, #malware-evasion, #cybersecurity, #obyte, #kaspersky-lab, #good-company, and more. This story was written by: @obyte. Learn more about this writer by checking @obyte's about page, and for more stories, please visit hackernoon.com. Kaspersky Lab discovered a new threat targeting cryptocurrency wallets. The malware was hidden in pirated software available on torrent and pirating websites. It replaces legitimate wallet apps like Exodus and Bitcoin-Qt with infected versions. The cybercriminals behind this scheme use fake but legitimate-looking apps.

Transcript
Starting point is 00:00:00 This audio is presented by Hacker Noon, where anyone can learn anything about any technology. 5 New Malware Techniques to Steal Your Crypto (2024), by Obyte. Cybercriminals never stop innovating, and they're especially attracted to cryptocurrencies. Maybe you're on your merry way exploring the internet without knowing how many landmines you're about to step on. It never hurts to be careful and keep up to date on the latest security trends when it's about protecting your crypto funds. To give you an idea of how big this evil business is for malicious parties, according to Chainalysis, around $24.2 billion was received by illicit crypto addresses
Starting point is 00:00:36 in 2023. Don't be part of the next number. Let's see some new malware techniques you should be aware of this year and how to protect yourself against them. A backdoor in macOS. It's not exactly a good idea to download applications from non-official sites, and this is a great example of why. Cybersecurity firm Kaspersky Lab discovered earlier this year a new threat targeting macOS users' cryptocurrency wallets, which was hidden in pirated software available on torrent and pirating websites. When users install these seemingly free programs, they are unknowingly allowing malware onto their computers. The initial step involves an app called Activator, which prompts users to provide administrative access. This gives the malware the necessary permissions to install itself and
Starting point is 00:01:21 disable the normal function of the pirated software, tricking users into thinking they need this activator to make the software work. Once installed, the malware contacts a remote server to download further malicious instructions. These instructions help the malware create a backdoor, giving hackers continuous access to the infected computer. The main goal of this malware is to steal cryptocurrency. It replaces legitimate wallet apps like Exodus and Bitcoin-Qt with infected versions. These altered apps then capture sensitive information, such as recovery phrases and wallet passwords, and send them to the hackers, effectively draining your crypto funds. A suspicious "Activator" installer has appeared just after you obtained a "free" app? Don't provide it with access
Starting point is 00:02:05 and uninstall it right away. Vortax, Web3 Games, and Markopolo. The Vortax campaign is a deceptive malware operation targeting cryptocurrency users, discovered by Recorded Future researchers. The cybercriminals behind this scheme use fake but legitimate-looking apps to infect both Windows and macOS devices with information-stealing malware. Posing as a virtual meeting software called Vortax, the app appears credible with a website indexed by search engines, a blog with AI-generated articles, and social media accounts on platforms like X, Telegram, and Discord. The threat actor engages with potential victims in cryptocurrency-themed discussions, directing them to download the Vortax app under the guise of joining a virtual meeting.
Starting point is 00:02:50 Once users follow the provided instructions, they're redirected to download links that install the Vortax software. However, instead of a functional app, the installation files deliver malware such as Rhadamanthys, Stealc, or Atomic Stealer (AMOS). The Vortax app seems non-functional due to deliberate errors, while in the background, the malware starts stealing sensitive information, including passwords and seed phrases. Further investigation revealed that the Vortax campaign is linked to multiple domains hosting similar malicious applications and fake Web3 games, suggesting a well-organized effort by the threat actor, identified as Markopolo. Markopolo's tactics include leveraging social
Starting point is 00:03:31 media and messaging platforms to distribute their malware, also masquerading as brands in games like VDeck, Mindspeak, ArgonGame, DustFighter, and Astration. This strategy not only broadens their reach but also increases the likelihood of users being duped into downloading the malicious software. The campaign's sophistication and adaptability imply that future attacks may become even more prevalent, highlighting the need for users to exercise caution when downloading third-party software, especially if they seem suspiciously insistent about it. pytoileur, a trap for Python devs. Sonatype researchers have uncovered a new threat targeting cryptocurrency users through a malicious Python package called pytoileur.
Starting point is 00:04:12 Disguised as a legitimate API management tool, pytoileur deceives users into downloading it from the Python Package Index (PyPI). Once installed, the package secretly retrieves and installs harmful software designed to steal cryptocurrency by accessing sensitive information stored on the victim's device. The malicious package was cleverly hidden within seemingly innocent code. It downloaded a dangerous executable file that, once executed, carried out various malicious activities. These included modifying system settings, maintaining a presence on the device to avoid detection, and, most importantly, attempting to steal cryptocurrency from wallets and accounts associated with popular services like Binance, Coinbase, and Crypto.com.
Starting point is 00:04:55 By accessing browser data and other financial details, the malware could siphon off digital assets without the victim's knowledge. The distribution of pytoileur involves social engineering tactics, including exploiting community platforms like Stack Overflow to lure developers into downloading the package under the guise of solving technical problems. This incident is part of a broader "Cool package" campaign, indicating an ongoing effort by cybercriminals to target cryptocurrency users through sophisticated and evolving methods. Mend.io, another security firm, has identified over 100 malicious packages on PyPI. Developers can avoid malicious packages by downloading from trusted sources,
Starting point is 00:05:36 verifying package integrity, and reviewing the code before use. Staying updated with security advisories and using automated security tools also helps. P2PInfect, a swarming threat. P2PInfect, identified by Cado Security, is a sophisticated malware leveraging a peer-to-peer botnet for control. In other words, the malware detects if a computer belongs to a network and infects all of the joined devices to communicate and control each other directly without relying on a central server. Initially appearing dormant, its updated form now includes ransomware and crypto mining capabilities. Upon infection, it primarily spreads through vulnerabilities in Redis, a popular database system, allowing the malware to execute arbitrary
Starting point is 00:06:20 commands and propagate itself across connected systems. The botnet feature ensures rapid distribution of updates, maintaining an extensive network of compromised devices in a whole company, for example. Victims usually encounter P2PInfect via insecure Redis configurations or through limited SSH (Secure Shell) attempts to manage remote systems with common credentials. Once active on a victim's system, P2PInfect installs a crypto miner targeting the Monero cryptocurrency. This miner activates after a brief delay and generates cryptocurrency using the system's resources, covertly funneling earnings to the attacker's wallet and slowing the device's
Starting point is 00:06:59 capabilities. The ransomware component encrypts (blocks) files and demands a crypto payment to retrieve them, though its effectiveness is limited due to the typical permissions of infected Redis servers. The attacker's Monero wallet has accumulated approximately 71 XMR, equivalent to about $12,400. This illustrates the financial success of the campaign despite the potentially limited impact of the ransomware due to the typical low-value data stored by Redis. To avoid this malware, remember to secure Redis configurations and regularly monitor for unusual activity. Fake Aggr Trade and Other Malicious Extensions. The fake Aggr Trade Chrome extension, described by the security firm SlowMist, was a malicious tool that tricked users into losing
Starting point is 00:07:44 significant amounts of cryptocurrency. The extension masqueraded as a legitimate trading tool, Aggr Trade, but was designed only to steal funds. Users unknowingly installed it, which then exploited their access to cryptocurrency exchanges and trading platforms by hijacking sensitive information, passwords and credentials. The extension functioned by capturing cookies and other session data, which allowed it to mimic users' logins and conduct unauthorized transactions. This led to the theft of around $1 million in total. It was distributed through deceptive tactics via social media and marketing promotion that lured victims into
Starting point is 00:08:19 downloading and installing it, often from unofficial or suspicious sources. And this specific threat was taken down already, but it's just a meager example among numerous attempts. Currently, several other malicious Chrome extensions are posing as genuine trading services aimed at stealing crypto. To protect yourself, only install extensions from trusted sources, regularly check permissions, and monitor your accounts for unusual activity. Also, remember that all browser extensions are able to track your entire browsing history, see what you are doing on each site, and steal cookies and other private data. Using hardware or paper wallets for substantial amounts and keeping security software updated
Starting point is 00:08:59 can also enhance your protection against such threats. Protection Measures. To protect against crypto-stealing malware like these, you can apply some basic measures. Install from trusted sources. Only use extensions and software from reputable sources and official websites. Verify reviews and permissions before installation. Install as little software as possible. Before installing another app or browser extension on your desktop computer, think again if you really need it. Maybe you can achieve your goals with the existing software? It's safer on mobile platforms where each app is sandboxed, though.
Starting point is 00:09:34 Regular security checks. Frequently review and remove unused extensions or software. Regularly check for unusual activity in your crypto accounts, online and offline, and system. Use strong authentication. Enable two-factor authentication (2FA) on your accounts to add an extra layer of security. In Obyte wallets, you can do this by creating a multi-device account from the main menu or setting a spending password in settings. Employ anti-malware tools. Use up-to-date antivirus and anti-malware tools to detect and block online and offline threats. Secure your crypto. Store significant
Starting point is 00:10:12 crypto assets in hardware or paper wallets to reduce exposure to online threats. Through the Obyte wallet, you can easily create your own paper wallet by generating a textcoin (12 random words), writing it down, and then deleting or blocking the software itself until you need to spend the funds. And inside Obyte and beyond, ensure you're using secure and verified wallets and follow these best practices to protect your assets. Featured vector image by Freepik, and thank you for listening to this HackerNoon story, read by Artificial Intelligence. Visit HackerNoon.com to read, write, learn and publish.
